TROJ_PDFJSC.PI
Windows 2000, XP, Server 2003

Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Trojan executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
This Trojan takes advantage of software vulnerabilities to allow a remote user or malware/grayware/spyware to download files.
TECHNICAL DETAILS
Varies
No
03 Sep 2010
Download Routine
This Trojan takes advantage of the following software vulnerabilities to allow a remote user or malware/grayware/spyware to download files:
- Stack-based buffer overflow in CoolType.dll in certain versions of Adobe Reader and Acrobat
- Adobe Reader and Acrobat 'newplayer()' JavaScript Method Remote Code Execution Vulnerability
Other Details
More information on this vulnerability can be found below:
It does the following:
- After successfully exploiting the said vulnerability, this malware drops any of the following files:
  - %User Temp%\alg.exe - detected as BKDR_SCROG.OK
  - %User Temp%\ico.exe - detected as TROJ_DROPPR.AS
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
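To check every user profile for the two dropped files named above, the following added example (not part of the original entry or any vendor tooling) walks a `Documents and Settings` folder, live or from a mounted disk image, and records each match with its size and SHA-256. The function name `find_dropped_files` and the record layout are assumptions made for illustration; a file-name match is only a lead to confirm with a scanner.

```python
import hashlib
from pathlib import Path

# Dropped file names and detection names as listed in this entry.
DROPPED = {
    "alg.exe": "BKDR_SCROG.OK",
    "ico.exe": "TROJ_DROPPR.AS",
}
# %User Temp% relative to each profile on Windows 2000, XP and Server 2003.
TEMP_PARTS = ("local settings", "temp")


def _child_dir(parent, name):
    """Return the sub-directory of `parent` called `name`, ignoring case."""
    try:
        for entry in parent.iterdir():
            if entry.is_dir() and entry.name.lower() == name:
                return entry
    except OSError:  # unreadable profile (permissions, damaged image)
        pass
    return None


def find_dropped_files(profiles_root):
    """Scan every profile under `profiles_root` (e.g. C:\\Documents and Settings,
    or the same folder on a mounted disk image) for the dropped files."""
    hits = []
    root = Path(profiles_root)
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        temp = profile
        for part in TEMP_PARTS:
            temp = _child_dir(temp, part) if temp else None
        if temp is None:
            continue  # profile has no Local Settings\Temp folder
        for f in sorted(temp.iterdir()):
            detection = DROPPED.get(f.name.lower())
            if detection and f.is_file():
                hits.append({
                    "user": profile.name,
                    "path": str(f),
                    "expected_detection": detection,
                    "size": f.stat().st_size,
                    "sha256": hashlib.sha256(f.read_bytes()).hexdigest(),
                })
    return hits


if __name__ == "__main__":
    import sys
    for hit in find_dropped_files(sys.argv[1]):
        print(hit)
```

Windows ships a legitimate alg.exe in its system folder, so the location in a user's Temp folder is what makes a match here worth investigating.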
SOLUTION
8.900
7.434.01
03 Sep 2010
7.435.00
03 Sep 2010
Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Remove malware files dropped/downloaded by TROJ_PDFJSC.PI