
Monday, March 12, 2012

Exploit.JS.Pdfka.bys


Technical Details

This exploit program downloads other malicious programs via the Internet and launches them for execution on the victim machine without the user's knowledge or consent. It is a PDF file containing JavaScript. It is 61 377 bytes in size.

Payload

The malicious PDF document contains compressed data streams, which unpack when the document is opened and consist of obfuscated JavaScript. To execute its malicious code, the malware exploits vulnerabilities that occur when calling the functions Collab.collectEmailInfo() (CVE-2007-5659), Collab.GetIcon() (CVE-2009-0927), and util.printf() (CVE-2008-2992) in Adobe Reader and Adobe Acrobat versions 9.1, 8.1.3, and earlier. After exploiting one of these vulnerabilities, the malware downloads a file from the following link:
http://208.***.96/242a38/?c=1&sid=372149b73741e8b0f06951d1a6302083&s=3
At the time of writing, this link was inactive.
The downloaded file is saved in the current user's temporary folder under the following name:
%Temp%\<rnd1>.tmp.exe
where <rnd1> is a random sequence of numbers and letters.
The downloaded file is then launched for execution and the exploit program ceases running.
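The description above gives a defender two things to look for: JavaScript hidden inside FlateDecode streams, and references to the three Adobe Reader API functions the sample abuses. The following Python scanner is an added example (not part of the original write-up or of any vendor tool): it inflates each stream of a PDF, searches the decoded bytes for those function names, and reports whether they were found inside a compressed stream. The `build_sample_pdf` helper constructs a minimal test fixture; it is not the real Exploit.JS.Pdfka.bys file, and the JavaScript it embeds only names the functions.

```python
import re
import zlib

# Indicators taken from the write-up: the three Adobe Reader API calls the
# sample abuses, and the PDF name objects that mark embedded JavaScript.
SUSPICIOUS_CALLS = (
    b"Collab.collectEmailInfo",  # CVE-2007-5659
    b"Collab.getIcon",           # CVE-2009-0927
    b"util.printf",              # CVE-2008-2992
)
JS_MARKERS = (b"/JavaScript", b"/JS")

# Matches "stream ... endstream"; the lookbehind keeps "endstream" from
# being mistaken for the start of a new stream.
STREAM_RE = re.compile(rb"(?<![a-z])stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_streams(pdf: bytes):
    """Yield (object_header, decoded_body) for each stream in the file.
    The header is the text from the enclosing 'N G obj' up to the stream
    keyword, which holds the stream dictionary. FlateDecode streams are
    inflated; anything else is returned raw."""
    for m in STREAM_RE.finditer(pdf):
        head = pdf[:m.start()]
        header = head[head.rfind(b"obj"):]
        body = m.group(1)
        if b"/FlateDecode" in header:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                # Truncated or corrupt stream: keep the raw bytes so the
                # indicator search still runs over what is there.
                pass
        yield header, body


def scan_pdf(pdf: bytes) -> dict:
    """Return the JavaScript markers and suspicious API calls found in a PDF,
    looking inside decoded streams as well as the plain object dictionaries."""
    hits = {"js_markers": set(), "api_calls": set(), "compressed_js": False}
    for marker in JS_MARKERS:
        if marker in pdf:
            hits["js_markers"].add(marker.decode())
    for header, body in extract_streams(pdf):
        for call in SUSPICIOUS_CALLS:
            if call in body:
                hits["api_calls"].add(call.decode())
                if b"/FlateDecode" in header:
                    hits["compressed_js"] = True
    hits["verdict"] = "suspicious" if hits["api_calls"] else "clean"
    return hits


def build_sample_pdf(script: bytes, compress: bool = True) -> bytes:
    """Construct a minimal PDF (a test fixture, not a real sample) that carries
    `script` in one stream, optionally FlateDecode-compressed like the
    document described above."""
    body = zlib.compress(script) if compress else script
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Action /S /JavaScript /JS 2 0 R >> endobj\n"
        b"2 0 obj << /Length " + str(len(body)).encode() + b" " + filt + b">>\n"
        b"stream\n" + body + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    # Constructed fixture: the script only references the function names.
    fixture = build_sample_pdf(b"// constructed fixture\nCollab.collectEmailInfo;\nutil.printf;\n")
    print(scan_pdf(fixture))
```

The scan keys on function names after decompression, so it catches the layering described in the write-up (compressed stream around JavaScript) but not heavy string-level obfuscation of the names themselves; treat a hit as a triage signal for sandbox or analyst review rather than a final verdict.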

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:
  1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
  2. Delete the following file:
    %Temp%\<rnd1>.tmp.exe
  3. Empty the Temporary Internet Files directory, which may contain infected files (see How to delete infected files from Temporary Internet Files folder?):
    %Temporary Internet Files%
