For Home

Virus Profile: Exploit-pdf!Blacole

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 3/29/2012
Date Added: 3/29/2012
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 6663
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases -

  • AVG         - Script/PDF.Exploit
  • Avast        - JS:Pdfka-gen [Expl]
  • Ikarus        -   JS.Pdfka
  • Microsoft     - Exploit:Win32/Pdfjsc.ABA

Indication of Infection

Presence of unexpected connection to the above mentioned sites.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.
   

Virus Characteristics

--------Updated on 12-Oct-2012------

Exploit-PDF!Blacole” is the detection for specially designed PDF files that attempt to exploit software vulnerabilities in Adobe Acrobat and Adobe Reader.

Trojan checks the installed component versions such as Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 and allows the attacker to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.

Upon execution the Trojan tries to connect the below URL though remote port 53 in order to download the other payloads and it listens to an random port

Qyi[Removed]h.ftp1.biz

-------- Updated on 19-Apr-2012 -----

Aliases -

    • Kaspersky - Exploit.JS.Pdfka.frz
    • Microsoft - Exploit:Win32/Pdfjsc.RM
    • NOD32 - JS/Exploit.Pdfka.PJU
    • Sophos - Troj/PDFJS-WD

Exploit-PDF!Blacole is a detection for a PDF file that contains an obfuscated malicious JavaScript that attempts to contact remote hosts in order to download arbitrary files.

These PDF files contain an embedded JavaScript, which execute the JavaScript in order to download other malicious files from the following sites to the infected computer

    • hxxp://esales-[removed].com/demo/affili/login
    • hxxp://state[removed].com.au/_derived

The downloaded file may be saved in the Temp folder with any of the following names:
    • style.exe
    • questions.exe

Once the JavaScript is de-obfuscated during run-time, it exploits the vulnerability in Adobe Reader and Acrobat.

More information about this vulnerability as described in CVE-2010-0188.

---------

Exploit-PDF!Blacole is the detection for specially-crafted PDF files that exploit the vulnerability in Adobe Acrobat.

It checks for the version of adobe installed in the system and exploit accordingly. It will work with any version above 8.0 of adobe reader

On successful exploitation of a vulnerable application, malicious code gets executed and it will download the malicious samples from the following links and executes them.

  • N[Removed]s.de/news/inc/news.exe
  • kl[Removed]h.de/chojinskitestet/media/system/swf.exe
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).