Trojan.ByteVerify exploits the
Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (BID 6221) to gain elevated privileges on the compromised system. When the malicious Java class is executed, it escapes the Java sandbox restrictions using 'Blackbox.class'. It accomplishes this by declaring a new 'PermissionDataSet' with the 'setFullyTrusted' parameter set to 'True'. It then creates a trusted 'PermissionSet' and sets the permission to this by creating its own 'URLClassLoader' class derived from the 'VerifierBug.class'.
The Trojan then loads 'Beyond.class' using the 'URLClassLoader' from the above 'Blackbox.class'. It then gains elevated privileges by invoking the '.assertPermission' method from of the 'PolicyEngine' class in 'Beyond.class'.
It then connects to [http://]www.clavus.net/lst.[REMOVED] and parse the text of that page. It uses text from this page to determine what to set the Internet Explorer start page to. It will also add links to several pornographic websites to the user's Favorites folder.
Finally, the Trojan may also attempt to download and install dialer programs on the compromised system.
