Exploit.JS.Pdfka.eeo

Removal Instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Delete the original exploit file (its location on the infected computer will depend on how the program got onto the computer).
  2. Clear the Temporary Internet Files directory containing the infected files (How to delete infected files in the Temporary Internet Files folder?):
    %Temporary Internet Files%

  3. Update Adobe Reader and Acrobat or install updates:
    http://www.adobe.com/support/security/bulletins/apsb10-07.html
  4. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).

Payload

The malicious XFA form content is initialized and launched after opening a specially created infected PDF document containing this form. As the "initialize" event handler in the XFA form, it uses obfuscated malicious Java Script. After removing the obfuscation, the trojan uses the vulnerability which arises on account of over-filling the buffer when incorrectly processing arguments in "libtiff.dll" (CVE-2010-0188) to download the malicious files. The malicious file is downloaded from different URLs, depending on the version of the exploit, for example:

http://ac***ro.cz.cc/k.php?f=16&e=6
http://ce***et5.cu.cc/d.php?f=360&e=6
http://cen***et4.cu.cc/d.php?f=360&e=6
http://ce***net6.cu.cc/d.php?f=360&e=6

The trojan then saves the downloaded file in the browser's temporary file directory:
%Temporary Internet Files%\<name of_temporary_file>

The name under which the file is saved may change depending on the version of the trojan.


After successfully saving the file, it is launched for execution.


The link did not work when creating the description. Vulnerable products include Adobe Reader and Acrobat 8 (up to version 8.2.1) and 9 (up to version 9.3.1).

Technical Details

An exploit that uses the vulnerabilities in Adobe – Reader and Acrobat products for its implementation on the user's computer. The file is an XFA (XML Forms Architecture) containing malicious Java Script. Depending on the version, it may be between 43257 and 44249 bytes.