Exploit.JS.Pdfka.dna
From Total Malware Info
Last edited: 7.5.2011
This exploit program uses vulnerabilities in Adobe Reader and Acrobat to execute itself on the user's computer. It is a PDF document containing an XML Forms Architecture (XFA) form and JavaScript. It is 26,393 bytes in size.
MD5: 66A58A3AAF2F7AAECA3D95AB86E0BA28
SHA1: 008112C3EE4F6FD21433027C7A3E4E9543B3BB46
Payload
The malicious payload is initialized and executed when an infected PDF document containing an XFA form is opened. An obfuscated malicious JavaScript serves as the handler of the “initialize” event in the XFA form. Once deobfuscated, the script exploits the CVE-2010-0188 vulnerability in Adobe Reader in order to download the following file:
http://fi****ld.info/1TF19pd
This file is stored in the following location:
%Temp%\<rnd>.exe
where <rnd> is a string of random Latin characters.
The malware then launches the downloaded file for execution. At the time of writing, this link was inactive. Adobe Reader and Acrobat 8 (up to version 8.2.1) and 9 (up to 9.3.1) are vulnerable to this exploit.
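A triage sketch for the structure described above: it inflates each stream in a PDF and lists any script attached to an XFA “initialize” event so an analyst can review it. This is an added example, not part of the original description or any vendor's detection logic; the function names and the sample input are constructed for illustration.

```python
import re
import zlib

# Body of every PDF stream object: "stream" EOL <data> "endstream".
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)
# An XFA <event activity="initialize"> that carries a <script> handler.
INIT_SCRIPT_RE = re.compile(
    rb"<event\b[^>]*\bactivity\s*=\s*[\"']initialize[\"'][^>]*>"
    rb"(?:(?!</event>).)*?<script\b[^>]*>(.*?)</script>",
    re.DOTALL | re.IGNORECASE)
# PDF names may hide letters as #xx hex escapes (/X#46A is /XFA).
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def inflate(data):
    """Inflate a FlateDecode stream body; return it unchanged if not zlib data."""
    try:
        # decompressobj does not raise on a truncated tail, unlike zlib.decompress.
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return data

def triage_pdf(pdf_bytes):
    """Report whether a PDF has an XFA form and list its initialize-event scripts."""
    names = NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), pdf_bytes)
    scripts = []
    bodies = [pdf_bytes] + [inflate(m.group(1)) for m in STREAM_RE.finditer(pdf_bytes)]
    for body in bodies:
        for match in INIT_SCRIPT_RE.finditer(body):
            script = match.group(1).strip()
            if script and script not in scripts:
                scripts.append(script)
    return {"has_xfa": b"/XFA" in names, "initialize_scripts": scripts}

def build_sample(activity):
    """Constructed PDF-like input with a harmless script; not the file on this page."""
    xfa = (b'<template><subform name="form1"><event activity="' + activity + b'">'
           b'<script contentType="application/x-javascript">'
           b'xfa.host.messageBox("constructed sample");'
           b'</script></event></subform></template>')
    packed = zlib.compress(xfa)
    header = b"%PDF-1.7\n1 0 obj\n<< /AcroForm << /XFA 2 0 R >> >>\nendobj\n"
    obj = b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(packed)).encode() + b" >>\n"
    return header + obj + b"stream\n" + packed + b"\nendstream\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(triage_pdf(build_sample(b"initialize")))
```

The scan only handles Flate-compressed or uncompressed streams; other filters and encrypted documents need a full PDF parser.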
Removal Instructions
If your computer has no antivirus installed and is infected by this malicious program, follow the instructions below to delete it:
1. Delete the original exploit file (its location will depend on how the program originally penetrated the infected computer).
2. Delete the downloaded malicious file:
%Temp%\<rnd>.exe
3. Update Adobe Reader and Acrobat or install updates using the link:
http://www.adobe.com/support/security/bulletins/apsb10-07.html
4. Perform a full system scan with an antivirus with updated databases.