Exploit-PDF.q.gen!stream

Type
Trojan
SubType
Generic
Discovery Date
05/30/2009
Length
varies
Minimum DAT
5635 (06/03/2009)
Updated DAT
6043 (07/14/2010)
Minimum Engine
5.3.00
Description Added
05/30/2009
Description Modified
02/26/2010 1:05 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update 26/02/2010 --

File Information

    • MD5 - 14BED33B450C3804B8731741FFE12C18
    • SHA-1 - 543D3B119C39158C918C7988C43503B38F0F1D2C

This exploit contains heavily encrypted JavaScript that, once the PDF file is opened, downloads a Trojan to the following locations:

    • %WinDir%\windex.exe
    • %WinDir%\winup.exe

[The two files above are identical copies under different names]

The downloaded Trojan steals the compromised user's physical (MAC) address and sends it to the remote attacker.

The exploit also connects to the site "updates.bcc[removed].net".

[Where %WinDir% is the Windows Directory, for example C:\Windows]

--

-- Update January 5, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2010/01/04/adobe_reader_attack/

--

-- Update January 4, 2010 --

Today we came across a new PDF file which exploits another vulnerability in Adobe Acrobat Reader. When run, it exploits the Adobe Doc.media.newPlayer() Stack Overflow Vulnerability, CVE-2009-4324.

The exploit drops two files onto the system and crashes the Adobe Reader process. The dropped files are:

    • %TEMP%\temp.exe
    • %WINDOWS%\system32\hepfixs.exe

(where %TEMP% points to the temporary folder of the logged-in user, and %WINDOWS% points to the Windows installation directory)

Both files are already detected as W32/IRCbot.worm and Generic Dropper.op.

The exploit did not work when Data Execution Prevention (DEP) was enabled on the system. This configuration is on by default in Windows XP SP2 and SP3. In that case, the only behaviour observed was the crash of the Adobe Reader process.

--

This detection covers a Trojan in the form of *.PDF files that attempts to exploit a vulnerability in Adobe Reader. When run, it exploits the Adobe getIcon() Stack Overflow Vulnerability, CVE-2009-0927. The exploit connects to the following URL:

hxxp://www.motionvm.com/[blocked]

It downloads a Trojan that is detected as Generic.dx!gsi (or as other names).

For more information about the vulnerability, please refer to Adobe's disclosure:
http://www.adobe.com/support/security/bulletins/apsb09-04.html

Symptoms

Presence of network traffic to the URL mentioned above.

Method of Infection

The malicious PDF file may be sent via e-mail or downloaded from a remote site.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

Aliases

    • Exploit.JS.Pdfka.aek (Kaspersky)
    • Exploit:Win32/Pdfjsc.gen!A (Microsoft)