The malware is a component of a Trojan downloader and includes a class file named “translator”, which downloads a file from the Internet using a link passed to it and then launches the downloaded file for execution. The downloaded file is saved in the current user’s temporary files directory as
where <rnd> is a random fractional decimal number between 0 and 1. Before downloading, the malware checks the name of the OS installed on the infected system. If the OS is not Windows, the download does not take place.
The Trojan is a Java applet. It is launched from an infected HTML page using the “<APPLET>” tag, which passes an encrypted link to the downloadable file in a parameter named “hint”.
As well as the above-mentioned class file, the Trojan contains class files named “ISO” and “UTF”. The “ISO” class file includes the “sikilda” function, which is used to decrypt the link to the downloadable file. The “UTF” class file contains code designed to exploit a vulnerability (CVE-2010-0840). JDK and JRE up to version 6 Update 18 are vulnerable. The vulnerability stems from improper verification when privileged methods are executed in the Java Runtime Environment; this allows a malicious user to execute arbitrary code by way of a specially crafted object whose class is a subclass of a trusted class.
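A defender-side check for the delivery mechanism described above, added here as an example that is not part of the original analysis: it parses an HTML page for applet tags that pass a parameter named “hint” and reports them. The sample HTML, the archive name and the placeholder parameter value are constructed for the example.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the original description): one applet
# passing the "hint" parameter, one benign applet that does not.
SAMPLE_HTML = """
<html><body>
<applet code="translator.class" archive="x.jar" width="1" height="1">
  <param name="hint" value="ZW5jcnlwdGVkLWxpbmstcGxhY2Vob2xkZXI=">
</applet>
<applet code="Clock.class" width="100" height="100">
  <param name="zone" value="UTC">
</applet>
</body></html>
"""


class AppletScanner(HTMLParser):
    """Collect every <applet> on a page together with its <param> children."""

    def __init__(self):
        super().__init__()
        self.applets = []      # list of {"code": str, "params": {name: value}}
        self._current = None   # applet currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "applet":
            self._current = {"code": attrs.get("code", ""), "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            # <param> is a void element; HTMLParser still routes it here.
            name = (attrs.get("name") or "").lower()
            self._current["params"][name] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def find_suspicious_applets(html, marker_param="hint"):
    """Return the 'code' attribute of every applet that passes a parameter
    named marker_param, the loader convention described for this Trojan."""
    scanner = AppletScanner()
    scanner.feed(html)
    return [a["code"] for a in scanner.applets if marker_param in a["params"]]


if __name__ == "__main__":
    print(find_suspicious_applets(SAMPLE_HTML))  # ['translator.class']
```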