
Exploit.JS.Pdfka.egr

Detected Jul 15 2011 05:41 GMT
Released Jul 15 2011 07:36 GMT
Published Sep 08 2011 09:22 GMT


Technical Details

An exploit that uses vulnerabilities in Adobe Reader and Acrobat to run on the user's computer. The file is a PDF document containing an XFA (XML Forms Architecture) form with malicious JavaScript. It is 61136 bytes in size.


Payload

The malicious XFA form is initialized, and its script runs, as soon as the specially crafted PDF document containing the form is opened. The form's "initialize" event handler carries obfuscated malicious JavaScript. Once deobfuscated, the script exploits a buffer overflow caused by incorrect argument handling in "libtiff.dll" (CVE-2010-0188) in order to download the file located at the following link:

http://vaskda***e.ms/d.php?f=360&e=6

The trojan saves the downloaded file in the browser's temporary file directory:

%Temporary Internet Files%\<name_of_temporary_file>

Once the file has been saved, it is executed. The downloaded file is 34304 bytes in size and is detected by Kaspersky Anti-Virus as Trojan-Ransom.Win32.PornoAsset.akv. Vulnerable products are Adobe Reader and Acrobat 8 (before version 8.2.1) and 9 (before version 9.3.1).
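Added example (not Kaspersky's code and not the sample's own script): a Python triage routine that locates the XFA packet inside a PDF, extracts every script bound to the form's initialize event and reports the indicators an analyst looks for in this technique. The PDF, the XFA template and the JavaScript in it are constructed for the demonstration and are benign; the check for a base64 image that decodes to a TIFF header is this example's assumption (libtiff parses TIFF images; the entry names only libtiff.dll).

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Constructed XFA packet (not the real sample): an image field holding a
# base64 TIFF header, and an initialize event whose script uses the helpers
# obfuscated PDF exploits typically rely on. Benign: it only builds "hi".
FAKE_TIFF = base64.b64encode(b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8).decode()
SAMPLE_XFA = f"""<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/"><subform name="form1">
<field name="ImageField1"><ui><imageEdit/></ui><value><image contentType="image/tiff">{FAKE_TIFF}</image></value></field>
<event activity="initialize"><script contentType="application/x-javascript">
var pad = unescape("%u0a0a%u0a0a%u0a0a%u0a0a"); var x = String.fromCharCode(104, 105); eval(x);
</script></event></subform></template></xdp:xdp>""".encode()
BENIGN_XFA = b"""<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/"><subform name="form1">
<event activity="click"><script contentType="application/x-javascript">xfa.host.messageBox("hi");</script></event>
</subform></template></xdp:xdp>"""


def build_sample_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Minimal PDF whose AcroForm /XFA entry references a stream holding xfa_xml."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [] /XFA 3 0 R >> >>",
            b"<< /Type /Pages /Kids [] /Count 0 >>",
            b"<< " + filt + b"/Length %d >>\nstream\n" % len(body) + body + b"\nendstream"]
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for i, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, obj)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
OBFUSCATION_MARKERS = {
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "eval": re.compile(r"\beval\s*\("),
    "unicode_escape_run": re.compile(r"(?:%u[0-9a-fA-F]{4}){4,}"),
}


@dataclass
class XfaTriage:
    xfa_streams: int = 0
    initialize_scripts: List[str] = field(default_factory=list)
    markers: List[str] = field(default_factory=list)
    tiff_images: int = 0

    @property
    def suspicious(self) -> bool:
        # A script on the initialize event, plus obfuscation or an embedded TIFF.
        return bool(self.initialize_scripts) and (bool(self.markers) or self.tiff_images > 0)


def _local(tag) -> str:
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def iter_streams(pdf: bytes):
    """Yield decoded stream bodies (regex-based; use a PDF library for real files)."""
    for m in STREAM_RE.finditer(pdf):
        obj_dict = pdf[max(pdf.rfind(b" obj", 0, m.start()), 0):m.start()]
        data = m.group(1)
        if b"/FlateDecode" in obj_dict:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        yield data


def triage_pdf(pdf: bytes) -> XfaTriage:
    """Find XFA packets, collect initialize-event scripts, score the indicators."""
    result = XfaTriage()
    for data in iter_streams(pdf):
        if b"<xdp:xdp" not in data and b"<template" not in data:
            continue
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            continue
        result.xfa_streams += 1
        for elem in root.iter():
            name = _local(elem.tag)
            if name == "event" and elem.get("activity") == "initialize":
                result.initialize_scripts += [c.text for c in elem if _local(c.tag) == "script" and c.text]
            elif name == "image" and elem.text:
                try:
                    blob = base64.b64decode(elem.text.strip())
                except ValueError:
                    continue
                if blob.startswith((b"II*\x00", b"MM\x00*")):  # little/big-endian TIFF magic
                    result.tiff_images += 1
    for script in result.initialize_scripts:
        result.markers += [k for k, p in OBFUSCATION_MARKERS.items() if p.search(script) and k not in result.markers]
    return result


SAMPLE_PDF = build_sample_pdf(SAMPLE_XFA)
```

The stream extraction deliberately ignores /Length and only handles FlateDecode, which is enough for the constructed file; real samples also split the XFA packet over several streams and use other filters, so run the same element walk over streams decoded by a proper PDF parser.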


Removal instructions

If your computer has not been protected with anti-virus software and has been infected with this malware, take the following actions to remove it:

  1. Delete the original exploit file (its location on the infected computer depends on how the file reached the computer).
  2. Clear the Temporary Internet Files directory that holds the downloaded files:
    %Temporary Internet Files%
  3. Update Adobe Reader and Acrobat to a fixed version (8.2.1 / 9.3.1 or later); see Adobe security bulletin APSB10-07:
    http://www.adobe.com/support/security/bulletins/apsb10-07.html
  4. Run a full scan of the computer with Kaspersky Anti-Virus using up-to-date antivirus databases.
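Added example (not Kaspersky's code) covering steps 1 and 2 of this procedure: a Python sweep that hashes every file under a directory, compares the digests with the MD5 and SHA1 this entry gives for the exploit file, and moves matches into a quarantine directory instead of deleting them, so a copy survives for analysis. The Temporary Internet Files locations for Windows XP and for Vista/7, the quarantine naming and the files planted by the demo run are this example's assumptions; the payload's hashes are not given on the page and are not filled in.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Set

# Hashes this entry lists for the exploit PDF. The downloaded payload's hashes
# are not on the page; add them here only once you have them from a sample.
KNOWN_BAD: Dict[str, Set[str]] = {
    "md5": {"0e7597d64683ae34a859ccf6574a5e5e"},
    "sha1": {"55c9182e85b8b8622ad6f048d4ea85b651f81c77"},
}


def temporary_internet_files_dirs() -> List[str]:
    """Assumed IE cache locations (Windows XP, then Vista/7); adjust per machine."""
    return [os.path.expandvars(p) for p in (
        r"%USERPROFILE%\Local Settings\Temporary Internet Files",
        r"%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files",
    )]


def file_hashes(path: str, chunk: int = 1 << 16):
    """Stream the file once and return (md5, sha1) hex digests."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root: str, known: Dict[str, Set[str]] = KNOWN_BAD) -> List[str]:
    """Walk root and return paths whose MD5 or SHA1 matches a known-bad hash."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                md5, sha1 = file_hashes(path)
            except OSError:  # locked or vanished file; the AV scan in step 4 covers it
                continue
            if md5 in known["md5"] or sha1 in known["sha1"]:
                hits.append(path)
    return hits


def quarantine(hits: List[str], qdir: str) -> Dict[str, str]:
    """Move matches into qdir, renamed by SHA1 with a non-executable extension."""
    os.makedirs(qdir, exist_ok=True)
    moved = {}
    for path in hits:
        _, sha1 = file_hashes(path)
        dest = os.path.join(qdir, sha1 + ".quarantine")
        shutil.move(path, dest)
        moved[path] = dest
    return moved


def run_demo() -> Dict[str, object]:
    """Constructed end-to-end run: plant a marker file, sweep the cache, quarantine it."""
    base = tempfile.mkdtemp(prefix="pdfka_demo_")
    try:
        cache = os.path.join(base, "Temporary Internet Files")
        qdir = os.path.join(base, "quarantine")
        os.makedirs(cache)
        bad = os.path.join(cache, "d[1].php")  # constructed marker, not the real payload
        with open(bad, "wb") as fh:
            fh.write(b"constructed marker file for the demo")
        with open(os.path.join(cache, "index.dat"), "wb") as fh:
            fh.write(b"benign cache entry")
        md5, sha1 = file_hashes(bad)
        known = {"md5": {md5}, "sha1": set()}  # demo IOC list: the marker's MD5 only
        hits = sweep(cache, known)
        moved = quarantine(hits, qdir)
        return {"hits": hits, "moved": moved, "sha1": sha1,
                "bad_gone": not os.path.exists(bad),
                "quarantined_exists": all(os.path.exists(d) for d in moved.values())}
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

On a live machine call `sweep(d)` for each entry of `temporary_internet_files_dirs()` with the real `KNOWN_BAD`; hashes only catch this exact exploit file, so step 4 (a full scan with current signatures) is still required for the downloaded payload and any variants.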


MD5: 0e7597d64683ae34a859ccf6574a5e5e
SHA1: 55c9182e85b8b8622ad6f048d4ea85b651f81c77


Exploit

Exploits are programs that contain data or executable code which take advantage of one or more vulnerabilities in software running on a local or remote computer for clearly malicious purposes.

Often, malicious users employ an exploit to penetrate a victim computer in order to subsequently install malicious code (for example, to infect all visitors to a compromised website with a malicious program). Additionally, exploits are commonly used by Net-Worms in order to hack a victim computer without any action being required from the user.

Nuker programs are notable among exploits; such programs send specially crafted requests to local or remote computers, causing the system to crash.



Aliases

Exploit.JS.Pdfka.egr (Kaspersky Lab) is also known as:

  • Trojan: Exploit-PDF.qd.gen (McAfee)
  • Troj/PDFJs-ST (Sophos)
  • Exploit:Win32/Pdfjsc.RF (MS(OneCare))
  • Exploit.PDF.2458 (DrWeb)
  • JS/Exploit.Pdfka.PAE.Gen trojan (Nod32)
  • Exploit.PDF-JS.Gen (BitDef7)
  • JS:Pdfka-BAH [Expl] (AVAST)
  • Virus.PDF.Exploit (Ikarus)
  • Script/PDF.Exploit (AVG)
  • EXP/Pidief.hhg (AVIRA)
  • PDF/Exploit.WB (Norman)
  • Exploit.PDF-JS.Gen (v) (Sunbelt)