
Exploit.JS.Pdfka.crr

Detected Aug 17 2010 17:57 GMT
Released Aug 18 2010 04:09 GMT
Published Apr 05 2011 12:27 GMT


Technical Details

This exploit uses vulnerabilities in Adobe Reader and Adobe Acrobat. It is a PDF document containing JavaScript. It is 3727 bytes in size.


Payload

The malicious PDF document contains a compressed data stream which is unpacked when the document is opened and which holds obfuscated JavaScript. Once the script has been decoded, the exploit triggers a vulnerability in the util.printd() and Doc.media.newPlayer() methods (CVE-2009-4324) and downloads a file from the following URL:

http://dru***rma.com/x/loadpdf.php?ids=AMPlayerPDF

The downloaded file is saved in the current user's temporary files directory (%Temp%) as:

%Temp%\e.exe

The downloaded file is then launched for execution.
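The behaviour described above (a FlateDecode-compressed stream hiding JavaScript that references util.printd, Doc.media.newPlayer and a download URL) is the kind of thing a plain string search over the PDF misses. The following static-triage script is an added example, not code from Kaspersky Lab or from this description: it inflates every FlateDecode stream, looks for the indicators named on this page, and compares the file's MD5/SHA1 against the hashes listed below. The sample PDF it builds is a constructed test fixture, and the download host in it is a placeholder since the real host is masked on the page.

```python
"""Static triage of a PDF for the indicators described above (added example)."""
import hashlib
import re
import zlib

# File hashes published for Exploit.JS.Pdfka.crr (taken from this description).
KNOWN_BAD_MD5 = {"18a021e8ec3686dbce781fe35af88a9f"}
KNOWN_BAD_SHA1 = {"81c41b5e0df05e1773a267f6af473878290a10be"}

# Byte patterns drawn from the description: JavaScript actions, the two
# methods involved in CVE-2009-4324, and the download URL path.
INDICATORS = (
    (b"/JavaScript", "JavaScript action"),
    (b"/JS", "JS object"),
    (b"util.printd", "util.printd call"),
    (b"media.newPlayer", "Doc.media.newPlayer (CVE-2009-4324)"),
    (b"loadpdf.php?ids=AMPlayerPDF", "download URL fragment"),
)

# A stream object: its dictionary (one level of nesting allowed) and its body.
STREAM_RE = re.compile(
    rb"(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL
)


def extract_streams(pdf):
    """Yield (dictionary, body) for each stream, inflating FlateDecode bodies.

    decompressobj() is used instead of zlib.decompress() so that a truncated
    stream, common in malformed exploit PDFs, still yields whatever prefix
    inflates cleanly instead of raising.
    """
    for match in STREAM_RE.finditer(pdf):
        dictionary, body = match.group(1), match.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass  # not deflate data after all; scan the raw bytes instead
        yield dictionary, body


def scan_pdf(pdf):
    """Return hashes, a known-bad verdict and the indicator labels found."""
    found = set()
    # Raw file first: object dictionaries and uncompressed streams are visible as-is.
    for pattern, label in INDICATORS:
        if pattern in pdf:
            found.add(label)
    # Then every stream after inflation: this is where the compressed,
    # obfuscated script hides from a plain string search.
    for dictionary, body in extract_streams(pdf):
        for pattern, label in INDICATORS:
            if pattern in dictionary or pattern in body:
                found.add(label)
    md5 = hashlib.md5(pdf).hexdigest()
    sha1 = hashlib.sha1(pdf).hexdigest()
    return {
        "md5": md5,
        "sha1": sha1,
        "known_bad": md5 in KNOWN_BAD_MD5 or sha1 in KNOWN_BAD_SHA1,
        "indicators": sorted(found),
    }


def build_sample_pdf(script=None):
    """Construct a minimal PDF test fixture (not a real sample).

    With `script`, the file carries an OpenAction that runs it from a
    FlateDecode-compressed stream, mirroring the layout in the description.
    """
    objs = [
        b"<< /Type /Pages /Kids [2 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 1 0 R >>",
    ]
    catalog = b"<< /Type /Catalog /Pages 1 0 R"
    if script is not None:
        packed = zlib.compress(script)
        objs.append(b"<< /S /JavaScript /JS 4 0 R >>")
        objs.append(
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
            + packed
            + b"\nendstream"
        )
        catalog += b" /OpenAction 3 0 R"
    objs.append(catalog + b" >>")
    out = b"%PDF-1.4\n"
    for number, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % number + body + b"\nendobj\n"
    out += b"trailer\n<< /Root %d 0 R >>\n%%%%EOF\n" % len(objs)
    return out


# Constructed script: references the methods named in the description and the
# download path with a placeholder host (the real host is masked on the page).
SAMPLE_SCRIPT = (
    b"var u = 'http://example.invalid/x/loadpdf.php?ids=AMPlayerPDF';\n"
    b"util.printd('dd/mm/yyyy', new Date());\n"
    b"var p = this.media.newPlayer;\n"
)

if __name__ == "__main__":
    for key, value in scan_pdf(build_sample_pdf(SAMPLE_SCRIPT)).items():
        print(f"{key}: {value}")
```

Running the script shows the point of inflating streams: the raw fixture bytes do not contain "util.printd" at all, yet the report lists every indicator once the FlateDecode stream has been decompressed. The hash comparison is only useful for this exact 3727-byte sample; the indicator scan also catches repacked variants, at the cost of occasional hits on benign documents that legitimately use util.printd.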


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following file:
    %Temp%\e.exe
  3. Empty the Temporary Internet Files directory, which may contain infected files (see "How to delete infected files from the Temporary Internet Files folder?").
  4. Install the following update:
    http://www.adobe.com/support/security/bulletins/apsb09-04.html
  5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: 18A021E8EC3686DBCE781FE35AF88A9F
SHA1: 81C41B5E0DF05E1773A267F6AF473878290A10BE


Exploit

Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.


Aliases

Exploit.JS.Pdfka.crr (Kaspersky Lab) is also known as:

  • Mal/PDFJs-P (Sophos)
  • Exploit/PDF.Gen.B (Panda)
  • Exploit.PDF.1209 (DrWeb)
  • Exploit.PDF-Name.Gen (BitDef7)
  • Exploit.JS.Pdfka (Ikarus)
  • Exploit_c.HUX (AVG)
  • Bloodhound.PDF.23 (NAV)
  • PDF/Suspicious.A (Norman)
  • Exploit.JS.Pdfka.crr [AVP] (FSecure)
  • Exploit.PDF-JS.Gen (v) (Sunbelt)