Virus Profile: Exploit-PDF.i

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/19/2009
Date Added: 1/19/2009
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 5500
Removal Instructions

Description

This detection covers trojans in the form of *.PDF files that attempt to exploit a vulnerability in Adobe Reader.

Indication of Infection

  • Presence of the mentioned files.

Methods of Infection

The malicious PDF file may be sent via e-mail or downloaded from a remote site.


Virus Characteristics

------------Update May 16, 2012-------------------------------

Newer variants have also exhibited the following behavior:

Exploit-PDF.i is a malicious PDF that contains exploits for CVE-2010-2883, CVE-2010-3654 and CVE-2011-0611. Successful exploitation installs a backdoor Trojan that could allow unauthorized access to the infected host. On successful exploitation the following files are written to the system:

  • %UserProfile%\Local Settings\Temp\winword.js (detected as VBS/Dropper.a)
  • %UserProfile%\Local Settings\Temp\Adobe.pdf (benign)
  • %UserProfile%\Local Settings\Temp\~~tempq.tmp.bat (later deleted)
  • %UserProfile%\Local Settings\Temp\~~tempq.tmp.dat (later deleted)
  • %UserProfile%\Local Settings\Temp\~~tempq.tmp (later deleted)
  • %UserProfile%\Local Settings\Application Data\Windows Update\wuauserv.exe (detected as Generic BackDoor.u)
  • %UserProfile%\Local Settings\Application Data\Windows Update\wuauserv.dll (detected as Generic BackDoor.u)

The benign PDF ‘Adobe.pdf’ is then opened as a decoy, so that the user sees nothing unexpected.

Upon execution of the malicious files, they are deleted and the following files are added to the system:

  • %UserProfile%\Local Settings\Application Data\Windows Update\wuauserv.exe (detected as Generic BackDoor.u)
  • %UserProfile%\Local Settings\Application Data\Windows Update\wuauserv.dll (detected as Generic BackDoor.u)

Contact may be made with the following domain:

  • faq.ant[removed].org

This domain did not appear functional at the time of testing. The domain uses a self-signed, untrusted certificate.

Mitigation:

  • If possible, block access to the ports used, and monitor for and block the domain listed above.
  • Users who have been known to be infected are requested to change their passwords.

Restart Mechanism:

The following registry entry is added to the host so that the backdoor is started again after a reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
    Data: [aforementioned location]\wuauserv.exe

Mitigation:

  • Remove any such startup entries (the Load value above and any equivalent Run keys).
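The dropped-file list and the Load persistence entry above can be checked on a host with a short read-only audit script. The following is an added example, not McAfee's code or a tool referenced by this profile; it reports matches and leaves remediation to the engine and DAT files recommended below. The file paths and the registry value are taken from this profile; the use of `$env:LOCALAPPDATA` as the Vista-and-later equivalent of `Local Settings\Application Data` is an assumption, as is the check of the standard Run keys for the same binary name.

```powershell
# Added example (not McAfee's code): audit a host for the Exploit-PDF.i
# artefacts listed in this profile. Read-only: reports, does not remove.
$ErrorActionPreference = 'SilentlyContinue'

# Candidate profile locations. The profile lists the Windows XP layout
# (%UserProfile%\Local Settings\...); the LOCALAPPDATA mapping for Vista
# and later is an assumption, not something the profile states.
$appDataDirs = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data\Windows Update'),
    (Join-Path $env:LOCALAPPDATA 'Windows Update')
)
$tempDirs = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Temp'),
    $env:TEMP
)

# File names taken from the profile (both the 2012 update and the original entry).
$appDataNames = 'wuauserv.exe', 'wuauserv.dll'
$tempNames    = 'winword.js', 'Adobe.pdf', 'svchost.exe', 'temp.exe'

$findings = @()

function Add-FileFinding([string]$path) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $script:findings += [pscustomobject]@{
            Type = 'File'; Location = $path; Detail = "SHA256=$hash"
        }
    }
}

foreach ($dir in $appDataDirs) { foreach ($n in $appDataNames) { Add-FileFinding (Join-Path $dir $n) } }
foreach ($dir in $tempDirs)    { foreach ($n in $tempNames)    { Add-FileFinding (Join-Path $dir $n) } }

# Persistence: the Load value under HKCU\...\Windows NT\CurrentVersion\Windows.
# A non-empty Load value is rare on a workstation, so any value is worth review,
# not only one pointing at wuauserv.exe.
$winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $winKey -Name Load).Load
if ($load) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$winKey\Load"; Detail = $load }
}

# Assumption: also look at the ordinary Run keys for the same binary name,
# in case a variant uses them instead of the Load value.
foreach ($hive in 'HKCU', 'HKLM') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $runKey
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'wuauserv\.exe') {
                $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$runKey\$($p.Name)"; Detail = $p.Value }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Exploit-PDF.i artefacts found.'
    exit 0
}
$findings | Format-Table -AutoSize
exit 1   # non-zero so a deployment tool can flag the host for cleaning
```

Run it in the context of the user whose profile is being checked (the Load value lives under HKEY_CURRENT_USER, so a different account's hive is not visible). A hit on a file is a reason to run the current engine and DAT files, not to delete by hand; the SHA256 in the output lets you compare against the detections named in the profile.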

-----------------------------------------------------------------

This detection covers trojans in the form of *.PDF files that attempt to exploit a vulnerability in Adobe Reader.

When successful, the following files are dropped and installed:

  • %UserProfile%\Local Settings\Temp\svchost.exe (Backdoor-DTJ trojan)
  • %UserProfile%\Local Settings\Temp\temp.exe (Generic Dropper.ck trojan)

(Where %UserProfile% is the Windows user profile folder, e.g. C:\Documents and Settings\USER, and %SystemDir% is the Windows system folder, e.g. C:\Windows\System32.)

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

In some cases, however, the following additional steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.