Analysis by: Christopher Daniel So

 PLATFORM:

Windows 98, ME, NT, 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Once a malware successfully exploits the said vulnerability, it causes certain actions to be done on the system.

  TECHNICAL DETAILS

File Size: Varies
File Type: PDF
Memory Resident: No
Initial Samples Received Date: 11 Nov 2009
Payload: Downloads files

Download Routine

This Trojan takes advantage of the following software vulnerabilities to download possibly malicious files:

  • Adobe Multiple Products PDF JavaScript Method Buffer Overflow
  • Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability
  • Adobe Reader And Acrobat util.printf Stack Buffer Overflow

After successfully exploiting the said vulnerability, this malware connects to the following URLs to possibly download other malicious files:

  • http://{BLOCKED}3.com/ajopqw2.exe
  • http://{BLOCKED}3.com/click.php?rs

Other Details

Once a malware successfully exploits the said vulnerability, it causes the following actions to be done on the system:

  • Executes the downloaded files