G DATA Software AG: Antivirus, virus protection, virus scanner, Internet Security

G Data: Top10 Malware

Total percentage of the top 10: 8.27 %

Chart: Malware distribution by percentage within the top 10 (image not reproduced)

Rank 1: Trojan.Wimad.Gen.1 (3.61 %)
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

Rank 2: Trojan.Sirefef.BP (0.72 %)
This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll under varying names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main purpose is to manipulate search engine results in web browsers so that users click on the manipulated results, which generates money for the attackers (pay-per-click ads).

Rank 3: Trojan.Sirefef.BV (0.61 %)
This detection belongs to the Sirefef Trojan family's rootkit component. It disguises itself as the legitimate file AFS2K.sys (Audio File System, Oak Technology Inc.) and performs monitoring functions. Its main purpose is to manipulate search engine results in web browsers so that users click on the manipulated results, which generates money for the attackers (pay-per-click ads).

Rank 4: Worm.Autorun.VHG (0.59 %)
This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

Rank 5: Trojan.JS.Redirector.ACI (0.54 %)
A redirector redirects website visitors to other targets. The redirect target is disguised, e.g. by obfuscated JavaScript, so that the actual target URL is only constructed in the user's browser. The redirector itself does not compromise the user's system. However, it redirects the user to potentially malicious websites without any user involvement and is therefore a popular means of disguising the source of the actual attack. In this current case, the JavaScript includes, among other things, an invisible iframe which leads to a potentially malicious website.

Rank 6: Trojan.AutorunINF.Gen (0.49 %)
This is a generic detection that detects both known and unknown malicious autorun.inf files. Autorun.inf files are startup files that can be misused as a distribution mechanism for malicious computer programs on USB devices, removable media, CDs and DVDs.

Rank 7: Exploit.CplLnk.Gen (0.43 %)
This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and has been known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of one of these files is opened in Windows in order to display its embedded icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

Rank 8: Gen:Variant.Adware.Solimba.1 (0.43 %)
This detection belongs to the category of potentially unwanted programs (PUP) and comes in free software packages from programs such as Windows Live Mail, MySQL, etc., which are downloaded from sources other than the provider. Those software packages often come bundled with extras the user potentially does not want to have, such as a toolbar or a function to change the browser start page or similar. In this current case, the software wants to install a Babylon toolbar, and Babylon can also be set as browser start page and default search engine.

Rank 9: Gen:Variant.Application.InstallCore.4 (0.43 %)
This detection belongs to the category of potentially unwanted programs (PUP) and comes in free software packages from programs such as FLV Player, PDF Reader, etc., which are downloaded from sources other than the provider. Those software packages often come bundled with extras the user potentially does not want to have, such as a toolbar or a function to change the browser start page or similar. In this current case, the software wants to install a toolbar.

Rank 10: Win32:DNSChanger-VJ [Trj] (0.42 %)
Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to the update sites for security updates and signature updates. Any access to these website hosts is resolved to "localhost", which effectively makes them unreachable. This is why it is called DNSChanger: it manipulates DNS resolution.

Methodology

The Malware Information Initiative (MII) relies on the power of the online community, and any customer who purchases a G Data security solution can take part in this initiative. The prerequisite is that they have activated this function in their G Data program. If a malware attack on a computer is fended off, a completely anonymous report of the event is sent to G Data SecurityLabs. The data about the malware is collected and statistically assessed by G Data SecurityLabs.

Total percentage of the top 10: 13.16 %

Chart: Malware distribution by percentage within the top 10 (image not reproduced)

Rank 1: Trojan.Wimad.Gen.1 (4.44 %)
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

Rank 2: Trojan.Sirefef.BP (1.80 %)
This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll under varying names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main purpose is to manipulate search engine results in web browsers so that users click on the manipulated results, which generates money for the attackers (pay-per-click ads).

