Threat Description

Exploit:W32/AdobeReader.UZ

Details

Aliases: Exploit.PDF-JS.Gen, Exploit.JS.Pdfka.atq
Category: Malware
Type: Exploit
Platform: W32

Summary



A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The detection Exploit:W32/AdobeReader.UZ identifies a malicious PDF document that attempts to exploit a known vulnerability in order to drop and run a malicious executable file on the system.

The exploit code will not drop the executable if any of the following folders exist on the system:

  • C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009
  • C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009
  • C:\Program Files\Kingsoft

The vulnerability targeted lies in the Doc.media.newPlayer JavaScript method (CVE-2009-4324).
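
A defender-side triage sketch for the JavaScript reference named above, added here as an example and not F-Secure's detection logic: it inflates FlateDecode streams and undoes #xx name escapes before looking for `media.newPlayer`. The function names and both sample files are constructed for illustration.

```python
import re
import zlib

# Body of each "stream ... endstream" object in the raw file.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
# PDF names may hex-escape any character as #xx, e.g. /J#61vaScript.
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
NEEDLE = b"media.newplayer"  # compared case-insensitively


def _unescape_names(data: bytes) -> bytes:
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate(body: bytes) -> bytes:
    """Inflate a FlateDecode stream body; return b"" if it is not zlib data."""
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return b""


def triage_pdf(data: bytes) -> dict:
    """Report whether a PDF carries JavaScript that references media.newPlayer."""
    names = _unescape_names(data)
    views = [data] + [_inflate(m.group(1)) for m in STREAM_RE.finditer(data)]
    has_js = b"/JavaScript" in names or b"/JS" in names
    calls = any(NEEDLE in view.lower() for view in views)
    return {"has_javascript": has_js, "calls_newplayer": calls,
            "suspicious": has_js and calls}


def _sample(action: bytes, stream_text: bytes) -> bytes:
    """Build a minimal constructed PDF-like file with one compressed stream."""
    body = zlib.compress(stream_text)
    return (b"%PDF-1.4\n1 0 obj\n<< " + action + b" >>\nendobj\n2 0 obj\n"
            b"<< /Filter /FlateDecode /Length " + str(len(body)).encode() +
            b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


# Constructed, inert samples: the stream holds only a string naming the method.
MARKED = _sample(b"/S /J#61vaScript /J#53 2 0 R", b"var n = 'media.newPlayer';")
CLEAN = _sample(b"/Type /Catalog", b"hello")

if __name__ == "__main__":
    print(triage_pdf(MARKED))
    print(triage_pdf(CLEAN))
```

A hit is a reason to send the file to a sandbox or a full PDF parser, not a verdict; encrypted documents, object streams and filters other than FlateDecode are not covered.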

Execution

The executable file embedded in the PDF will be dropped to:

  • %temp%\AdobeUpdate.exe

The dropped file will then be executed and will attempt to download additional files onto the system.

We detect the dropped file as Trojan-Downloader:W32/Agent.MRL.





