When “doc” stands for “don’t open contents”
Brian Ross, one of our Sunbelt malware removal specialists found this little gem – a malicious file that arrives as an attachment in spam and takes advantage of the newly-discovered launch vulnerability in .PDF files.
It uses a script in a PDF file to install a back door that starts up whenever Internet Explorer is launched. The infected svchost.exe file that it drops has been around for a while, but using a malicious PDF file to drop it is the interesting new twist. We’ve seen other reports of similar malware out there today.
It’s detected by VIPRE as Expoit.PDF.LaunchExe.
The malicious attachment looks innocuous enough.
Named “doc.pdf,” it displays a popup when opened asking if you would like to launch an external file. Choosing “Do Not Open” opens the pdf doc. If you choose “Open” several cmd windows display quickly so you can’t see the text they carry.
If you choose “Do not Open,” you can see that there is text above the viewable text in the popup window:
The script loads the PDF document as a text file, looking for strings within that text, dumping it into other VBS files and executing them.
The script appears to create an array, write data to a file named “game.exe” and run it as another vbscript. The result is an entry in the registry that will launch the bogus svchost.exe in “c:program filesmicrosoft common” whenever explorer.exe is started.
Prior to the PDF document being open, neither “C:Program FilesMicrosoft Common” nor “HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsexplorer.exe” existed. These items were added following execution of the PDF doc. Details below:
The registry before the threat installs:
And after:
Registry export of the infected key is below:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsexplorer.exe]
“Debugger”=”C:\Program Files\Microsoft Common\svchost.exe”
[bottom line] don’t click on attachments in spam. [/bottom line]
Thanks Brian.
Tom Kelchner