Rank 3: Gen:Variant.Application.InstallCore.4 (1.31 %)
This detection belongs to the category of potentially unwanted programs (PUP) and comes in free software packages from programs such as FLV Player, PDF Reader, etc., which are downloaded from sources other than the provider. Those software packages often come bundled with extras the user potentially does not want to have, such as a toolbar or a function to change the browser start page or similar. In this current case, the software wants to install a toolbar.

Rank 4: Trojan.Sirefef.BR (1.20 %)
This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll under varying names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main purpose is to manipulate search engine results in web browsers so that users click on the manipulated results, which generates money for the attackers (pay-per-click ads).

Rank 5: Trojan.Iframe.ADD (1.05 %)
Iframe detections mainly occur when an iframe is injected into a website and this iframe tries to redirect a website visitor to another, malicious website. The visitor normally does not notice this. Regarding Trojan.Iframe.ADD: malicious code was injected into all index files of the domain with .html, .php and .js file extensions. This code has two functions: first, it detects the user's browser and version, and second, it inserts an iframe with the functionality described above.

Rank 6: Win32:DNSChanger-VJ [Trj] (0.83 %)
Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to the update sites for security updates and signature updates. Any access to these website hosts is resolved to "localhost", which effectively makes them unreachable. This is why it is called DNSChanger: it manipulates DNS resolution.

Rank 7: Worm.Autorun.VHG (0.80 %)
This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

Rank 8: Trojan.AutorunINF.Gen (0.62 %)
This is a generic detection that detects both known and unknown malicious autorun.inf files. Autorun.inf files are startup files that can be misused as a distribution mechanism for malicious computer programs on USB devices, removable media, CDs and DVDs.

Rank 9: Exploit.CplLnk.Gen (0.56 %)
This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and has been known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of one of these files is opened in Windows in order to display its embedded icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

Rank 10: Trojan.JS.Redirector.YM (0.55 %)
A redirector redirects website visitors to other targets. The redirect target is disguised, e.g. by obfuscated JavaScript, so that the actual target URL is only constructed in the user's browser. The redirector itself does not compromise the user's system. However, it redirects the user to potentially malicious websites without any user involvement and is therefore a popular means of disguising the source of the actual attack.


Total percentage of the top 10: 11.87 %

Chart: Malware distribution by percentage within the top 10 (image not reproduced)

Rank 1: Trojan.Wimad.Gen.1 (5.26 %)
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

Rank 2: Trojan.Sirefef.BP (1.41 %)
This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll under varying names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main purpose is to manipulate search engine results in web browsers so that users click on the manipulated results, which generates money for the attackers (pay-per-click ads).

Rank 3: Exploit.CplLnk.Gen (1.09 %)
This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and has been known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of one of these files is opened in Windows in order to display its embedded icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

Rank 4: Gen:Variant.Application.InstallCore.1 (0.89 %)
This detection belongs to the category of potentially unwanted programs (PUP) and comes in free software packages from programs such as FLV Player, PDF Reader, etc., which are downloaded from sources other than the provider. Those software packages often come bundled with extras the user potentially does not want to have, such as a toolbar or a function to change the browser start page or similar. In this current case, the software wants to install a toolbar.

Rank 5: Worm.Autorun.VHG (0.79 %)
This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

Rank 6: Trojan.AutorunINF.Gen (0.67 %)
This is a generic detection that detects both known and unknown malicious autorun.inf files. Autorun.inf files are startup files that can be misused as a distribution mechanism for malicious computer programs on USB devices, removable media, CDs and DVDs.

Rank 7: Trojan.Sirefef.BR (0.62 %)
This detection belongs to the Sirefef Trojan family's rootkit component. It copies its own .dll under varying names into the Windows system folder (/WINDOWS/system32). Furthermore, it performs several other system modifications to disguise the Sirefef Trojan malware. Its main purpose is to manipulate search engine results in web browsers so that users click on the manipulated results, which generates money for the attackers (pay-per-click ads).

