
Trojan.ByteVerify

Risk Level 1: Very Low

Discovered: September 5, 2003
Updated: July 5, 2010 1:17:51 AM
Systems Affected: Windows 2000
CVE References: CVE-2003-0111

Trojan.ByteVerify exploits the Microsoft Java Virtual Machine Bytecode Verifier Vulnerability (BID 6221) to gain elevated privileges on the compromised system. When the malicious Java class is executed, it escapes the Java sandbox restrictions using 'Blackbox.class'. It does this by declaring a new 'PermissionDataSet' with the 'setFullyTrusted' parameter set to 'True'. It then creates a trusted 'PermissionSet' and applies that permission by creating its own 'URLClassLoader' class derived from 'VerifierBug.class'.

The Trojan then loads 'Beyond.class' using the 'URLClassLoader' from the 'Blackbox.class' described above. It then gains elevated privileges by invoking the 'assertPermission' method of the 'PolicyEngine' class from 'Beyond.class'.
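As an added defensive example (not part of the Symantec writeup), the following Python parses a Java class file's constant pool and flags classes that reference the trusted-permission and policy-engine calls this technique relies on. The 'com/ms/security' package prefixes are assumed from the Microsoft SDK for Java and are not stated on this page; the sample class files are constructed inline for the check.

```python
import struct

# Byte widths of the fixed-size constant-pool entries (JVM spec 4.4).
# Tag 1 (Utf8) is variable length; tags 5 and 6 occupy two pool slots.
_FIXED_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# (class, method) pairs used by the sandbox escape described in the writeup.
# Package prefixes are an assumption taken from the MS SDK for Java.
SUSPICIOUS_PAIRS = [
    ("com/ms/security/PermissionDataSet", "setFullyTrusted"),
    ("com/ms/security/PolicyEngine", "assertPermission"),
]

def constant_pool_strings(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 entry in a .class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count, = struct.unpack_from(">H", data, 8)   # constant_pool_count
    pos, idx, found = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            length, = struct.unpack_from(">H", data, pos)
            found.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED_SIZES:
            pos += _FIXED_SIZES[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1
    return found

def flag_sandbox_escape(data: bytes) -> list[tuple[str, str]]:
    """Return the suspicious (class, method) pairs whose names both appear."""
    names = set(constant_pool_strings(data))
    return [(c, m) for c, m in SUSPICIOUS_PAIRS if c in names and m in names]

def build_sample_class(utf8_entries: list[str]) -> bytes:
    """Constructed input: a minimal class file whose pool holds only Utf8 entries."""
    pool = b"".join(struct.pack(">BH", 1, len(s.encode())) + s.encode() for s in utf8_entries)
    # magic, version 45.3, pool count, entries, then a zeroed 14-byte header tail
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 3, 45, len(utf8_entries) + 1) + pool + b"\x00" * 14

# Constructed samples: one mimicking the writeup's pattern, one benign.
SAMPLE_MALICIOUS = build_sample_class(["Blackbox", "com/ms/security/PermissionDataSet",
                                       "setFullyTrusted", "java/net/URLClassLoader"])
SAMPLE_BENIGN = build_sample_class(["Hello", "java/lang/Object", "main"])
```

Matching on names alone is a triage heuristic, not proof of exploitation; a hit marks a class worth pulling for analysis.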

It then connects to [http://]www.clavus.net/lst.[REMOVED] and parses the text of that page, using it to determine what to set the Internet Explorer start page to. It also adds links to several pornographic websites to the user's Favorites folder.

Finally, the Trojan may also attempt to download and install dialer programs on the compromised system.
Writeup By: Douglas Knowles