Virus Profile: Exploit-PDF.q.gen!stream

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 5/30/2009
Date Added: 5/30/2009
Origin: N/A
Length: varies
Type: Trojan
Subtype: Generic
DAT Required: 5635
Description

This detection covers a Trojan in the form of *.PDF files that attempts to exploit a vulnerability in Adobe Reader.

Indication of Infection

Presence of network traffic to the URLs listed under Virus Characteristics below.

Methods of Infection

The malicious PDF file may be sent via e-mail or downloaded from a remote site.

Aliases

Exploit.JS.Pdfka.aek (Kaspersky), Exploit:Win32/Pdfjsc.gen!A (Microsoft)
   

Virus Characteristics

-- Update February 26, 2010 --

File Information

    • MD5 - 14BED33B450C3804B8731741FFE12C18
    • SHA-1 - 543D3B119C39158C918C7988C43503B38F0F1D2C

The exploit PDF contains highly obfuscated JavaScript which, once the PDF is opened, downloads a Trojan to the following locations:

    • %WinDir%\windex.exe
    • %WinDir%\winup.exe

[The two files are identical copies under different names]

The downloaded Trojan collects the compromised machine's physical (MAC) address and sends it to the remote attacker.

The exploit also connects to the site "updates.bcc[removed].net".

[Where %WinDir% is the Windows directory, for example C:\Windows]

--

-- Update January 5, 2010 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:  http://www.theregister.co.uk/2010/01/04/adobe_reader_attack/

--

-- Update January 4, 2010 --

Today we came across a new PDF file that exploits another vulnerability in Adobe Acrobat Reader. When opened, it exploits the Adobe Doc.media.newPlayer() stack overflow vulnerability, CVE-2009-4324.

The exploit drops two files to the system and crashes the Adobe Reader process. The dropped files are:

    • %TEMP%\temp.exe
    • %WINDOWS%\system32\hepfixs.exe

(where %TEMP% points to the temporary folder of the logged-on user, and %WINDOWS% points to the Windows installation directory)

Both files are already detected, as W32/IRCbot.worm and Generic Dropper.op.

The exploit did not work when Data Execution Prevention (DEP) was enabled on the system; DEP is on by default in Windows XP SP2 and SP3. In that case the only behaviour observed was the crash of the Adobe Reader process.

--

This detection covers a Trojan in the form of *.PDF files that attempts to exploit a vulnerability in Adobe Reader. When run, it exploits the Adobe getIcon() Stack Overflow Vulnerability, CVE-2009-0927. The exploit connects to the following URL:

hxxp://www.motionvm.com/[blocked]

It downloads a Trojan that is detected as Generic.dx!gsi (or under other names).
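The profile describes the carrier as a PDF whose obfuscated JavaScript calls getIcon() (CVE-2009-0927) or Doc.media.newPlayer() (CVE-2009-4324). The following triage script is an added example, not McAfee's detection logic: it walks the objects of a PDF, inflates FlateDecode streams, and reports the JavaScript carrier keys, the two API names from this profile, and common obfuscation helpers it finds. The minimal PDF it builds and the script inside it are constructed for the example; the function and constant names are this example's own.

```python
import re
import zlib

# Indicator strings taken from this profile: the APIs exploited by CVE-2009-0927
# (getIcon) and CVE-2009-4324 (Doc.media.newPlayer), the PDF keys that carry or
# auto-run JavaScript, and helpers typical of the obfuscated script it describes.
EXPLOITED_APIS = (b"getIcon", b"media.newPlayer")
JS_CARRIER_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA")
OBFUSCATION_HELPERS = (b"unescape(", b"eval(", b"String.fromCharCode")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"\bstream\r?\n")
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only


def decode_stream(raw, dictionary):
    """Inflate a /FlateDecode stream. Other filters, and damaged streams (common in
    exploit PDFs), are returned unchanged so the caller can still search them."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def triage_pdf(data):
    """Walk every 'N G obj ... endobj' block of a PDF byte string and collect the
    indicators found in each. Returns {"objects": {num: [indicator, ...]},
    "suspicious": bool}; objects without indicators are omitted."""
    objects = {}
    for match in OBJ_RE.finditer(data):
        obj_num = int(match.group(1))
        body = match.group(3)
        start = STREAM_START_RE.search(body)
        dictionary = body[:start.start()] if start else body
        hits = [k.decode() for k in JS_CARRIER_KEYS if k in dictionary]
        # Script may sit inline in the dictionary (/JS (code)) or in the stream payload.
        text = body
        if start:
            length = LENGTH_RE.search(dictionary)
            if length:  # direct /Length: slice exactly, binary-safe
                raw = body[start.end():start.end() + int(length.group(1))]
            else:       # indirect or missing /Length: fall back to the endstream keyword
                tail = STREAM_RE.search(body)
                raw = tail.group(1) if tail else b""
            text += decode_stream(raw, dictionary)
        hits += [k.decode() for k in EXPLOITED_APIS + OBFUSCATION_HELPERS if k in text]
        if hits:
            objects[obj_num] = hits
    found = {h.encode() for hits in objects.values() for h in hits}
    suspicious = bool(found & set(EXPLOITED_APIS)) or (
        bool(found & set(JS_CARRIER_KEYS)) and bool(found & set(OBFUSCATION_HELPERS))
    )
    return {"objects": objects, "suspicious": suspicious}


def build_sample_pdf(script):
    """Constructed for this example (not a sample from the profile): a minimal PDF
    whose /OpenAction runs `script` from a FlateDecode stream."""
    payload = zlib.compress(script)
    objs = [
        b"<< /Type /Catalog /Pages 4 0 R /OpenAction 2 0 R >>",
        b"<< /S /JavaScript /JS 3 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(payload)
        + payload + b"\nendstream",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed script that merely names both APIs from the profile; it does nothing harmful.
SAMPLE_SCRIPT = b'var s = unescape("%41%41"); getIcon(s); media.newPlayer(null);'

if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf(SAMPLE_SCRIPT))
    for num, hits in sorted(report["objects"].items()):
        print("obj %d: %s" % (num, ", ".join(hits)))
    print("suspicious:", report["suspicious"])
```

A PDF that carries plain JavaScript (an /OpenAction with no obfuscation helpers and neither API name) is listed but not marked suspicious; many legitimate forms do that, so the verdict deliberately requires either an exploited API name or the combination of a JavaScript carrier and obfuscation helpers. Streams with an indirect /Length are recovered from the endstream keyword, which is the best a regex-based scan can do.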

For more information about the vulnerability, please refer to Adobe's disclosure:
http://www.adobe.com/support/security/bulletins/apsb09-04.html
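The indicators this profile lists (the PDF's MD5 and SHA-1 from the February 2010 update, the dropped-file paths from the February 2010 and January 4, 2010 updates, and the motionvm.com contact URL) can be checked on a host and in proxy logs. The script below is an added example and not a McAfee tool: it expands the %WinDir%/%TEMP%/%WINDOWS% placeholders the way the profile uses them, compares file digests against the profile's hashes, and matches proxy-log hosts against the contact domain. The second contact domain is redacted on the page ("updates.bcc[removed].net") and is deliberately not reconstructed. The environment, file snapshot and log lines are constructed for the example, and all function names are this example's own.

```python
import hashlib
import re

# Indicators from this profile (the redacted "updates.bcc[removed].net" is left out).
PDF_HASHES = {
    "md5": "14BED33B450C3804B8731741FFE12C18",
    "sha1": "543D3B119C39158C918C7988C43503B38F0F1D2C",
}
DROPPED_FILES = (
    r"%WinDir%\windex.exe",
    r"%WinDir%\winup.exe",
    r"%TEMP%\temp.exe",
    r"%WINDOWS%\system32\hepfixs.exe",
)
CONTACT_DOMAINS = ("www.motionvm.com",)

VAR_RE = re.compile(r"%([^%]+)%")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def expand_vars(path, env):
    """Expand %NAME% placeholders from `env`, matching names case-insensitively
    as the Windows shell does; unknown names are left untouched."""
    lookup = {k.lower(): v for k, v in env.items()}
    return VAR_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def normalise(path):
    """Windows paths compare case-insensitively and accept either separator."""
    return path.replace("/", "\\").lower()


def hash_bytes(data):
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def check_files(snapshot, env, hashes=PDF_HASHES):
    """snapshot maps full path -> file content. Returns (path, reason) pairs for
    files at a dropped-file location or whose digest matches the profile."""
    expected = {normalise(expand_vars(p, env)): p for p in DROPPED_FILES}
    findings = []
    for path, content in snapshot.items():
        key = normalise(path)
        if key in expected:
            findings.append((path, "dropped file " + expected[key]))
        digests = hash_bytes(content)
        for algo, value in hashes.items():
            if digests[algo] == value.lower():
                findings.append((path, algo + " matches profile"))
    return findings


def check_proxy_log(lines, domains=CONTACT_DOMAINS):
    """Return (line_number, host) for each request to a listed domain or a subdomain of it."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = URL_HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((number, host))
    return hits


def load_snapshot(paths):
    """Read real files into a snapshot for check_files; paths that do not exist are skipped."""
    snapshot = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                snapshot[p] = fh.read()
        except OSError:
            pass
    return snapshot


# Constructed sample data: an environment, a few files and three proxy-log lines.
SAMPLE_ENV = {"WinDir": r"C:\Windows", "WINDOWS": r"C:\Windows",
              "TEMP": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE_SNAPSHOT = {
    r"C:\Windows\windex.exe": b"MZ constructed",
    r"C:\Windows\System32\hepfixs.exe": b"MZ constructed",
    r"C:\Users\alice\Documents\report.pdf": b"%PDF-1.4 constructed benign",
}
SAMPLE_LOG = [
    "2010-01-05 10:22:13 10.0.0.5 GET http://www.motionvm.com/[blocked] 200",
    "2010-01-05 10:22:14 10.0.0.5 GET http://www.adobe.com/support/security/bulletins/apsb09-04.html 200",
    "2010-01-05 10:22:15 10.0.0.7 GET http://intranet.example/ 200",
]

if __name__ == "__main__":
    for path, reason in check_files(SAMPLE_SNAPSHOT, SAMPLE_ENV):
        print("FILE", path, "-", reason)
    for number, host in check_proxy_log(SAMPLE_LOG):
        print("NET  line", number, "-", host)
```

On a real host, build the snapshot with load_snapshot() over the expanded DROPPED_FILES paths plus any PDF attachments under review, and pass the environment from os.environ. Path hits identify the dropped files of either variant; hash hits identify the specific PDF sample from the February 2010 update only, since the other variants have no hashes in this profile.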

   

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

In some cases, however, the following steps also need to be taken.

Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.
   
