Trojan-Dropper:Java/Ourt.A silently installs malicious web browser extensions that inject advertising content into the victim's Facebook page and spams their friends list with messages containing malicious file attachments.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Trojan-Dropper:Java/Ourt.A is distributed in malicious VBS files attached to Facebook chat messages. The text of the message may be random, and the attached file will use a filename such as "Watch Thiss!!!.vbs" (or similar enticing wording).

If the recipient clicks on the attached file, it will silently create a folder on the recipient's machine named 'C:\MyFolderakis', into which it drops a zipped file containing 3 components: a BAT file, a Java installer and a JAR file.

The BAT file first checks if Java is installed on the machine; if not, it silently installs Java. The BAT file then runs the JAR file, which copies itself to the Startup folder to stay persistent and then silently installs malicious extensions or add-ons for both the Firefox and Chrome web browsers.

The browser extension will inject advertising content into the victim's Facebook page. It will also spam malicious messages to the victim's Facebook friends list, to further its spread.