(Exploit:Win32/Pidief.D; Exploit:W32/AdobeReader.QQ)


     There are no obvious symptoms until the malware manages to infiltrate the system. This can happen when a crafted PDF file is opened and the JavaScript code inside the file is executed.

Removal instructions:

Keep the software installed on your computer updated.

Please let BitDefender delete the infected files.

Analyzed By

Dana Stanut, virus researcher

Technical Description:

     This is a generic detection for specially crafted PDF files which exploit different vulnerabilities found in Adobe PDF Reader's JavaScript engine in order to execute malicious code on the user's computer. The exploitation mainly involves the following two functions:
     util.printf() - if an attacker sends a string long enough to generate a
                           stack-based buffer overflow, he will then be able to
                           execute arbitrary code on the user's computer with the
                           same privilege level as the user who opened the PDF
     Collab.collectEmailInfo() - a stack-based buffer overflow can be
                           caused by passing a string long enough (at least 44952
                           characters) as a parameter in the msg field of this

     The JavaScript function containing the actual exploit is specified in the OpenAction tag of the PDF file. Usually this function is encoded using zlib. After decompression, the script is sometimes still obscured through one or more layers of encoding in order to avoid detection and make analysis more difficult.
     The JavaScript code inside the PDF file is used to download and execute other malware on the user's computer.
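
The structure described above (an OpenAction entry pointing at zlib-compressed JavaScript that calls one of the two listed functions) can be checked statically. The following is an added example, not Bitdefender's detection logic; the names triage_pdf, inflate and build_sample are hypothetical, and the sample files are constructed and harmless.

```python
import re
import zlib

# The two functions the page names (spelled as in the Acrobat JavaScript API).
SUSPECT_CALLS = (b"util.printf", b"Collab.collectEmailInfo")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def inflate(raw: bytes) -> bytes:
    """zlib-decompress a stream body (trailing newline tolerated); else raw."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw


def triage_pdf(data: bytes) -> dict:
    """Static triage only: nothing found in the file is ever executed."""
    report = {
        "open_action": b"/OpenAction" in data,
        "javascript": b"/JS" in data or b"/JavaScript" in data,
        "suspect_calls": [],
    }
    # Scan the raw file (inline scripts) plus every inflated stream.
    bodies = [data] + [inflate(m.group(1)) for m in STREAM_RE.finditer(data)]
    for name in SUSPECT_CALLS:
        if any(name in body for body in bodies):
            report["suspect_calls"].append(name.decode())
    report["suspicious"] = report["open_action"] and bool(report["suspect_calls"])
    return report


def build_sample(script: bytes) -> bytes:
    """Constructed, harmless PDF fragment holding a zlib-compressed script."""
    packed = zlib.compress(script)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
        b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
        b"3 0 obj << /Filter /FlateDecode /Length " + str(len(packed)).encode()
        + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n%%EOF\n"
    )


SAMPLE_HIT = build_sample(b'util.printf("%d", 1);')   # benign call, constructed
SAMPLE_CLEAN = build_sample(b'app.alert("hello");')   # no listed call

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_HIT), triage_pdf(SAMPLE_CLEAN))
```

A miss does not clear a file: as noted above, the script may remain under further encoding layers after decompression, which this check does not unwrap.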