- MD5 - 14BED33B450C3804B8731741FFE12C18
- SHA - 543D3B119C39158C918C7988C43503B38F0F1D2C
[The above mentioned files are same copies with different names]
The downloaded Trojan steals the compromised user's Physical address [MAC Address] and sends it to the remote attacker.
Also, the exploit connects to the site "updates.bcc[removed].net"
[Where %WinDir% is the Windows Directory, for example C:\Windows]
-- Update January 5, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2010/01/04/adobe_reader_attack/
-- Update January 04th, 2010--
Today we came across a new PDF file which exploits another vulnerability in Adobe Acrobat Reader. When run, it exploits the Adobe Doc.media.newPlayer() Stack Overflow Vulnerability, CVE-2009-4324.
The exploit drops two files to the system, and crashs the Adobe Reader process. The dropped files are:
(where %TEMP% point to the temporary folder of the logged user, and %WINDOWS% point to the Windows installation directory)
Both files are already detected as W32/IRCbot.worm and Generic Dropper.op
The exploit did not worked when the Data Execution Prevention (DEP) is enabled on the system. This configuration is on by default in Windows XP SP2 and SP3. In this case, the only behaviour detected was the crash of the Adobe process.
This detection covers a Trojan in the form of *.PDF files that attempts to exploit a vulnerability in Adobe Reader. When run, it exploits the Adobe getIcon() Stack Overflow Vulnerability, CVE-2009-0927. The exploit connects to the following URL:
It downloads a Trojan that is detected as Generic.dx!gsi (or as other names).
For more information about the vulnerability, please refer to Adobe's disclosure: