Troj/PDFEx-DF: SophosLabs sees malware exploiting /Launch

Filed Under: Malware, SophosLabs

Last week, I talked about how to disable some functionality in Adobe Acrobat (see blog).

This morning, we released generic detection for something we call Sus/PDFJs-S. Sophos will generically detect PDF files which use this functionality to run executables. This afternoon, I have just written detection for the first malicious PDF using this technique (Troj/PDFEx-DF).

When you open a file with Troj/PDFEx-DF, you will be presented with the following:

If you were to ignore the obvious spelling mistake, Troj/PDFEx-DF would drop and execute:

c:\windows\system32\ActiveX.exe

Which will be detected as Troj/Agent-MYJ.
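As an added illustration, not part of this post and not Sophos's own detection logic, the Python script below shows the kind of check a generic /Launch detection performs on a file like the one described above: it walks the uncompressed objects of a PDF, normalises `#xx` name escapes (so `/L#61unch` is seen as `/Launch`), flags every `/S /Launch` action and reports whether the `/F` target carries an executable extension. The sample PDF fragments are constructed here and only borrow the ActiveX.exe path quoted above; the function names and the extension list are my own assumptions.

```python
import re

# Extensions that a /Launch target should never need in a legitimate document (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js")

# Each indirect object "N G obj ... endobj", captured so findings can cite the object number.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /S /Launch marks a launch action; /F (...) is the literal-string file name it will run.
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
FILE_RE = re.compile(rb"/F\s*\(((?:[^()\\]|\\.)*)\)")
# PDF names may encode any character as #xx; resolve them before matching.
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names such as /L#61unch compare equal to /Launch."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_unescape(s: bytes) -> str:
    """Resolve the literal-string escapes \\\\, \\( and \\) ; other escapes are left untouched."""
    return re.sub(rb"\\([\\()])", rb"\1", s).decode("latin-1")


def find_launch_actions(data: bytes) -> list[dict]:
    """Return one finding per object that contains a /Launch action."""
    findings = []
    for m in OBJ_RE.finditer(normalise_names(data)):
        body = m.group(3)
        if not LAUNCH_RE.search(body):
            continue
        targets = [pdf_unescape(f) for f in FILE_RE.findall(body)]
        findings.append({
            "object": int(m.group(1)),
            "targets": targets,
            "runs_executable": any(t.lower().endswith(EXECUTABLE_EXTENSIONS) for t in targets),
        })
    return findings


def classify(data: bytes) -> str:
    """Coarse verdict in the spirit of a generic 'PDF runs an executable' detection."""
    findings = find_launch_actions(data)
    if any(f["runs_executable"] for f in findings):
        return "suspicious: /Launch of executable"
    if findings:
        return "review: /Launch action present"
    return "clean: no /Launch action"


# Constructed sample: an OpenAction that launches the dropped path named in the post.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /Launch /Win << /F (c:\\windows\\system32\\ActiveX.exe) >> >> endobj
4 0 obj << /Type /Action /S /URI /URI (http://example.invalid/) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same file with the action name obfuscated via a #xx escape.
OBFUSCATED_PDF = SAMPLE_PDF.replace(b"/Launch", b"/L#61unch")

# Constructed sample: a document with no action at all.
CLEAN_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, data in (("sample", SAMPLE_PDF), ("obfuscated", OBFUSCATED_PDF), ("clean", CLEAN_PDF)):
        print(label, "->", classify(data), find_launch_actions(data))
```

The scan only sees objects stored in the clear: a file whose action dictionary lives inside a compressed object stream or an encrypted document must have its streams decoded first, which is why a signature like Sus/PDFJs-S has to be backed by a real PDF parser rather than a byte-pattern alone.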