Rank 8: Win32:Agent-ANTB [Trj] (0.43 %)
Win32:Agent-ANTB [Trj] steals information from the infected system, e.g. data for online casino games. After installation, the Trojan determines the infected system's external IP address and tries to connect to various (IRC) servers and websites (online games, advertisement sites, ...).

Rank 9: Win32.Adware.WSM (0.36 %)
Adware is generally installed secretly, as part of manipulated versions of legitimate software such as DivX Player or similar. The infected software is not downloaded from the original vendor but from third parties. In the case of Win32.Adware.WSM, the manipulated versions install plug-ins for Internet Explorer and Google's Chrome browser without the user's consent.

Rank 10: Trojan.Iframe.AAO (0.35 %)
Iframe detections mainly occur when an iframe is injected into a website and this iframe tries to redirect a website visitor to another, malicious website. The visitor normally does not notice this. Regarding Trojan.Iframe.AAO: this is a detection of iframes that lead to Blackhole exploit kits, among others.


Total percentage of the top 10: 8.8 %

Chart: Malware distribution by percentage within the top 10 (image not reproduced)

Rank 1: Trojan.Wimad.Gen.1 (3.54 %)
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

Rank 2: Exploit.CplLnk.Gen (1.74 %)
This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and has been known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of one of these files is opened in Windows in order to display its embedded icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

Rank 3: Worm.Autorun.VHG (0.87 %)
This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

Rank 4: Trojan.AutorunINF.Gen (0.70 %)
This is a generic detection that detects both known and unknown malicious autorun.inf files. Autorun.inf files are startup files that can be misused as a distribution mechanism for malicious computer programs on USB devices, removable media, CDs and DVDs.

Rank 5: Win32:DNSChanger-VJ [Trj] (0.47 %)
Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to the update sites for security updates and signature updates. Any access to these website hosts is resolved to "localhost", which effectively makes them unreachable. This is why it is called DNSChanger: it manipulates DNS resolution.

Rank 6: Application.Keygen.BG (0.36 %)
This is a key generator. It is very popular in P2P networks and on warez websites as it allegedly allows the use of software that one would otherwise need to pay for. Running this application is not only a legal issue but carries many security risks as well.

Rank 7: Win32.Adware.WSM (0.30 %)
Adware is generally installed secretly, as part of manipulated versions of legitimate software such as DivX Player or similar. The infected software is not downloaded from the original vendor but from third parties. In the case of Win32.Adware.WSM, the manipulated versions install plug-ins for Internet Explorer and Google's Chrome browser without the user's consent.

Rank 8: Gen:Variant.Adware.Hotbar.1 (0.28 %)
This adware is generally installed secretly, as part of free software packages from programs such as VLC, XviD, etc., which are downloaded from sources other than the provider. The alleged sponsors of this latest software are 'Click Potato' and 'Hotbar'. All packages are digitally signed by a certain "Pinball Corporation", and the adware runs automatically whenever Windows starts, integrating itself as a systray icon.

Rank 9: Adware.Hotbar.GG (0.27 %)
Adware belongs to the category of potentially unwanted programs. Adware.Hotbar.GG is a Browser Helper Object (BHO): a "Smartshopper" toolbar, "Shopping Report" toolbar or something similar. The files are digitally signed by "Pinball Corporation" or, in some cases, by "Smartshopper Technologies". The browser add-in referred to above provides price comparisons on products and offers special services provided by partners of the Pinball company.

Rank 10: Win32.Sality.3 (0.27 %)
Win32.Sality.3 is a file infector and therefore a true virus. It infects PE files (portable executable files, for example EXE and SCR files). Win32.Sality.3 installs a rootkit, and Windows safe mode no longer works after an infection: attempting to boot into safe mode ends in a blue screen. Additionally, the virus disables the Windows Firewall, the Windows Update mechanism and the warning about missing or outdated antivirus products.


