Exploit:Win32/Pdfjsc.ADF


Exploit:Win32/Pdfjsc.ADF is the detection for specially crafted PDF files that target a vulnerability in Adobe Acrobat and Adobe Reader. The vulnerability, tracked as CVE-2010-0188, allows arbitrary code to run when the PDF is opened; the exploit uses that to download and run arbitrary files.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Use up-to-date software

This malware exploits a known vulnerability in Adobe Acrobat and Adobe Reader. Adobe addressed CVE-2010-0188 in Adobe Reader and Acrobat 9.3.1 and 8.2.1 (security bulletin APSB10-07), so any installation older than those builds is exposed. After removing this threat from your computer, install the updates available from the vendor. You can read more about this vulnerability, as well as where to download the software update, at the following links:

Threat behavior

Exploit:Win32/Pdfjsc.ADF is the detection for specially crafted PDF files that target a vulnerability in Adobe Acrobat and Adobe Reader. The vulnerability, tracked as CVE-2010-0188, allows arbitrary code to run when the PDF is opened; the exploit uses that to download and run arbitrary files.

Installation

Exploit:Win32/Pdfjsc.ADF may be encountered when visiting a compromised webpage that hosts the file, and has been observed being distributed by the "Blackhole exploit pack". In that drive-by scenario the PDF is served to a browser with a vulnerable Adobe Reader plugin and is opened without any further action by the user. The PDF file contains malicious JavaScript that exploits the vulnerability tracked as CVE-2010-0188.

Payload

Downloads arbitrary files

If Exploit:Win32/Pdfjsc.ADF successfully exploits a vulnerable computer, it runs shellcode that downloads and installs other malware. It has been observed trying to download files from the following servers:

  • cooker.bsaidu.com
  • bootstrap-js.net
  • oildrillinginvestment.net
  • pirate.1000houses.biz

At the time of this writing, the URLs requested by the exploit were unavailable for analysis.
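As an added example (not part of this encyclopedia entry, and not Microsoft's detection logic), the following Python script shows the two checks a responder would run against the behaviour described under Installation and Payload: a static triage of a PDF for the indicators a Pdfjsc-style sample carries (JavaScript run from /OpenAction, an unescape("%u...") heap spray, and a base64-encoded TIFF inside an XFA form, which is how CVE-2010-0188 is triggered), and a proxy-log sweep for the download hosts listed above. The PDF documents and log lines are constructed inside the script; the only real data are the four host names taken from this entry. The indicator names, thresholds and verdict rule are this example's own choices, not a published signature.

```python
import base64
import re
import zlib
from urllib.parse import urlsplit

# PDF name objects that give a document active content. A file that runs
# JavaScript from /OpenAction is the usual shape of a Pdfjsc-style sample.
ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/XFA", b"/Launch")
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")   # little- and big-endian TIFF headers
# Download hosts listed in the entry above (real IOCs, not constructed).
PAYLOAD_HOSTS = ("cooker.bsaidu.com", "bootstrap-js.net",
                 "oildrillinginvestment.net", "pirate.1000houses.biz")


def inflated_streams(pdf):
    """Return the decompressed bodies of FlateDecode streams; other streams are skipped."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", pdf, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); its raw bytes are already in `pdf`
    return out


def embedded_tiffs(blob):
    """Count base64 runs that decode to a TIFF: CVE-2010-0188 is a TIFF-parsing bug
    reached through an XFA image field, so a TIFF hiding in form XML is a strong signal."""
    n = 0
    for m in re.finditer(rb"[A-Za-z0-9+/]{16,}={0,2}", blob):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if data.startswith(TIFF_MAGIC):
            n += 1
    return n


def triage_pdf(pdf):
    """Static triage of raw PDF bytes: indicator counts plus a coarse verdict."""
    views = [pdf] + inflated_streams(pdf)
    hits = {}
    for name in ACTIVE_NAMES:
        pat = re.escape(name) + rb"(?![A-Za-z])"  # /JS must not match /JSxyz
        c = sum(len(re.findall(pat, v)) for v in views)
        if c:
            hits[name.decode()] = c
    # %u-escaped shellcode passed to unescape() is the classic heap-spray idiom
    # of 2010-era PDF exploits.
    spray = sum(len(re.findall(rb"unescape\s*\(\s*[\"'](?:%u[0-9a-fA-F]{4})+", v))
                for v in views)
    if spray:
        hits["unescape(%u...)"] = spray
    tiffs = sum(embedded_tiffs(v) for v in views)
    if tiffs:
        hits["base64 TIFF"] = tiffs
    has_js = "/JavaScript" in hits or "/JS" in hits
    suspicious = has_js and ("base64 TIFF" in hits or "unescape(%u...)" in hits)
    return {"indicators": hits, "suspicious": suspicious}


def payload_host_hits(log_lines):
    """Return (ioc, line) pairs whose request URL host is, or is under, a listed host.
    Hosts are parsed rather than substring-matched, so that a host such as
    bootstrap-js.net.example.org does not count as a hit."""
    hits = []
    for line in log_lines:
        for tok in line.split():
            if not tok.startswith(("http://", "https://")):
                continue
            host = (urlsplit(tok).hostname or "").lower()
            for ioc in PAYLOAD_HOSTS:
                if host == ioc or host.endswith("." + ioc):
                    hits.append((ioc, line))
    return hits


def build_sample(malicious):
    """Constructed test document (not a real Pdfjsc.ADF sample): a one-page PDF,
    optionally with an /OpenAction JavaScript heap spray and an XFA stream
    carrying a base64 TIFF, mimicking the structure the triage looks for."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if malicious:
        catalog += b" /OpenAction 4 0 R /AcroForm << /XFA 5 0 R >>"
    objs = [catalog + b" >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"]
    if malicious:
        js = b'var s = unescape("%u9090%u9090%uCCCC"); while (s.length < 0x100000) s += s;'
        objs.append(b"<< /S /JavaScript /JS (" + js + b") >>")
        tiff = base64.b64encode(b"MM\x00*" + b"\x00" * 60)   # header only, no real image data
        xfa = zlib.compress(b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
                            b'<image contentType="image/tiff">' + tiff + b"</image></xdp:xdp>")
        objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(xfa), xfa))
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.6\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed proxy log lines in Squid native format; the request paths are invented.
SAMPLE_PROXY_LOG = [
    "1348700001.211 312 10.0.0.17 TCP_MISS/200 14230 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1348700002.540 128 10.0.0.17 TCP_MISS/200 77824 GET http://cooker.bsaidu.com/ - DIRECT/198.51.100.7 application/octet-stream",
    "1348700003.002 90 10.0.0.23 TCP_MISS/200 2048 GET http://bootstrap-js.net.example.org/lib.js - DIRECT/203.0.113.5 text/javascript",
    "1348700004.318 143 10.0.0.23 TCP_MISS/200 65536 GET http://cdn.pirate.1000houses.biz/ - DIRECT/198.51.100.9 application/octet-stream",
]

if __name__ == "__main__":
    for label, doc in (("benign", build_sample(False)), ("malicious", build_sample(True))):
        print(label, triage_pdf(doc))
    for ioc, line in payload_host_hits(SAMPLE_PROXY_LOG):
        print("IOC hit:", ioc, "<-", line.split()[6])
```

The triage deliberately inflates FlateDecode streams before matching, because exploit kits put the JavaScript and the XFA form inside compressed streams so that a plain string search over the file finds nothing. The verdict requires both active content and an exploit-shaped artifact (heap spray or embedded TIFF); JavaScript alone is common in benign forms. The log sweep compares parsed host names rather than substrings so that a domain that merely contains one of the listed names is not reported.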

Analysis by Sergey Chernyshev


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.137.568.0
Latest detected by definition: 1.143.479.0 and higher
First detected on: Sep 27, 2012
This entry was first published on: Sep 27, 2012
This entry was updated on: Oct 11, 2012

This threat is also detected as:
  • JS/Pdfka.HD (Command)
  • Exploit.JS.Pdfka.ger (Kaspersky)
  • Pdfka.BJ (Norman)
  • EXP/Pdfka.EO.1 (Avira)
  • Exploit.PDF-JS.GV (BitDefender)
  • Exploit.PDF.2990 (Dr.Web)
  • JS/Exploit.Pdfka.PSC trojan (ESET)
  • Troj/PDFJs-AAS (Sophos)
  • TROJ_PIDIEF.NTB (Trend Micro)