Exploit:Win32/Pdfjsc.ADQ

Exploit:Win32/Pdfjsc.ADQ is a malicious PDF file that exploits a vulnerability in Adobe Acrobat and Adobe Reader.

The vulnerabilities, discussed in CVE-2010-0188, allow this malware to download and run arbitrary files.

The following versions of Adobe Acrobat and Adobe Reader are vulnerable to this exploit:

• Adobe Acrobat and Adobe Reader earlier than 8.2.1
• Adobe Acrobat and Adobe Reader earlier than 9.3.1

Installation

Exploit:Win32/Pdfjsc.ADQ may be encountered when visiting a compromised webpage that hosts the file, and has been observed to be distributed via the "Blackhole exploit pack". The PDF file contains a malicious JavaScript that exploits a vulnerability, discussed in CVE-2010-0188.

Payload

Downloads arbitrary files

If Exploit:Win32/Pdfjsc.ADM successfully exploits a vulnerable computer, it executes shellcode to download and install other malware, including variants from the following families:

• Trojan:Win32/Reveton
• Win32/FakeSysdef
• Win32/Winwebsec
• Win32/Zbot

In the wild, we have observed the malware being downloaded to the %TEMP% folder with the following file names:

• mrz.exe
• pear.exe
• wpbt0.dll

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7, and W8, the default location is "C:\Users\<user name>\AppData\Local\Temp".

Exploit:Win32/Pdfjsc.ADM is known to try to download files from the following servers:

• burn.mobilehomeuniverse.com
• halwaenudimtar.serveftp.com
• jalieesfiqaur.myvnc.com
• ketteler-forum.de
• www.synitech.de

Related encyclopedia entries

Trojan:Win32/Reveton

Win32/FakeSysdef

Win32/Winwebsec

Win32/Zbot

Analysis by Marianne Mallen