Total percentage of the top 10: 7.82 %

Chart: Malware distribution by percentage within the top 10 (image not reproduced)

Rank 1: Exploit.CplLnk.Gen (1.69 %)
This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and has been known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of one of these files is opened in Windows in order to display its embedded icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

Rank 2: Trojan.Wimad.Gen.1 (0.96 %)
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

Rank 3: Java.Exploit.CVE-2010-0840.E (0.95 %)
This Java-based malware program is a download applet that tries to use a security vulnerability (CVE-2010-0840) to circumvent the sandbox protection mechanism and download additional malware onto the computer. Once the applet has bypassed the sandbox, it downloads a .dll file. This file is not executed immediately but registered as a service with the help of the Microsoft Register Server (regsvr32). Thus, it is started automatically at system start.

Rank 4: Win32:DNSChanger-VJ [Trj] (0.86 %)
Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to the update sites for security updates and signature updates. Any access to these website hosts is resolved to "localhost", which effectively makes them unreachable. This is why it is called DNSChanger: it manipulates DNS resolution.

Rank 5: Worm.Autorun.VHG (0.83 %)
This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

Rank 6: Trojan.AutorunINF.Gen (0.68 %)
This is a generic detection that detects both known and unknown malicious autorun.inf files. Autorun.inf files are startup files that can be misused as a distribution mechanism for malicious computer programs on USB devices, removable media, CDs and DVDs.

Rank 7: Trojan.IFrame.YX (0.66 %)
This detection is connected to the potential spreading of adware and was mainly found on free hosting websites. The script checks whether the current visitor's IP address has already accessed the website within the last 30 minutes. If it has not, the iframe initiates delivery of the advertisement, which can potentially be infected.

Rank 8: Application.Keygen.BG (0.46 %)
This is a key generator. It is very popular in P2P networks and on warez websites as it allegedly allows the use of software that one would otherwise need to pay for. Running this application is not only a legal issue but carries many security risks as well.

Rank 9: Java.Trojan.Downloader.OpenConnection.AI (0.39 %)
This Trojan downloader is found in manipulated Java applets on websites. When the applet is downloaded, a URL is generated from the applet parameters. The downloader uses this to download a malicious executable file onto the user's computer and run it. These files can be any type of malicious software. The downloader exploits the CVE-2010-0840 vulnerability in order to bypass the Java sandbox and thereby write data locally.

Rank 10: Gen:Variant.Kazy.45847 (0.34 %)
Gen:Variant.Kazy.45847 belongs to the group of potentially unwanted programs (PUP). It is a .dll file named solidcore32.dll, which is used to crack the computer game Anno 2070. The modification of the game file is detected as malicious.


Total percentage of the top 10: 9.54 %

Chart: Malware distribution by percentage within the top 10 (image not reproduced)

Rank 1: Java.Exploit.CVE-2010-0840.E (3.66 %)
This Java-based malware program is a download applet that tries to use a security vulnerability (CVE-2010-0840) to circumvent the sandbox protection mechanism and download additional malware onto the computer. Once the applet has bypassed the sandbox, it downloads a .dll file. This file is not executed immediately but registered as a service with the help of the Microsoft Register Server (regsvr32). Thus, it is started automatically at system start.

Rank 2: Exploit.CplLnk.Gen (1.41 %)
This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and has been known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of one of these files is opened in Windows in order to display its embedded icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

Rank 3: Worm.Autorun.VHG (0.83 %)
This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

Rank 4: Win32:DNSChanger-VJ [Trj] (0.74 %)
Win32:DNSChanger-VJ [Trj] is part of a rootkit. It tries to protect other malware components, for example by blocking access to the update sites for security updates and signature updates. Any access to these website hosts is resolved to "localhost", which effectively makes them unreachable. This is why it is called DNSChanger: it manipulates DNS resolution.

Rank 5: Trojan.AutorunINF.Gen (0.73 %)
This is a generic detection that detects both known and unknown malicious autorun.inf files. Autorun.inf files are startup files that can be misused as a distribution mechanism for malicious computer programs on USB devices, removable media, CDs and DVDs.

