Removal Instructions

If your computer has not been protected with anti-virus software and has been infected with malware, you will need to take the following actions to delete this:

  1. Delete the original exploit file (its location on the infected computer will depend on how the program got onto the computer).
  2. Delete the following files:

  3. Clear the Temporary Internet Files directory containing the infected files (How to delete infected files in the Temporary Internet Files folder?):
    %Temporary Internet Files%

  4. Update Adobe Reader and Acrobat or install updates:
  5. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).

MD5: e8c8732c3de6e8617747bc229fca14ea
SHA1: a0fd602797945304e649eaf8edf9a7b4655f2996


The malicious PDF document contains a compressed data stream which, after opening the document, is unpacked as an XFA form. The trojan uses the vulnerability that arises on account of overfilling the buffer when incorrectly processing arguments in "libtiff.dll" (CVE-2010-0188) to download a file which is located at the following link:


The trojan then saves the file in the working directory under the following name:

After successfully saving the file, the infected file is then launched for execution. The link did not work when creating the description. The trojan also creates a binary file with a malicious shell code in the working directory:

The file is given the attribute "Hidden". Vulnerable products include Adobe Reader and Acrobat 8 (up to version 8.2.1) and 9 (up to version 9.3.1).

Technical Details

An exploit that uses vulnerabilities in the products Adobe – Reader and Acrobat for its implementation on the user's computer. The file is a PDF document containing an XFA (XML Forms Architecture) form that stores a malicious shell code. 2655 bytes.