Trojan.Downloader.JS.NN
SYMPTOMS: No obvious symptoms.

TECHNICAL DESCRIPTION: This malicious JavaScript may come bundled inside a PDF document.

When an infected PDF is opened, the JavaScript is executed and performs the following actions:

It will then place several NOP (No OPeration) instructions at the beginning of the code, in order to avoid receiving execution at an invalid address.

The exploit code (~450 B) first decrypts its encrypted body and locates the API functions it needs. It then downloads a file from http://netcorb[removed]/load.php and saves it under the name "~.exe" in the current folder. After a successful download, it launches the file.

The downloaded executable may be subject to change, and at the time of writing, the link was dead.

The detection name covers both the infected PDF file and the infected JavaScripts.

Removal instructions: Please let BitDefender disinfect your files.

ANALYZED BY: Lutas Andrei Vlad, virus researcher
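
A defender-side triage sketch for the behaviour in the technical description (JavaScript bundled in a PDF, NOP padding placed ahead of the exploit code). This is an added example, not BitDefender's detection logic; the function names, the `%u9090` encoding assumed for the NOPs, and the sample PDF are constructed for illustration.

```python
import re
import zlib

# PDF names can hide letters behind #xx hex escapes (/J#61vaScript), so decode first.
_NAME = re.compile(rb"/([A-Za-z0-9#]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Assumption: NOP padding appears in script source as a run of %u9090 or \u9090 escapes.
_NOP_RUN = re.compile(rb"(?:[%\\]u9090){4,}", re.IGNORECASE)

SCRIPT_NAMES = {b"JS", b"JavaScript"}   # dictionary keys that carry script
AUTORUN_NAMES = {b"OpenAction", b"AA"}  # keys that trigger an action without a click


def _blobs(data):
    """Yield the raw file, then every stream that inflates as zlib/Flate data."""
    yield data
    for m in _STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate, or a filter this sketch does not handle


def _names(blob):
    """Return the set of PDF names in blob with #xx escapes decoded."""
    return {_HEX.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
            for m in _NAME.finditer(blob)}


def triage(data):
    """Return static indicators for one PDF given as bytes."""
    blobs = list(_blobs(data))
    names = set().union(*(_names(b) for b in blobs))
    return {
        "has_script": bool(names & SCRIPT_NAMES),
        "auto_run": bool(names & AUTORUN_NAMES),
        "nop_padding": any(_NOP_RUN.search(b) for b in blobs),
    }


def build_sample():
    """Constructed, inert PDF fragment: obfuscated /JavaScript name, Flate script stream."""
    script = b'var pad = unescape("' + b"%u9090" * 8 + b'");'
    body = zlib.compress(script)
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode >>\nstream\n" + body +
            b"\nendstream\nendobj\n%%EOF\n")
```

These are static indicators for prioritising a file for analysis, not a verdict: script hidden behind other stream filters or encryption is not inspected by this sketch.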