Rank 6: Trojan.Wimad.Gen.1 (0.61 %)
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

Rank 7: Java.Trojan.Downloader.OpenConnection.AI (0.44 %)
This Trojan downloader is found in manipulated Java applets on websites. When the applet is downloaded, a URL is generated from the applet parameters. The downloader uses this to download a malicious executable file onto the user's computer and run it. These files can be any type of malicious software. The downloader exploits the CVE-2010-0840 vulnerability in order to bypass the Java sandbox and thereby write data locally.

Rank 8: Application.Keygen.BG (0.42 %)
This is a key generator. It is very popular in P2P networks and on warez websites as it allegedly allows the use of software that one would otherwise need to pay for. Running this application is not only a legal issue but carries many security risks as well.

Rank 9: Gen:Variant.Adware.Hotbar.1 (0.37 %)
This adware is generally installed secretly, as part of free software packages from programs such as VLC, XviD, etc., which are downloaded from sources other than the provider. The alleged sponsors of this latest software are 'Click Potato' and 'Hotbar'. All packages are digitally signed by a certain "Pinball Corporation", and the adware runs automatically whenever Windows starts, integrating itself as a systray icon.

Rank 10: PDF:Exploit.JS.V (0.33 %)
PDF:Exploit.JS.V is a JavaScript-based exploit (CVE-2010-0188) against some versions of Acrobat Reader 8 (< 8.21) and 9 (< 9.31). The malicious PDF contains obfuscated JavaScript that allows arbitrary code execution within the Acrobat Reader process. The shellcode can download an arbitrary file from a web server to %TEMP% and execute it afterwards; the downloaded code can potentially be any malware.


Total percentage of the top 10: 8.05 %

Chart: Malware distribution by percentage within the top 10 (image not reproduced)

Rank 1: Generic.Adware.Adseo.7722145B (2.11 %)
Generic.Adware.Adseo.7722145B is, as the name suggests, a generic detection. Adware belongs to the category of potentially unwanted programs. When installing various types of freeware, add-on software is often installed alongside the software you actually want; the "do not install" option is often overlooked by users. This usually happens when software is downloaded from sources other than the provider.

Rank 2: Trojan.Wimad.Gen.1 (0.88 %)
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

Rank 3: Trojan.AutorunINF.Gen (0.80 %)
This is a generic detection that detects both known and unknown malicious autorun.inf files. Autorun.inf files are startup files that can be misused as a distribution mechanism for malicious computer programs on USB devices, removable media, CDs and DVDs.

Rank 4: Worm.Autorun.VHG (0.79 %)
This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

Rank 5: Generic.Adware.Adseo.38E3FFEE (0.76 %)
Generic.Adware.Adseo.38E3FFEE is, as the name suggests, a generic detection. Adware belongs to the category of potentially unwanted programs. When installing various types of freeware, add-on software is often installed alongside the software you actually want; the "do not install" option is often overlooked by users. This usually happens when software is downloaded from sources other than the provider.

Rank 6: Trojan.Iframe.SC (0.68 %)
This malware is connected to a website hosting erotic content. The site has two invisible iframes embedded that load further malware from another domain into the website initially visited. On the one hand, this conceals the malware's source; on the other hand, the cyber criminals can easily exchange or renew the deposited malware without needing to change the infecting site.

Rank 7: Trojan.Exploit.ANSH (0.54 %)
This Trojan is a manipulated Java applet that can be found on websites. When the applet is downloaded, a URL is generated from the applet parameters. The downloader uses this to download a malicious executable file onto the user's computer and run it. These files can be any type of malicious software. The downloader exploits the CVE-2010-0840 vulnerability in order to bypass the Java sandbox and thereby write data locally.

Rank 8: Java.Exploit.CVE-2010-0840.E (0.52 %)
This Java-based malware program is a download applet that tries to use a security vulnerability (CVE-2010-0840) to circumvent the sandbox protection mechanism and download additional malware onto the computer. Once the applet has bypassed the sandbox, it downloads a .dll file. This file is not executed immediately but registered as a service with the help of the Microsoft Register Server (regsvr32). Thus, it is started automatically at system start.

