W32/Yourde

This page shows details and results of our analysis on the malware W32/Yourde

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

Varies

Description Added

2003-04-27

Description Modified

2003-04-30

Malware Proliferation

Characteristics

This virus infects PDF documents when using the full version of Adobe Acrobat (version 5.x) for Windows. It does not affect the Acrobat Reader. The virus simply spreads from one document to another and does not cause any system damage. It exploits a vulnerability in Acrobat. For more information on this vulnerability and a patch, see: Adobe Acrobat 5.0.5 Security, Accessibility, and Forms patch - English

The virus works by exporting virus code to your hard disk and configuring Acrobat to import this virus code into each .PDF document that is opened in Acrobat. When a document is saved on the infected system, it becomes a carrier for this virus. The methods used by the virus do not work on the Macintosh systems, however they can be a carrier of the virus when receiving an infected document.

When an infected .PDF file is opened with the full version of Acrobat, javascript within the document is executed. This javascript exports two embedded data objects to the file system:

  • C:\EVIL.FDF
  • %Adobe Plugins Folder%\death.api
Acrobat loads all plugins at runtime. Thus the presence of this .API file in the plugins folder results in Acrobat running this virus code each time the program starts up. This death.api plugin contains javascript to import the EVIL.FDF and death.api files into each document that is opened in Acrobat. The EVIL.FDF file contains the javascript to export the two data objects when an infected document is opened.

The virus contains the string Your_Death

Symptoms

Presence of the following files:
  • C:\EVIL.FDF
  • %Adobe Plugins Folder%\death.api

Method of Infection

Infection summary (similar to a macro virus):

  1. Infected file is opened
  2. Virus is exported to hard disk
  3. Virus is run
  4. Virus is imported in to "clean" document
  5. Document is saved and now a carrier

Removal

The detection and removal of this malware requires an extra.dat, which is available upon request.

Variants