
Exploit.JS.Pdfka.dcm

Detected Dec 29 2010 06:41 GMT
Released Dec 29 2010 12:12 GMT
Published Mar 22 2011 08:19 GMT


Technical Details

This exploit uses vulnerabilities in Adobe Reader and Acrobat to execute code on the user's computer. It is a PDF document containing embedded JavaScript. It is 5195 bytes in size.


Payload

The malicious PDF document contains a compressed data stream that is unpacked when the document is opened and consists of obfuscated JavaScript. Once the deobfuscated script runs, it determines which version of the Adobe product is installed on the system, as well as the version of the Adobe Acrobat EScript plug-in (the component that implements Acrobat's JavaScript engine). Depending on the version found, it then exploits the corresponding vulnerability in that product. Versions 6, 7, and 8 of Adobe Reader and Acrobat are vulnerable, as are versions 7.1, 7.11, 8.12, 8.13, 8.17, 9, 9.1, and 9.2 of the EScript plug-in.

The exploit uses vulnerabilities that are triggered when the method Doc.media.newPlayer is processed (CVE-2009-4324), and when the functions Collab.collectEmailInfo() (CVE-2007-5659), Collab.getIcon() (CVE-2009-0927), and util.printf() (CVE-2008-2992) are called.
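The two paragraphs above describe the whole chain a responder has to unpick: a FlateDecode stream, obfuscated JavaScript, a version check on app.viewerVersion, and a call into one of the four vulnerable APIs. The following triage script is an added example and not Kaspersky's code or the dcm sample itself; it builds a constructed PDF in memory whose compressed stream carries lightly obfuscated (string-split) JavaScript, inflates every stream, collapses the string concatenation, and maps the API names that remain to the CVEs listed above. The sample JavaScript, the concatenation-based obfuscation, and the `build_sample` / `triage` helper names are assumptions for illustration; the real exploit picks only one of the four paths at run time.

```python
"""Triage a PDF for the JavaScript APIs abused by Exploit.JS.Pdfka.dcm.

Added example (not Kaspersky's code). Runs offline; no Adobe product needed.
"""
import re
import zlib

# API name -> CVE, exactly as listed in the description above.
VULNERABLE_APIS = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
    "Collab.getIcon": "CVE-2009-0927",
    "media.newPlayer": "CVE-2009-4324",
}

# stream ... endstream bodies; DOTALL because inflated data spans lines.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# Split-string obfuscation ("Col" + "lab") is collapsed before matching.
CONCAT_RE = re.compile(r"""["']\s*\+\s*["']""")

# Constructed sample JavaScript (assumption, not the real dcm script): it
# fingerprints the viewer version, then builds the vulnerable call from
# string fragments so the API name never appears contiguously on disk.
SAMPLE_JS = """\
var v = app.viewerVersion;
var call = "";
if (v < 8)       call = "Collab.collect" + "EmailInfo({subj:'a', msg:'b'})";
else if (v < 9)  call = "Collab.get" + "Icon('a')";
else             call = "this.media.new" + "Player(null)";
eval(call);
eval("util.pr" + "intf('%d', 1)");
"""


def build_sample() -> bytes:
    """Constructed minimal PDF: OpenAction -> JavaScript in a Flate stream."""
    body = zlib.compress(SAMPLE_JS.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def extract_streams(pdf: bytes) -> list:
    """Return every stream body, inflated when it is zlib data, else raw."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            # decompressobj tolerates the trailing newline before endstream.
            bodies.append(zlib.decompressobj().decompress(raw))
        except zlib.error:
            bodies.append(raw)
    return bodies


def deobfuscate(js: str) -> str:
    """Undo trivial "a" + "b" string splitting so API names reassemble."""
    return CONCAT_RE.sub("", js)


def triage(pdf: bytes) -> dict:
    """Report JS presence, version fingerprinting and the CVEs implicated."""
    text = deobfuscate(b"".join(extract_streams(pdf)).decode("latin-1"))
    hits = {api: cve for api, cve in VULNERABLE_APIS.items() if api in text}
    return {
        "has_javascript": b"/JavaScript" in pdf or b"/JS" in pdf,
        "fingerprints_version": "app.viewerVersion" in text
                                or "app.plugIns" in text,
        "apis": sorted(hits),
        "cves": sorted(set(hits.values())),
    }


if __name__ == "__main__":
    print(triage(build_sample()))
```

Because matching is done on the inflated, de-split text rather than on the raw file, the same function flags a document whether the script was stored in clear, Flate-compressed, or split into fragments; a hit on `fingerprints_version` together with any of the four APIs is the pattern to look for when hunting for this family in a mail or web-proxy quarantine.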

Depending on the vulnerability used, the malware downloads a file located at one of the following links:


http://de***o.cc/nnakdw/forum.php?f=PDF (GetIcon)&key=9b562fa34ce9c8505cbeab290c0c9f46&u=root
http://de***o.cc/nnakdw/forum.php?f=PDF(newPlayer)&key=9b562fa34ce9c8505cbeab290c0c9f46&u=root
http://de***o.cc/nnakdw/forum.php?f=PDF (printf)&key=9b562fa34ce9c8505cbeab290c0c9f46&u=root
http://de***o.cc/nnakdw/forum.php?f=PDF(Collab)&key=9b562fa34ce9c8505cbeab290c0c9f46&u=root
The downloaded file is saved in the current user's temporary files directory under the name:
%Temp%\a.exe
The malware then launches the downloaded file. At the time of writing, these links were inactive.


Removal instructions

If your computer has no antivirus software and is infected by this malicious program, follow the instructions below to remove it:

  1. Delete the original exploit file (its location depends on how the program reached the computer).
  2. Install the Adobe updates covering the vulnerabilities listed above:
    http://www.adobe.com/support/security/bulletins/apsb09-04.html
    http://www.adobe.com/support/security/bulletins/apsb09-06.html
    http://www.adobe.com/support/security/bulletins/apsb08-13.html
    http://www.adobe.com/support/security/advisories/apsa09-07.html
  3. Delete the following file:
    %Temp%\a.exe
  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases.


Exploit

Exploits are programs that contain data or executable code that take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.


Aliases

Exploit.JS.Pdfka.dcm (Kaspersky Lab) is also known as:

  • Mal/PDFJs-W (Sophos)
  • Exploit:Win32/Pdfjsc.LM (MS(OneCare))
  • Exploit.PDF.1896 (DrWeb)
  • a variant of Win32/Agent.ITPSICH trojan (Nod32)
  • JS/Exploit.Pdfka.OOV trojan (Nod32)
  • JS:Pdfka-AWS [Expl] (AVAST)
  • Trojan.Gen.2 (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)