Virus Profile: Exploit-PDF.a

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/29/2006
Date Added: 3/29/2006
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 4729
Description

Exploit-PDF.a is a detection for a specially crafted PDF file that exploits the Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability to execute malicious code on a computer.

More information regarding this vulnerability can be found at the Adobe site:


Indication of Infection

---------------------------Updated on 26 Feb 2013-------------------------------

Because this is a generic detection, there is no specific description of the activity undertaken by JavaScript detected under this name; however, it can include malicious activity such as downloading and executing files or scripts.

--------------------------------------------------------------------------------------------

The following malicious attachment names have been observed in the wild:

  • BILL.PDF
  • INVOICE.PDF
  • STATEMET.PDF
  • YOUR_BILL.PDF

Methods of Infection

---------------------------Updated on 26 Feb 2013-------------------------------

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

--------------------------------------------------------------------------------------------

On opening the PDF attachment, code is silently run to perform the following actions:

  • Disables the Windows built-in firewall via the netsh command.
  • Downloads and executes a password stealer from http://81.95.146.[Removed]/ldr.exe
  • This password-stealer Trojan is detected as Spy-Agent.bg

Aliases

EXP/CVE-5020.A (Avira), EXPL_PIDIEF.B (Trend Micro), Exploit-PDF.a, Exploit.Win32.AdobeReader.b (Kaspersky), PDF/Exploit.Shell.A (ESET), Trojan.Pidief.A (Symantec)

Virus Characteristics

---------------------------Updated on 26 Feb 2013-------------------------------------

Aliases

Microsoft    -    Exploit:SWF/CVE-2011-0611.P
Trend        -    TROJ_PIDIEF.VEV

“Exploit-PDF” is the detection for the fake Mandiant report. Once the PDF is opened it drops an executable and creates a new process under the name "AdobeArm.tmp", which is detected as Backdoor-FAMA. It may arrive as an attachment to a spammed email message under the file name “mandiant_apt[version]_report.pdf”.

“Exploit-PDF” is the detection for specially crafted PDF files that attempt to exploit software vulnerabilities in Adobe Acrobat, Adobe Flash and Adobe Reader. The PDF document asks the user to enter a password; if the password is entered successfully, it drops files under the %temp% location.

The Trojan checks the installed component versions; Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code via a crafted PDF document.

Some of the vulnerabilities that various “Exploit-PDF” samples have been known to exploit are:

CVE-2013-0641
CVE-2011-2462

Upon execution the PDF document asks the user to enter a password; if the password is entered successfully, it drops files in the following locations and opens the Mandiant report:

  • %Temp%\AdobeArm.tmp [Detected as Backdoor-FAMA]
  • %Temp%\Mandiant_APT2_Report.pdf
  • %Temp%\winbha.dat
  • %AppData%\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6
  • %AppData%\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F
  • %AppData%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  • %AppData%\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6
  • %AppData%\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
  • %AppData%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr0.dat
  • %AllUsersProfile%\Application Data\Microsoft\Network\Downloader\qmgr1.dat

The Trojan tries to execute the dropped file and later tries to connect to the following sites in order to receive commands from the remote attacker and give access to the infected machine:

  • itsec.e[Removed]p.net
  • 0.0.[Removed].0
  • 24.131.[Removed].63
  • 190.48.[Removed].199

The following registry keys have been added to the system:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\CtlGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum

The following registry key value has been added to the system:

HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Run\Load: "%Temp%\AdobeArm.tmp"

The above registry value ensures that the Trojan registers itself on the compromised system and executes upon system boot.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\CtlGuid\
    • Guid: "GUID"
    • BitNames: " LogFlagInfo LogFlagWarning LogFlagError LogFlagFunction LogFlagRefCount LogFlagSerialize LogFlagDownload LogFlagTask LogFlagLock LogFlagService LogFlagDataBytes LogFlagTransferDetails"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\BITS\
    • LogSessionName: "stdout"
    • Active: 0x00000001
    • ControlFlags: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup\BITS_metadata: '%AllUsersProfile%\Application Data\Microsoft\Network\Downloader\*'
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\Control\
    • *NewlyCreated*: 0x00000000
    • ActiveService: "BITS"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\0000\
    • Service: "BITS"
    • Legacy: 0x00000001
    • ConfigFlags: 0x00000000
    • Class: "LegacyDriver"
    • ClassGUID: "{GUID}"
    • DeviceDesc: "Background Intelligent Transfer Service"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BITS\NextInstance: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\
    • 0: "Root\LEGACY_BITS\0000"
    • Count: 0x00000001
    • NextInstance: 0x00000001

The above registry entries confirm that the Trojan uses the “BITS” service in order to send and receive files.

The following registry key values have been modified on the system:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start: 0x00000003
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start: 0x00000002

The above registry entries confirm that the Trojan sends and receives files through the “BITS” service and sets the BITS service start type to automatic.
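A hunt-style check for the two persistence traits described above (an autorun value pointing into %Temp% and a BITS Start type no longer set to manual), written as an added example that is not part of the McAfee profile. It reads a constructed .reg export rather than the live registry; the sample data, the RunOnce key and the temp-path patterns are assumptions.

```python
import re
# Constructed sample of a Windows .reg export (assumption, not data from the
# profile); the values mirror the indicators the profile lists.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Load"="%Temp%\\AdobeArm.tmp"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000002
"""

# Autorun keys to inspect (Run is the one the profile names; RunOnce is an addition).
AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
TEMP_PATTERN = re.compile(r"%temp%|%tmp%|\\temp\\|\\appdata\\local\\temp\\", re.I)  # expanded or not
SERVICE_START = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (strings and dwords only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                data = int(raw[6:], 16)
            else:  # .reg doubles backslashes and escapes quotes in string data
                data = raw.strip('"').replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys

def find_indicators(text):
    """Return (indicator, location, detail) tuples for the two persistence traits."""
    findings = []
    for key, values in parse_reg(text).items():
        lower = key.lower()
        if lower.endswith(AUTORUN_KEYS):
            for name, data in values.items():
                if isinstance(data, str) and TEMP_PATTERN.search(data):
                    findings.append(("autorun_from_temp", f"{key}\\{name}", data))
        elif lower.endswith(r"\services\bits"):
            start = values.get("Start")
            if start is not None and start != 3:  # BITS ships with Start=3 (manual)
                findings.append(("bits_start_changed", f"{key}\\Start", SERVICE_START.get(start, hex(start))))
    return findings
```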

--------------------------------------------------------------------------------------------------

A user receives an email with a malicious PDF file attached and is requested to open the attachment contained in the message body. A copy of the spammed message is as follows:

Note: The From address is usually spoofed when sending such infectious email messages.

Variants

Variants information

Virus Name     Type     Subtype    Differences
Exploit-PDF    Trojan   Exploit

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
