
Exploit-PDF.b.gen

Type: Trojan
SubType: Generic
Discovery Date: 10/17/2008
Length: 9.37 KB
Minimum DAT: 5408 (10/17/2008)
Updated DAT: 5854 (01/07/2010)
Minimum Engine: 5.2.00
Description Added: 10/17/2008
Description Modified: 05/21/2009 12:27 PM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled


Overview

-- Update May 21, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/05/19/gumblar_google_poisoning_update/

--

Exploit-PDF.b.gen is a generic detection for a specially crafted PDF file that exploits a PDF vulnerability.

Aliases

  • Exploit.Win32.Pidief.auz (Kaspersky)
  • Exploit:Win32/Pdfjsc.AM (Microsoft)

Characteristics

Exploit-PDF.b.gen is a generic detection for a specially crafted PDF file that exploits a PDF vulnerability.

One variant contains obfuscated JavaScript intended to exploit the util.printf() buffer overflow vulnerability.

It is downloaded from the following domain(s):

  • mart[blocked].cn

The downloaded file can have the following filename(s):

  • ts0w[1].pdf

Symptoms

The presence of a suspicious PDF file downloaded without the user's permission.

Method of Infection

One variant is downloaded by Obfuscated Script.f!58 upon visiting a hijacked Web page.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A