My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


(Trojan-Downloader.Java.Agent.hx TrojanDownloader:Java/OpenStream.AM Java.Downloader.123)


Increased network activity. The presence of java.exe in the process list.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

JUHOS Csaba-Zsolt, virus researcher

Technical Description:


Java.Trojan.Downloader.OpenConnection.AI is a malicious Java applet that downloads and executes arbitrary files. In the wild, it can be found as a Java archive. The malicious HTML passes the encrypted URL of the file to download and execute as the parameter a to the applet. The applet uses the CVE-2010-0840 exploit to bypass the Java sandbox.
The JAR file contains four class files in the bpac package:
  • KAVS.class;
  • a$1.class;
  • a.class - the applet;
  • b.class - the URL decrypter.
The applet starts out by generating a random name for the executable under the system temporary directory. The name is made up entirely of random digits and has the extension ".exe" appended.
Next, it checks whether the operating system is Windows, by searching for the string Windows in the system property.
If the OS checks out, the applet downloads the file and executes it with a call to Runtime#exec.
The code is somewhat obfuscated, for example, the names of the system properties and appear reversed.
We have observed two variants of the decrypter:
  1. One performs a series of single-character replacements on the URL, then appends
    the string "?i=1".
  2. The other one is a bit more complex, it assumes the URL isn’t encrypted at all, and duplicates some of the applet’s code. It downloads the file at the given URL, assumes it’s a PE executable and checks the Characteristics field of the IMAGE_FILE_HEADER for 0x2000, i.e., IMAGE_FILE_DLL.
    It generates a random name made up of digits for the executable, under the system temporary directory, it appends the proper extension taking into account whether the file is a DLL or an EXE. If it’s an EXE, it executes it with a call to Runtime#exec, just like the applet does, if it’s a DLL, it registers it using regsvr32.