Exploit-PDF.a
- Type: Trojan
- SubType: Exploit
- Discovery Date: 03/29/2006
- Length: Varies
- Minimum DAT: 4729 (03/29/2006)
- Updated DAT: 5228 (02/12/2008)
- Minimum Engine: 5.1.00
- Description Added: 03/29/2006
- Description Modified: 02/10/2008 7:51 PM (PT)
Characteristics
Exploit-PDF.a is a detection for a specially crafted PDF file that exploits the Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability to execute malicious code on a computer.
More information regarding this vulnerability can be found at the Adobe site:
A user receives an email with a malicious PDF file attached and is requested to open the attachment contained in the message body. A copy of the spammed message is as follows:

Note: The From address is usually spoofed when such infectious email messages are sent.
Symptoms
The following malicious attachment names have been observed in the wild:
- BILL.PDF
- INVOICE.PDF
- STATEMET.PDF
- YOUR_BILL.PDF
Method of Infection
When the PDF attachment is opened, code runs silently and performs the following actions:
- The Windows built-in firewall is disabled via the netsh command.
- Downloads and executes a password stealer from http://81.95.146.[Removed]/ldr.exe
- This password stealer trojan is detected as Spy-Agent.bg
Removal
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Variants
- Exploit-PDF
Aliases
- EXP/CVE-5020.A (Avira)
- EXPL_PIDIEF.B (Trend Micro)
- Exploit-PDF.a
- Exploit.Win32.AdobeReader.b (Kaspersky)
- PDF/Exploit.Shell.A (ESET)
- Trojan.Pidief.A (Symantec)