Rank 9: Exploit.CplLnk.Gen (0.51 %)
This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and has been known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of one of these files is opened in Windows in order to display its embedded icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

Rank 10: Java.Trojan.Downloader.OpenConnection.AI (0.46 %)
This Trojan downloader is found in manipulated Java applets on websites. When the applet is downloaded, a URL is generated from the applet parameters. The downloader uses this to download a malicious executable file onto the user's computer and run it. These files can be any type of malicious software. The downloader exploits the CVE-2010-0840 vulnerability in order to bypass the Java sandbox and thereby write data locally.

Methodology

The Malware Information Initiative (MII) relies on the power of the online community and any customer that purchases a G Data security solution can take part in this initiative. The prerequisite for this is that they must have activated this function in their G Data program. If a computer malware attack is fended off, a completely anonymous report of this event is sent to G Data SecurityLabs. The data about the malware is collected and statistically assessed by G Data SecurityLabs.

Total percentage of the top 10: 8.23 %

Rank Name Percentage Malware distribution by percentage within the top 10
1 Generic.Adware.Adseo.7722145B 1.76 %
Generic.Adware.Adseo.7722145B is, as the name suggests, a generic detection. Adware belongs to the category of potentially unwanted programs. When installing various types of freeware, add-on software is often installed as well as the software you actually want – the "do not install" option is often overlooked by users. This usually happens when software is downloaded from sources other than the provider.

2 Trojan.AutorunINF.Gen 0.97 %
This is a generic detection that detects both known and unknown malicious autorun.inf files. Autorun.inf files are startup files that can be misused as a distribution mechanism for malicious computer programs on USB devices, removable media, CDs and DVDs.

3 Worm.Autorun.VHG 0.95 %
This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

4 Trojan.Wimad.Gen.1 0.92 %
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

5 Exploit.CplLnk.Gen 0.83 %
This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and is known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of these files is opened in Windows, to display the included icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

6 Generic.Adware.Adseo.38E3FFEE 0.76 %
Generic.Adware.Adseo.38E3FFEE is, as the name suggests, a generic detection. Adware belongs to the category of potentially unwanted programs. When installing various types of freeware, add-on software is often installed as well as the software you actually want – the "do not install" option is often overlooked by users. This usually happens when software is downloaded from sources other than the provider.

7 Java:Agent-US [Expl] 0.62 %
This Java-based malware program is a download applet that tries to use a security vulnerability (CVE-2010-0840) to circumvent the sandbox protection mechanism and download additional malware onto the computer. Once the applet has fooled the sandbox, it downloads a .dll file and registers it as an ActiveX component.

8 Gen:Variant.Adware.Hotbar.1 0.58 %
This adware is generally secretly installed, as part of free software packages from programs such as VLC, XviD, etc., which are downloaded from sources other than the provider. The alleged sponsors of this latest software are 'Click Potato' and 'Hotbar'. All packages are digitally signed by a certain "Pinball Corporation", and the adware will automatically run whenever Windows starts, integrating itself as a systray icon.

9 Adware.Hotbar.GG 0.42 %
Adware belongs to the category of potentially unwanted programs. Adware.Hotbar.GG is a Browser Helper Object (BHO): a "Smartshopper" toolbar, "Shopping Report" toolbar or something similar. The files are digitally signed by "Pinball Corporation" or, in some cases, by "Smartshopper Technologies", too. The browser add-in referred to previously provides price comparisons on products and offers special services provided by partners of the Pinball company.

10 Java.Trojan.Downloader.OpenConnection.AI 0.42 %
This Trojan downloader is found in manipulated Java applets on websites. When the applet is downloaded, a URL is generated from the applet parameters. The downloader uses this to download a malicious executable file onto the user's computer and run it. These files can be any type of malicious software. The downloader exploits the CVE-2010-0840 vulnerability in order to bypass the Java sandbox and thereby write local data.


