Home > Threat descriptions >

Exploit:W32/AdobeReader.UZ

Classification

Category: Malware

Type: Exploit

Aliases: Exploit.PDF-JS.Gen, Exploit.JS.Pdfka.atq

Summary


A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


The detection Exploit:W32/AdobeReader.UZ identifies a malicious PDF document that attempts to exploit a known vulnerability in order to drop and run a malicious executable file on the system.

The exploit-code will not drop the executable if any of the following folders exist on the system:

  • C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009
  • C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009
  • C:\Program Files\Kingsoft

The vulnerability targeted lies in the Doc.media.newPlayer Javascript method (CVE-2009-4324).

Execution

The executable file embedded in the PDF will be dropped to:

  • %temp%\AdobeUpdate.exe

The dropped file will then be executed and will attempt to download additional files on to the system.

We detect the drooped file as Trojan-Downloader:W32/Agent.MRL.