Virus Profile: Exploit-CVE2012-5076

Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/16/2012
Date Added: 11/16/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 6802


An initial threat vector may be hosted on a website in the form of an Applet. The Applet would contain code to exploit CVE-2012-5076. The intent of the exploit is to surreptitiously download and execute additional malware on the infected system. An indication of this may be the presence of unusual traffic to unknown domains.

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to JAX-WS.

The exploit abuses JAX-WS classes from a Java Applet to run arbitrary Java code outside of the sandbox, as exploited in the wild.
The vulnerability can be exploited over multiple protocols. An attacker can exploit this issue to bypass sandbox restrictions and execute arbitrary code in the context of the application.


  • Avira        -    EXP/CVE-2012-5076
  • Microsoft    -    Exploit:Java/CVE-2012-5076.B
  • Symantec    -    Trojan.Maljava
  • Nod32        -    Java/Exploit.CVE-2012-5076.A trojan (variant)

Indication of Infection

  • The exploit may download arbitrary files.
  • This exploit attempts to download and execute additional malware on the infected system.

Methods of Infection

  • This threat exploits an unpatched vulnerability in Sun Microsystems Java.
  • This Trojan can be installed while browsing compromised websites.

Virus Characteristics

"Exploit-CVE2012-5076" is the detection for malicious Java class files stored within a Java archive (.JAR), which attempt to exploit a vulnerability in the Java Runtime Environment (JRE), including version 7 update 7 and earlier.
By exploiting the CVE-2012-5076 Java Applet vulnerability and bypassing the Security Manager, an attacker can gain access to the local file system.

Unsigned Java applets run inside a sandbox environment which strictly restricts the applet’s access to system resources like file and process operations. However, when some dangerous packages are exposed to untrusted code, the malicious code can access packages that can be abused to create the user’s own class on the fly with escalated privileges.

The malware's code confirms that it used the util.GenericConstructor class and the ManagedObjectManagerFactory class to attack the Java security model. The util.GenericConstructor class is used to create an object from a restricted class (sun.invoke.anon.AnonymousClassLoader), and ManagedObjectManagerFactory’s getMethod method is used to retrieve the method object of “loadClass” from the sun.invoke.anon.AnonymousClassLoader class. sun.invoke.anon.AnonymousClassLoader can load a class on the fly from a byte stream provided to it.

When the malicious page is visited, the web browser downloads the .jar file and executes it in the JVM. If it were just a normal Applet, the Security Manager would block its execution; however, the exploit code disables the Security Manager, and therefore the code can be executed even on the local system.
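
For triage of a suspicious .jar, the class names mentioned above can be looked for in each class file's constant pool. The following Python sketch is an added example, not code from this profile or from any vendor's scanner; the function names are hypothetical, and matching the two short names as suffixes is an assumption because the page does not give their full packages. It only sees names stored as plain strings, so a sample that assembles them at run time will not match.

```python
import io
import struct
import zipfile

# Names the profile ties to the exploit, matched as name suffixes (assumption).
SUSPECT = ("GenericConstructor", "ManagedObjectManagerFactory",
           "sun.invoke.anon.AnonymousClassLoader")
# Bytes following each fixed-size constant-pool tag (JVM class-file format).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(data):
    """Return the CONSTANT_Utf8 strings of one class file's constant pool."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        return []
    count = struct.unpack(">H", data[8:10])[0]
    pos, idx, out = 10, 1, []
    while idx < count and pos < len(data):
        tag = data[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length, then that many bytes
            n = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            out.append(data[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        elif tag in FIXED:
            pos += 1 + FIXED[tag]
        else:
            break  # unknown tag: stop rather than misparse
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return out

def scan_jar(jar_bytes):
    """Map each .class entry to the suspect names among its constants."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            consts = [c.replace("/", ".") for c in utf8_constants(jar.read(name))]
            found = sorted({s for s in SUSPECT for c in consts
                            if ("." + c).endswith("." + s)})
            if found:
                hits[name] = found
    return hits

def sample_jar(strings):
    """Constructed input: JAR holding one class-file stub (header + constant pool)."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    stub = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 51, len(strings) + 1) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Applet1.class", stub)
    return buf.getvalue()
```

A hit is a reason to inspect the archive further, not a verdict: legitimate code running on an affected JRE can reference the same classes.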

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

