
Monday 16 April 2012

Exploit.JS.Pdfka.ddt


Technical Details

This Trojan downloads another program to the computer and launches it without the user's knowledge. It is an XFA form containing JavaScript and is 9166 bytes in size.

Payload

This XFA form is inserted into malicious PDF documents to exploit CVE-2010-0188, which allows an attacker to execute arbitrary code on the user's computer. The vulnerability affects Adobe Reader and Acrobat 8 (versions earlier than 8.2.1) and 9 (versions earlier than 9.3.1). In this case the XFA form triggers a buffer overflow and downloads the file located at the following link:
http://videoyahoo.info/tre/boba.html/yH91e5b471V03f01336002R93bf7c87102Tdcd9ec9eQ0000004c901801F0066010aJ17000601l0015329
and saves it in the current user's temporary directory under the name:
%Temp%\VxHc.exe
The saved file is then executed. At the time of writing, the link was inactive.
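The write-up names the three things a triage script can key on: an XFA form, JavaScript inside it, and CVE-2010-0188, whose public exploits deliver a malformed TIFF through an XFA image field. The scanner below is an added example, not Kaspersky's tooling or anything from the sample itself: it walks the stream objects of a PDF, inflates FlateDecode streams, and reports whether the XFA + JavaScript + base64 TIFF combination is present, together with the two indicators from this page (the download host and the dropped file name). The sample PDFs it builds are constructed test input with a bare TIFF header standing in for the malicious image; they contain no exploit logic.

```python
"""Triage scanner for PDFs that carry an XFA form with JavaScript and an
embedded TIFF image, the combination Exploit.JS.Pdfka.ddt uses against
CVE-2010-0188. Added example, not Kaspersky's tooling; standard library only.
The sample PDFs built below are constructed test input, not the exploit."""
import base64
import binascii
import re
import zlib

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")          # little- and big-endian TIFF headers
# Stream dictionary (one nesting level allowed) followed by the 'stream' keyword.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?!\s+\d+\s+R)")   # direct /Length only
XFA_SCRIPT_RE = re.compile(
    rb"<script\b[^>]*contentType=\"application/x-javascript\"[^>]*>(.*?)</script>",
    re.DOTALL | re.IGNORECASE)
XFA_IMAGE_RE = re.compile(rb"<image\b[^>]*>(.*?)</image>", re.DOTALL | re.IGNORECASE)
# Indicators taken from the write-up: download host and dropped file name.
IOC_STRINGS = (b"videoyahoo.info", b"VxHc.exe")


def iter_streams(pdf: bytes):
    """Yield (dictionary, decoded body) for every stream object in the file."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, start = m.group(1), m.end()
        lm = LENGTH_RE.search(dictionary)
        if lm:                                   # trust a direct /Length value
            body = pdf[start:start + int(lm.group(1))]
        else:                                    # otherwise stop at the keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            body = pdf[start:end].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass                             # corrupt or lying filter: scan raw bytes
        yield dictionary, body


def looks_like_base64_tiff(payload: bytes) -> bool:
    """True when the base64 text inside an XFA <image> decodes to a TIFF header."""
    try:
        raw = base64.b64decode(b"".join(payload.split()), validate=True)
    except binascii.Error:
        return False
    return raw[:4] in TIFF_MAGICS


def scan_pdf(pdf: bytes) -> dict:
    """Report the XFA + JavaScript + TIFF-in-image-field pattern and known IOCs."""
    report = {"xfa": b"/XFA" in pdf, "javascript": False,
              "tiff_in_xfa": False, "tiff_count": 0, "ioc_hits": []}
    for _dictionary, body in iter_streams(pdf):
        if XFA_SCRIPT_RE.search(body):
            report["javascript"] = True
        for image in XFA_IMAGE_RE.findall(body):
            if looks_like_base64_tiff(image):
                report["tiff_in_xfa"] = True
                report["tiff_count"] += 1
        for ioc in IOC_STRINGS:
            if ioc in body and ioc.decode() not in report["ioc_hits"]:
                report["ioc_hits"].append(ioc.decode())
    # Benign XFA forms may script, and may embed images; all three together is the signal.
    report["suspicious"] = report["xfa"] and report["javascript"] and report["tiff_in_xfa"]
    return report


def build_sample_pdf(script: bytes, image: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF: catalog -> AcroForm -> XFA stream (test input only)."""
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><subform>'
           b'<field name="ImageField1"><ui><imageEdit/></ui><value>'
           b'<image contentType="image/tif">' + base64.b64encode(image) + b'</image>'
           b'</value></field><script contentType="application/x-javascript">'
           + script + b'</script></subform></template></xdp:xdp>')
    body = zlib.compress(xfa) if compress else xfa
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.6\n1 0 obj<</Type/Catalog/AcroForm 2 0 R>>endobj\n"
            b"2 0 obj<</XFA 3 0 R>>endobj\n"
            b"3 0 obj<<" + filt + b"/Length " + str(len(body)).encode() + b">>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed stand-ins: a bare TIFF header (not the malicious image) and a PNG header.
SAMPLE_TIFF = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
# Constructed script carrying the write-up's indicators; it contains no exploit logic.
SAMPLE_JS = b"var host = 'videoyahoo.info'; var dropped = 'VxHc.exe';"

if __name__ == "__main__":
    for label, pdf in (("pdfka-like", build_sample_pdf(SAMPLE_JS, SAMPLE_TIFF)),
                       ("benign xfa", build_sample_pdf(b"xfa.host.beep(0);", SAMPLE_PNG))):
        print(label, scan_pdf(pdf))
```

The scanner deliberately does not rely on the IOC strings for its verdict: a repacked sample with a different download URL and drop name still sets "suspicious", while a legitimate scripted XFA form with a PNG logo does not. Streams whose /Length is indirect fall back to searching for the endstream keyword, and a FlateDecode stream that fails to inflate is scanned raw rather than skipped, since malformed streams are themselves common in malicious PDFs.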

Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to remove it:
  1. Delete the original exploit file (its location depends on how the program reached the infected computer).
  2. Delete the following file:
    %Temp%\VxHc.exe
  3. Empty the Temporary Internet Files directory:
    %Temporary Internet Files%
  4. Update Adobe Reader and Acrobat to the latest version, or install the updates described in Adobe's security bulletin:

    http://www.adobe.com/support/security/bulletins/apsb10-07.html
  5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (a trial version is available for download).
