It has been observed that a Trojan named Pidief is circulating widely, exploiting the remote code execution vulnerability in Adobe Acrobat PDF file handling described in CIVN-2007-128.
The Trojan comes as a PDF attachment in spammed e-mails with subject lines enticing innocent users into opening the malicious file and executing the malware on their systems.
Aliases: EXPL_PIDIEF.B [FrSirt], Trojan.Pidief.A [Symantec], EXPL_PIDIEF.B [Trend Micro], Exploit.Win32.AdobeReader.b [Kaspersky]
The e-mail contains the following:
Subject: (any of the following)
- Your credit report
- Your credit points
- Your balance report
- Personal Financial Statement
- Personal Credit Points
Attachments: (any of the following)
- report.pdf
- debt.2007.pdf
- overdraft.2007.10.26.pdf
Upon execution, the Trojan:
- disables the Windows firewall by issuing the following command:
netsh firewall set opmode mode=DISABLE
- downloads malicious files from different locations.
- saves the downloaded threat to the following location:
%CurrentFolder%\
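The behaviour and e-mail indicators listed above can be turned into simple detection checks. The following is an added example, not CERT-In's or any vendor's code; the mail records and process-creation log lines are constructed samples, and the log field layout is an assumption.

```python
"""Detection checks for the Pidief indicators given in this advisory.

Added example. SAMPLE_MAILS and SAMPLE_LOG are constructed; a real source
would be a mail-gateway log and Windows process-creation events.
"""
import re

# Subject lines and attachment names taken from the advisory body.
SUBJECTS = {
    "your credit report", "your credit points", "your balance report",
    "personal financial statement", "personal credit points",
}
ATTACHMENTS = {"report.pdf", "debt.2007.pdf", "overdraft.2007.10.26.pdf"}

# Matches "netsh firewall set opmode mode=DISABLE" and close variants
# (different case, extra spaces, the optional "mode=" prefix omitted).
NETSH_DISABLE = re.compile(
    r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+(?:mode\s*=\s*)?disable\b",
    re.IGNORECASE,
)


def is_suspicious_mail(subject, attachment_names):
    """True when the subject or any attachment is on the advisory's list."""
    if subject.strip().lower() in SUBJECTS:
        return True
    return any(a.strip().lower() in ATTACHMENTS for a in attachment_names)


def firewall_disable_events(log_lines):
    """Return the log lines whose command line disables the Windows firewall."""
    return [line for line in log_lines if NETSH_DISABLE.search(line)]


# Constructed sample data (assumed log format: key=value pairs per line).
SAMPLE_MAILS = [
    ("Your credit report", ["report.pdf"]),
    ("Meeting notes", ["agenda.pdf"]),
    ("Re: invoice", ["debt.2007.pdf"]),
]
SAMPLE_LOG = [
    'Image=C:\\WINDOWS\\system32\\netsh.exe CommandLine="netsh firewall set opmode mode=DISABLE"',
    'Image=C:\\WINDOWS\\system32\\netsh.exe CommandLine="netsh firewall show state"',
    'Image=C:\\WINDOWS\\system32\\cmd.exe CommandLine="cmd /c dir"',
]

if __name__ == "__main__":
    for subject, names in SAMPLE_MAILS:
        verdict = "QUARANTINE" if is_suspicious_mail(subject, names) else "ok"
        print(f"{subject!r}: {verdict}")
    for line in firewall_disable_events(SAMPLE_LOG):
        print("ALERT firewall disabled:", line)
```

Matching exact subject strings is deliberately narrow; in practice these indicators change quickly, so the firewall check is the more durable of the two.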
In view of rapid propagation of the PDF Malware, users are advised to implement the following countermeasures:
- Disable the "mailto:" option in Acrobat, Acrobat 3D 8 and Adobe Reader in the Windows registry
- Apply appropriate patches on vulnerable Adobe systems as mentioned in CERT-In Vulnerability Note CIVN-2007-128.
- Delete emails with the above mentioned Subject lines and attachments.
- Avoid opening PDF files through the web browser; instead, save the file to disk before opening it.
- Install and maintain updated anti-virus software at the gateway and desktop level.
- Keep up to date on patches and fixes for the operating system and the above-mentioned vulnerabilities.
References
http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-102310-3513-99&tabid=1
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=139103
http://www.f-secure.com/weblog/archives/00001303.html
The information provided herein is on "as is" basis, without warranty of any kind.