Total percentage of the top 10: 9.15 %

Rank Name Percentage Malware distribution by percentage within the top 10
1 Adware.Agent.NGZ 2.64 %
This adware is generally secretly installed, as part of free software packages from programs such as VLC, XviD, etc., which are downloaded from sources other than the provider.
Adware.Agent.NGZ is a simple program and is hidden in free tutorials for popular software programs. It opens an advertising website on ads.eorezo.com every time the browser is used. This most probably generates money per click for the operator. Adware.Agent.NGZ is a successor of Adware.Agent.NFT, which handles the URL differently.

2 Gen:Variant.Adware.Hotbar.1 0.98 %
This adware is generally secretly installed, as part of free software packages from programs such as VLC, XviD, etc., which are downloaded from sources other than the provider. The alleged sponsors of this latest software are 'Click Potato' and 'Hotbar'. All packages are digitally signed by a certain "Pinball Corporation", and the adware will automatically run whenever Windows starts, integrating itself as a systray icon.

3 Worm.Autorun.VHG 0.91 %
This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

4 Trojan.AutorunINF.Gen 0.89 %
This is a generic detection that detects both known and unknown malicious autorun.inf files. Autorun.inf files are startup files that can be misused as a distribution mechanism for malicious computer programs on USB devices, removable media, CDs and DVDs.

5 Trojan.Wimad.Gen.1 0.86 %
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

6 Exploit.CplLnk.Gen 0.82 %
This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and is known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of these files is opened in Windows, to display the included icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

7 Adware.Agent.NFT 0.61 %
This adware is generally secretly installed, as part of free software packages from programs such as VLC, XviD, etc., which are downloaded from sources other than the provider.
Adware.Agent.NGZ is a simple program and is hidden in free tutorials for popular software programs. It opens an advertising website on ads.eorezo.com every time the browser is used. This most probably generates money per click for the operator.

8 Java.Trojan.Exploit.Bytverify.Q 0.51 %
This exploit takes advantage of the vulnerability in the Java Runtime Environment described in CVE-2010-0094. If the exploit is successful, the attacker can bypass the Java sandbox restrictions and execute malicious code, which, for example, can then download further malicious code. The danger lurks in manipulated Java applets, which are often integrated into web pages.

9 Java.Trojan.Downloader.OpenConnection.AI 0.51 %
This Trojan downloader is found in manipulated Java applets on websites. When the applet is downloaded, a URL is generated from the applet parameters. The downloader uses this to download a malicious executable file onto the user's computer and run it. These files can be any type of malicious software. The downloader exploits the CVE-2010-0840 vulnerability in order to bypass the Java sandbox and thereby write local data.

10 JS:Downloader-AUY [Trj] 0.42 %
JS:Downloader-AUY [Trj] is an obfuscated JavaScript that can trigger other malware, mainly exploits.
JS:Downloader-AUY has already been part of a "malware chain". It starts with this, or some comparable JS:Downloader, executed by the web browser. It unpacks obfuscated HTML code, which the browser should interpret to load a malicious Java applet. This Java applet contains an exploit, for example one against CVE-2010-0840. If this exploit is successful, the attacker can bypass the Java sandbox restrictions and execute malicious code, which, for example, can then download further malicious code, e.g. a FakeAV, a kind of banking Trojan, some ransomware or anything else.


Total percentage of the top 10: 7.85 %

Rank Name Percentage Malware distribution by percentage within the top 10
1 Exploit.CplLnk.Gen 1.20 %
This exploit uses a faulty verification of .lnk and .pif files in the processing of Windows shortcuts and is known as CVE-2010-2568 since mid-2011. As soon as a manipulated version of these files is opened in Windows, to display the included icon in Windows Explorer, the attacker's code is executed immediately. This code can be loaded from a local file system (e.g. from a removable storage device that also hosts the manipulated .lnk file) or via a WebDAV share over the Internet.

