Virus Characteristics
Aliases
- Kaspersky - Exploit.JS.Pdfka.fvj
- NOD32 - JS/Exploit.Pdfka.PLM
- Sophos - Troj/PdfJs-XW
- Microsoft- Exploit:Win32/Pdfjsc.ABS
“Exploit-PDF.px” is the detection name for specially crafted PDF files that attempt to exploit software vulnerabilities in Adobe Acrobat and Adobe Reader.
These PDF files contain obfuscated JavaScript that runs when the file is loaded, for example when it is opened in a vulnerable version of Adobe Acrobat or Adobe Reader. The embedded JavaScript may carry malicious instructions, such as commands to download and install other malware from a malicious site.
Some of the vulnerabilities that various “Exploit-PDF.px” samples have been known to exploit are:
- CVE-2009-0927 (stack-based buffer overflow in the Collab.getIcon JavaScript method of Adobe Reader and Acrobat, triggered by a crafted argument)
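The two characteristics above (JavaScript hidden in compressed PDF streams, and a call into the vulnerable Collab.getIcon method) are what an analyst looks for when triaging a suspected sample without opening it in Reader. The following static scanner is an added example written for this page, not McAfee's detection logic: it parses raw PDF objects with regular expressions, inflates FlateDecode streams, follows /JS indirect references and flags idioms typical of obfuscated exploit JavaScript. The sample PDF it builds is constructed inline for demonstration and is not a working exploit; the regexes and signature names are this example's own assumptions. It does not handle object streams, other filters, or encrypted PDFs, which real samples use to hide the same content.

```python
"""Static triage of a PDF for embedded JavaScript.  Added example, not
vendor code.  Parses raw PDF objects with regexes (no external library),
inflates FlateDecode streams, follows /JS references and flags common
exploit idioms.  Assumptions: uncompressed object table, no object streams."""
import re
import sys
import zlib

# Dictionary keys that let a PDF run code or act when the file is opened.
TRIGGER_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
                b"/EmbeddedFile", b"/RichMedia")

# Idioms common in obfuscated PDF JavaScript (example signatures, not a
# vendor's).  Collab.getIcon is the method whose overflow is CVE-2009-0927.
JS_SIGNATURES = {
    "unescape": re.compile(r"unescape\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "unicode_escape_blob": re.compile(r"(?:%u[0-9a-fA-F]{4}){8,}"),
    "collab_getIcon": re.compile(r"Collab\.getIcon"),
    "util_printf": re.compile(r"util\.printf"),
}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
INLINE_JS_RE = re.compile(rb"/JS\s*\((.*?)\)\s*(?:/|>>)", re.DOTALL)


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (object body bytes, decoded stream bytes or None)."""
    objects = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        stream = None
        sm = STREAM_RE.search(body)
        if sm:
            stream = sm.group(1)
            if b"/FlateDecode" in body:
                try:
                    stream = zlib.decompress(stream)
                except zlib.error:
                    stream = b"<undecodable FlateDecode stream>"
        objects[num] = (body, stream)
    return objects


def extract_javascript(objects: dict) -> list:
    """Return decoded JavaScript found through /JS, inline or by reference."""
    scripts = []
    for body, _ in objects.values():
        for ref in REF_RE.findall(body):          # /JS 5 0 R -> object 5's stream
            target = objects.get(int(ref))
            if target and target[1] is not None:
                scripts.append(target[1].decode("latin-1"))
        for inline in INLINE_JS_RE.findall(body):  # /JS (code...) literal string
            scripts.append(inline.decode("latin-1"))
    return scripts


def triage(pdf: bytes) -> dict:
    """Summarise triggers and JavaScript idioms present in the file."""
    objects = parse_objects(pdf)
    triggers = sorted({k.decode() for body, _ in objects.values()
                       for k in TRIGGER_KEYS if k in body})
    scripts = extract_javascript(objects)
    hits = sorted({name for js in scripts
                   for name, rx in JS_SIGNATURES.items() if rx.search(js)})
    return {"objects": len(objects), "triggers": triggers,
            "scripts": scripts, "signatures": hits}


# Constructed sample script mimicking the pattern described above: escaped
# shellcode, a heap spray and an oversized argument to Collab.getIcon.
# Deliberately inert (NOP bytes, no real payload).
SAMPLE_JS = (
    'var sc = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");\n'
    'var spray = unescape("%u0c0c%u0c0c"); while (spray.length < 0x10000) spray += spray;\n'
    'var pad = "";\n'
    'for (var i = 0; i < 4096; i++) pad += String.fromCharCode(0x41);\n'
    'Collab.getIcon(pad);\n'
)


def build_sample_pdf(js: str) -> bytes:
    """Build a minimal PDF whose /OpenAction runs a FlateDecode-compressed script."""
    body = zlib.compress(js.encode("latin-1"))
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
        b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n"
        b"5 0 obj\n<< /Length " + str(len(body)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    # Usage: python pdf_triage.py [suspect.pdf]; without an argument it scans
    # the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf(SAMPLE_JS)
    report = triage(data)
    print("objects:", report["objects"])
    print("triggers:", report["triggers"])
    print("signatures:", report["signatures"])
    for script in report["scripts"]:
        print("--- extracted JavaScript ---\n" + script)
```

A clean document with no JavaScript yields empty trigger and signature lists; a hit on "collab_getIcon" together with "unicode_escape_blob" or a large "fromCharCode" loop is the combination worth escalating, since it matches the CVE-2009-0927 pattern rather than ordinary form scripting. Treat every extracted script as hostile input and never run it outside an isolated analysis VM.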
When the exploit succeeds, the following files are created in the location below:
- %Temp%\AcrF9B2.tmp
- %Temp%\AcrF9B3.tmp
- %Temp%\AcrF9B4.tmp
The following folders are created on the system:
- %AppData%\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary
- %AppData%\Adobe\Linguistics\Dictionaries\Adobe Custom Dictionary\all
The following registry key is created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
The following registry values are modified on the system:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\Version: "3.0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\Version: "1.1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\: "{C523F390-9C83-11D3-9094-00104BD0D535}"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\: "{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}"
- HKEY_USERS\S-1-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 80 7E 39 29 A0 31 C6 01 01 00 00 00 C0 A8 C7 96 00 00 00 00 00 00 00 00