
Exploit:SWF/CVE-2011-0611.A


Exploit:SWF/CVE-2011-0611.A is a detection for specially crafted malicious code within a Shockwave Flash (SWF) file. The malicious code attempts to exploit a vulnerability in Adobe Flash Player that could lead to the execution of arbitrary code. The vulnerability is described in CVE-2011-0611 and Adobe Security Advisory APSA11-02.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
 
Review information about the vulnerability described in CVE-2011-0611 and Adobe Security Advisory APSA11-02.

Threat behavior

Exploit:SWF/CVE-2011-0611.A is a detection for specially crafted malicious code within a Shockwave Flash (SWF) file. The malicious code attempts to exploit a vulnerability in Adobe Flash Player that could lead to the execution of arbitrary code. The vulnerability is described in CVE-2011-0611 and Adobe Security Advisory APSA11-02.

Installation

In the wild, this exploit was observed to be distributed in a spammed email message as an attached file named "Disentangling Industrial Policy and Competition Policy in China.doc". The attached file is a Microsoft Word document containing an embedded copy of the exploit.

Upon opening the Word document on a vulnerable system, the SWF file will be run. The embedded SWF drops a trojan, detected as Backdoor:Win32/Poison.M, as the following file:

%temp%\scvhost.exe

The dropped malware is executed.
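A defender-side check that follows from the delivery method described above: a small scanner that looks for SWF headers embedded inside a container such as a Word document and sanity-checks the header fields before reporting a hit. This is an added example, not code from the encyclopedia entry; the sample container bytes are constructed here.

```python
import struct
import sys

# SWF header signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def find_embedded_swf(data: bytes):
    """Return sorted (offset, signature, version, declared_length) tuples for
    every plausible SWF header found inside `data`, e.g. a .doc container."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while (off := data.find(sig, start)) != -1:
            start = off + 1
            if off + 9 > len(data):
                break  # not enough bytes left for a header plus first body byte
            version = data[off + 3]
            declared_len = struct.unpack_from("<I", data, off + 4)[0]
            # Reject incidental "FWS"/"CWS" text: version byte out of range or a
            # declared length smaller than the 8-byte header itself.
            if not 1 <= version <= 50 or declared_len < 8:
                continue
            # Uncompressed SWF: the declared length covers the whole file, so it
            # cannot exceed the bytes remaining in the container.
            if sig == b"FWS" and declared_len > len(data) - off:
                continue
            # zlib-compressed SWF: body must begin with a zlib header (CM == 8).
            # For CWS/ZWS the declared length is the uncompressed size, so it
            # may legitimately exceed the container.
            if sig == b"CWS" and data[off + 8] & 0x0F != 8:
                continue
            hits.append((off, sig.decode(), version, declared_len))
    return sorted(hits)


# Constructed sample standing in for a .doc: an OLE magic prefix, filler, the
# text "FWS" occurring incidentally, then a minimal uncompressed SWF (30 bytes).
_SWF_BODY = bytes(22)
SAMPLE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(_SWF_BODY)) + _SWF_BODY
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0" + b"\x00" * 60
              + b"Text mentioning FWS Industries " + SAMPLE_SWF + b"\x00" * 16)

if __name__ == "__main__":
    paths = sys.argv[1:]
    blobs = [(p, open(p, "rb").read()) for p in paths] or [("<sample>", SAMPLE_DOC)]
    for name, blob in blobs:
        for off, sig, ver, length in find_embedded_swf(blob):
            print(f"{name}: {sig} v{ver} at offset {off}, declared length {length}")
```

Run with one or more document paths to scan them; with no arguments it scans the constructed sample. A hit in a file that should not contain Flash content is worth quarantining and inspecting further.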

Additional Information

For more information about Backdoor:Win32/Poison.M, see the description elsewhere in the encyclopedia.

Analysis by Jaime Wong


Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.101.1291.0
Latest detected by definition: 1.101.1424.0 and higher
First detected on: Apr 12, 2011
This entry was first published on: Apr 12, 2011
This entry was updated on: Apr 13, 2011

This threat is also detected as:
No known aliases