Malware Sent via PDF Attachment

A new attack has been detected that attempts to spread data-stealing malicious code via an email with the subject “setting for your mailbox are changed.” Users should not open this email or the attachment. The email includes an infected PDF attachment called “doc.pdf,” which, when opened, runs a set of scripts and executables on the recipient’s computer that infect or spoof various Windows programs and services. The methods used do not require JavaScript in order to execute. Once infected, the machine will then periodically contact malicious Web locations to download and update itself with any of the latest malicious and data-stealing viruses.

If you have IndigoGUARD you are protected.

If you do not have IndigoGUARD please contact BWS Technologies.

What does it do?

The primary vulnerability involves the “/Launch” functionality that is implemented in all major PDF viewers, such as Adobe Reader, Web browsers, and Foxit Reader. The /Launch action does not require JavaScript to be enabled, so disabling JavaScript or other active content does not address the vulnerability. Currently, this vulnerability is being used as part of an attack that spreads via an email that may include descriptive verbiage such as the following:

Subject: setting for your mailbox are changed
Attached: doc.pdf
SMTP and POP3 servers for mailbox are changed.
Please carefully read the attached instructions before updating settings.

When the attached document is opened, the recipient’s PDF viewer will execute the /Launch command included in the document parameters. This will, in turn, pass echo statements to cmd.exe to create a VBScript file called “script.vbs”, which will then extract a second script called “batscript.vbs”, and then finally use that to create and run a Trojan executable called “game.exe.” Game.exe attaches itself to Windows Explorer and creates a new svchost.exe service in order to hide itself and to ensure that it is always running.
Three seconds after installation, the original script file cleans up the remaining evidence by deleting the scripts and executable files created during infection. The new svchost.exe process will then periodically contact three domains over HTTP:,, and, in order to download new code or instructions, or upload stolen data.
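
As an added example (not part of the original advisory and not any vendor's code), the Python below shows how a mail gateway or triage script could flag a PDF that carries a /Launch action even when it contains no JavaScript, including when the name is hidden with PDF #xx hex escapes. The verdict labels and the sample bytes are assumptions constructed for illustration, and names inside compressed object streams are not visible to this raw scan.

```python
import re

# PDF names may hide characters as #xx hex escapes (e.g. /L#61unch == /Launch).
_NAME = re.compile(rb"/((?:[^\x00\t\n\x0c\r ()<>\[\]{}/%#]|#[0-9A-Fa-f]{2})+)")
_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names of interest: the launch action itself, automatic triggers, and script.
WATCHED = ("Launch", "OpenAction", "AA", "JavaScript", "JS")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so obfuscated spellings compare equal."""
    return _ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Count watched names in raw PDF bytes and derive a verdict."""
    counts = {name: 0 for name in WATCHED}
    obfuscated = 0
    for m in _NAME.finditer(data):
        name = decode_name(m.group(1))
        if name in counts:
            counts[name] += 1
            if b"#" in m.group(1):
                obfuscated += 1
    auto = counts["OpenAction"] + counts["AA"] > 0
    # Verdict labels are hypothetical policy names chosen for this example.
    if counts["Launch"] and auto:
        verdict = "block"        # launch action that fires when the file opens
    elif counts["Launch"] or obfuscated:
        verdict = "quarantine"   # launch present, or a watched name was hidden
    else:
        verdict = "pass"
    return {"counts": counts, "obfuscated": obfuscated, "verdict": verdict}


# Constructed samples (not taken from the attachment described above).
SAMPLE_LAUNCH = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                 b"2 0 obj\n<< /Type /Action /S /L#61unch /F (PLACEHOLDER) >>\nendobj\n")
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in (("launch", SAMPLE_LAUNCH), ("clean", SAMPLE_CLEAN)):
        print(label, scan_pdf(blob))
```

The first sample is blocked with zero JavaScript names counted, which is the point the advisory makes: filtering on JavaScript alone misses this document.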

According to NitroSecurity’s SIEM Blog, some of the major antivirus products from vendors such as Avast, AVG, Symantec, McAfee, eTrust, and Trend Micro currently have signatures available to detect the file attachment as malicious; however, few of the remaining top 40 antivirus products are able to detect any of the files associated with this attack. Gladiator recommends that users do not open any emails or attachments like the ones described above and should always exercise caution regarding any suspicious or unsolicited email received.

via Gladiator Research and Security

  • 04/30/2010