2 Trojan.Wimad.Gen.1 1.05 %
This Trojan pretends to be a normal .wma audio file, albeit one that can only be played after installing a special codec/decoder on Windows systems. If a user executes the file, the attacker can install all kinds of malicious code on the system. The infected audio files are primarily spread via file sharing networks.

3 Worm.Autorun.VHG 1.00 %
This malicious software program is a worm that spreads using the autorun.inf feature on Windows operating systems. It uses removable media, such as USB flash drives or external hard drives. It is an Internet and network worm that exploits the CVE-2008-4250 vulnerability in Windows.

4 Trojan.AutorunINF.Gen 0.94 %
This is a generic detection that detects both known and unknown malicious autorun.inf files. Autorun.inf files are startup files that can be misused as a distribution mechanism for malicious computer programs on USB devices, removable media, CDs and DVDs.

5 Gen:Variant.Adware.Hotbar.1 0.81 %
This adware is generally secretly installed, as part of free software packages from programs such as VLC, XviD, etc., which are downloaded from sources other than the provider. The alleged sponsors of this latest software are 'Click Potato' and 'Hotbar'. All packages are digitally signed by a certain "Pinball Corporation", and the adware will automatically run whenever Windows starts, integrating itself as a systray icon.

6 Win32.Ramnit.N 0.61 %
Win32.Ramnit.N is a standard file infector that infects executable files (.exe), dynamic libraries (.dll) and HTML files stored on the hard disk. After executing an infected .exe file or loading an infected .dll file, another .exe (the main infector) is dropped to the computer. An autorun function is also created to launch this dropped file upon each reboot. The infector connects to several servers via HTTP or HTTPS. However, the communication protocol deviates from the norm.
The infector regularly scans every local folder on the hard disk and infects several, if not all, .exe, .dll and HTML files with a dropper. This copies the same file infector as the originally infected file. Infected HTML files contain a VB script that copies the infector when a user opens the website in an IE browser. However, from version 6.0, IE asks whether the script should really be run.

7 Java.Trojan.Exploit.Bytverify.Q 0.61 %
This exploit takes advantage of the vulnerability in the Java Runtime Environment described in CVE-2010-0094. If the exploit is successful, the attacker can bypass the Java sandbox restrictions and execute malicious code, which, for example, can then download further malicious code. The danger lurks in manipulated Java applets, which are often integrated into web pages.

8 Java.Trojan.Downloader.OpenConnection.AI 0.59 %
This Trojan downloader is found in manipulated Java applets on websites. When the applet is downloaded, a URL is generated from the applet parameters. The downloader uses this to download a malicious executable file onto the user's computer and run it. These files can be any type of malicious software. The downloader exploits the CVE-2010-0840 vulnerability in order to bypass the Java sandbox and thereby write local data.

9 Win32.Ramnit.C 0.56 %
Win32.Ramnit.C is a standard file infector that infects executable files (.exe), dynamic libraries (.dll) and HTML files stored on the hard disk. After executing an infected .exe file or loading an infected .dll file, another .exe (the main infector) is dropped to the computer. An autorun function is also created to launch this dropped file upon each reboot. The infector connects to several servers via HTTP or HTTPS. However, the communication protocol deviates from the norm.
The infector regularly scans every local folder on the hard disk and infects several, if not all, .exe, .dll and HTML files with a dropper. This copies the same file infector as the originally infected file. Infected HTML files contain a VB script that copies the infector when a user opens the website in an IE browser. However, from version 6.0, IE asks whether the script should really be run.

10 Java.Trojan.Downloader.OpenConnection.AN 0.48 %
This Trojan downloader is located in manipulated Java applets on websites. When the applet is downloaded, a URL is generated from the applet parameters. The downloader uses this to download a malicious executable file onto the user's computer and run it. Such files can be any type of malware. The downloader exploits the CVE-2010-0840 vulnerability to break out of the Java sandbox and write data to the system.
