Malware Exploit.JS.Pdfka.dmg

Posted: August 30, 2012 in Encyclopedia viruses

Malware Exploit.JS.Pdfka.dmg – This program is an exploit that achieves execution on the user's machine through a vulnerability in Adobe Reader and Acrobat.

Technical details

This program is an exploit that achieves execution on the user's machine through a vulnerability in Adobe Reader and Acrobat. The file is an XFA (XML Forms Architecture) form that contains malicious JavaScript. It has a size of 14,529 bytes.

Destructive activity

The malicious content of the XFA form is initialized and run when a specially crafted, infected PDF document containing the form is opened. The "initialize" event handler of the XFA form is an obfuscated malicious JavaScript. Once de-obfuscated, the script exploits a buffer overflow vulnerability in "libtiff.dll" triggered by invalid arguments (CVE-2010-0188) in order to download a file located at:

http://a***gynae.com/exe.php?exp=lib&key=fcfe7c&u=mouth

The malicious file is then stored in the browser's temporary files directory:

%Temporary Internet Files%\<temporary_file_name>

Once the file has been saved successfully, the downloaded file is executed. At the time of writing, this link was not working. Adobe Reader and Acrobat 8 (up to version 8.2.1) and 9 (up to version 9.3.1) are vulnerable.
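The behaviour described above gives a defender two things to look for in a PDF: an XFA form whose "initialize" event carries a script, and obfuscation primitives (unescape, eval, String.fromCharCode) inside that script. The following is an added example written for this entry, not code from the original page or from any vendor. It builds two constructed stand-in PDFs (they are hand-made and are not the real Exploit.JS.Pdfka.dmg sample), inflates their FlateDecode streams, and flags XFA event scripts on those two criteria. It assumes the XFA XML is stored in a single uncompressed or Flate-compressed stream; real samples can use other filters, object streams or split streams, so this is a triage heuristic rather than a complete parser.

```python
import re
import zlib

# Constructed sample: an XFA template whose "initialize" event runs an
# obfuscated-looking script. Placeholder values only; not the real exploit.
SUSPICIOUS_XFA = b"""<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/">
<subform name="form1"><field name="f1">
<event activity="initialize">
<script contentType="application/x-javascript">
var s = unescape("%u4141%u4141"); /* placeholder, constructed */
eval(s);
</script>
</event>
</field></subform></template></xdp:xdp>"""

# Constructed sample: a benign form that scripts an "exit" event to do arithmetic.
BENIGN_XFA = b"""<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<template xmlns="http://www.xfa.org/schema/xfa-template/2.8/">
<subform name="form1"><field name="total">
<event activity="exit">
<script contentType="application/x-javascript">
this.rawValue = Number(xfa.resolveNode("price").rawValue) * 1.2;
</script>
</event>
</field></subform></template></xdp:xdp>"""

# Tokens commonly used to hide a payload inside PDF JavaScript.
SUSPICIOUS_TOKENS = (b"unescape(", b"eval(", b"String.fromCharCode(")

# Minimal PDF object syntax: a dictionary immediately followed by a stream body.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
EVENT_RE = re.compile(rb'<event[^>]*activity="([^"]+)"[^>]*>(.*?)</event>', re.S)
SCRIPT_RE = re.compile(rb"<script[^>]*>(.*?)</script>", re.S)


def build_pdf(xfa_xml: bytes) -> bytes:
    """Wrap XFA XML in a minimal PDF whose /XFA entry is a FlateDecode stream (constructed)."""
    body = zlib.compress(xfa_xml)
    return (b"%PDF-1.6\n"
            b"1 0 obj\n<< /Type /Catalog /AcroForm 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /XFA 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def extract_streams(pdf: bytes):
    """Yield the decoded content of every stream; Flate streams are inflated."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, data = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # truncated or mangled stream; nothing to inspect
        yield data


def scan_pdf(pdf: bytes) -> list:
    """Report XFA event scripts that run on 'initialize' or contain obfuscation tokens."""
    findings = []
    for data in extract_streams(pdf):
        if b"xfa.org/schema" not in data and b"<xdp:xdp" not in data:
            continue  # not an XFA stream
        for ev in EVENT_RE.finditer(data):
            activity, body = ev.group(1), ev.group(2)
            for sc in SCRIPT_RE.finditer(body):
                script = sc.group(1)
                tokens = [t.decode() for t in SUSPICIOUS_TOKENS if t in script]
                if activity == b"initialize" or tokens:
                    findings.append({"activity": activity.decode(),
                                     "tokens": tokens,
                                     "script_length": len(script)})
    return findings


if __name__ == "__main__":
    for label, xfa in (("suspicious", SUSPICIOUS_XFA), ("benign", BENIGN_XFA)):
        print(label, scan_pdf(build_pdf(xfa)))
```

The "initialize" criterion on its own is noisy, since legitimate forms also use that event; in practice the combination of an initialize-time script with unescape/eval and an unusually long script body is what should raise the priority of a sample for manual review.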

Removal

1. If your computer was not protected by an antivirus product and has been infected with this malware, do the following to remove it:

Delete the original exploit file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

2. Clear the Temporary Internet Files directory, which contains the infected files:

%Temporary Internet Files%

3. Update Adobe Reader and Acrobat, or install the security update described at:

http://www.adobe.com/support/security/bulletins/apsb10-07.html
