Exploit-PDF.a

This page shows details and results of our analysis on the malware Exploit-PDF.a

Overview

Exploit-PDF.a is a detection for a specially crafted PDF file that exploits the Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability to execute malicious code on a computer.

More information regarding this vulnerability can be found at the Adobe site:



Minimum DAT: 4729 (2006-03-29)

Updated DAT: 5928 (2010-03-22)

Minimum Engine: 5.1.00

File Length: Varies

Description Added: 2006-03-29

Description Modified: 2008-02-10


Characteristics

A user receives an email with a malicious PDF file attached; the message body asks the recipient to open the attachment. A copy of the spammed message is as follows:

Note: The From address is usually spoofed in such infectious email messages.

Symptoms

The following malicious attachment names have been observed in the wild:

  • BILL.PDF
  • INVOICE.PDF
  • STATEMET.PDF
  • YOUR_BILL.PDF

Method of Infection

On opening the PDF attachment, code is silently run to perform the following actions.

  • Windows built-in firewall is disabled via the netsh command.
  • Downloads and executes a password stealer from http://81.95.146.[Removed]/ldr.exe
  • This password stealer trojan is detected as Spy-Agent.bg
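As an added example (not part of the original AVERT description), the following Python scans constructed endpoint event lines for the behaviours listed above: the netsh firewall change, Acrobat Reader spawning a command shell, and the retrieval or execution of ldr.exe from the redacted address. The log format, host names and the exact netsh command forms are assumptions; the page only states that netsh is used.

```python
import re

# Constructed sample events (not real telemetry). The 81.95.146.[Removed] address is
# the page's own redacted value and is kept here only as a placeholder.
SAMPLE_LOG = """\
2008-02-10 09:12:01 type=process host=WS01 parent=AcroRd32.exe image=cmd.exe cmdline="cmd /c netsh firewall set opmode disable"
2008-02-10 09:12:02 type=http host=WS01 process=AcroRd32.exe url=http://81.95.146.[Removed]/ldr.exe
2008-02-10 09:12:03 type=process host=WS01 parent=cmd.exe image=ldr.exe cmdline="C:\\Temp\\ldr.exe"
2008-02-10 09:15:40 type=process host=WS02 parent=explorer.exe image=netsh.exe cmdline="netsh interface ip show config"
2008-02-10 09:20:11 type=process host=WS03 parent=AcroRd32.exe image=AdobeUpdater.exe cmdline="AdobeUpdater.exe"
"""

# key=value pairs, quoted or bare
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed netsh forms that turn the Windows firewall off (XP-era and advfirewall syntax)
NETSH_FIREWALL_OFF = re.compile(
    r"netsh\s+(?:firewall\s+set\s+opmode\s+(?:mode=)?disable"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)", re.I)
# Download of ldr.exe from the redacted 81.95.146.x host named on the page
LDR_DOWNLOAD = re.compile(r"^https?://81\.95\.146\.[^/]+/ldr\.exe$", re.I)
READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe"}


def parse_event(line):
    """Turn one log line into a dict of its key=value fields."""
    return {k: q if q else b for k, q, b in KV.findall(line)}


def check_event(ev):
    """Return the names of every behaviour rule this event matches."""
    hits = []
    if NETSH_FIREWALL_OFF.search(ev.get("cmdline", "")):
        hits.append("netsh_firewall_disabled")
    if ev.get("parent", "").lower() in READER_IMAGES and ev.get("image", "").lower() in SHELLS:
        hits.append("reader_spawned_shell")
    if LDR_DOWNLOAD.match(ev.get("url", "")):
        hits.append("ldr_exe_download")
    if ev.get("image", "").lower() == "ldr.exe":
        hits.append("ldr_exe_executed")
    return hits


def scan(log_text):
    """Return (line_number, host, rule) for every rule hit in the log text."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            ev = parse_event(line)
            alerts.extend((n, ev.get("host"), rule) for rule in check_event(ev))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```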

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.


Variants

Exploit-PDF