Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: UNKNOWN
Payload:
Detection files published:
Description created: 21 Aug 2009 01:52:00
Description updated: 21 Aug 2009 01:52:00
Malware type: TROJAN
Aliases:
* Generic_c.EAS (AVG)
* Exploit.Win32.PDF-URI.l (Kaspersky)
* Troj/PDFex-A (Sophos)
* Bloodhound.Exploit.163 (Symantec)
Spreading mechanism: UNKNOWN

JS/Shellcode.X

Spreading

PDF documents opened automatically by the Web browser from untrusted or unsolicited sources.

Payload Details

A Uniform Resource Identifier (URI) is a string of characters that identifies a location, resource, or protocol. The vulnerability is exploited when Windows incorrectly determines the appropriate handler for the protocol specified in the URI; exploitation relies on the URI containing a "%" character.
External references:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5020
* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3896
* http://www.microsoft.com/technet/security/bulletin/ms07-061.mspx
* http://www.kb.cert.org/vuls/id/403150
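Because the page ties exploitation to a "%" character inside a URI carried by a PDF, a defender triaging suspect documents can pull the /URI actions out of a file and rank those whose "%" is not a well-formed %XX escape. The scanner below is an added example, not Lumension's or any vendor's code; the sample PDF bytes are constructed for illustration, and the "malformed-percent" verdict is a triage heuristic, not a signature.

```python
import re

# Constructed sample (not a real malware sample): three PDF /URI actions, one plain,
# one with a legitimate %XX escape, and one hex-encoded string containing a stray "%".
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Action /S /URI /URI (http://example.invalid/report\\(2009\\).pdf) >> endobj
2 0 obj << /Type /Action /S /URI /URI (http://example.invalid/a%20b) >> endobj
3 0 obj << /Type /Action /S /URI /URI <6D61696C746F3A2561626325> >> endobj
"""

# /URI followed by a literal string (...) or a hex string <...>
_LITERAL = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.S)
_HEX = re.compile(rb'/URI\s*<([0-9A-Fa-f\s]*)>')
_PCT_OK = re.compile(r'%[0-9A-Fa-f]{2}')
_ESC = {b'n': b'\n', b'r': b'\r', b't': b'\t'}


def _unescape(s: bytes) -> bytes:
    """Resolve PDF literal-string escapes (backslash + char; n/r/t map to controls)."""
    return re.sub(rb'\\(.)', lambda m: _ESC.get(m.group(1), m.group(1)), s, flags=re.S)


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI string: literal strings first, then hex strings."""
    uris = [_unescape(m.group(1)).decode('latin-1') for m in _LITERAL.finditer(pdf)]
    for m in _HEX.finditer(pdf):
        digits = re.sub(rb'\s', b'', m.group(1))
        if len(digits) % 2:          # PDF pads an odd trailing hex digit with 0
            digits += b'0'
        uris.append(bytes.fromhex(digits.decode('ascii')).decode('latin-1'))
    return uris


def classify_uri(uri: str) -> str:
    """'clean' (no %), 'percent-encoded' (every % starts a valid %XX escape),
    or 'malformed-percent' (some % is not a valid escape: triage these first)."""
    if '%' not in uri:
        return 'clean'
    return 'malformed-percent' if '%' in _PCT_OK.sub('', uri) else 'percent-encoded'


def scan_pdf(pdf: bytes) -> list[tuple[str, str]]:
    """Pair each embedded URI with its verdict."""
    return [(u, classify_uri(u)) for u in extract_uris(pdf)]


if __name__ == '__main__':
    for uri, verdict in scan_pdf(SAMPLE_PDF):
        print(f'{verdict:18} {uri}')
```

Run it against a quarantined file's bytes instead of SAMPLE_PDF; streams compressed with /FlateDecode must be inflated first, since this regex pass only sees plaintext objects.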

Analysis

[ Detection Info ]
* Filename: C:\Documents and Settings\norman\desktop\0ca56830.PDF
* Sandbox name:
* Compressed: NO.
* Signature name: JS/Shellcode.X
* TLS hooks: No.
* Executable type: Application.
* Executable file structure:
* File type: PDF

[ General information ]
* File length:
  * Size: 4854 bytes.
  * Size on disk: 8192 bytes.

[ Network ]
* Attempts to download a file "system.com" from [REMOVED] through ftp.

Removal

The following workarounds will not prevent exploitation, but they can reduce potential attack vectors and make exploitation more difficult.

1. Prevent PDF documents from being opened automatically by the Web browser. The following steps can be followed:
   * Run the installed Adobe Reader.
   * Click on Edit in the menu bar, then click on Preferences in the drop-down menu list.
   * Click on Internet in the Category list on the left pane.
   * Uncheck the check box for Display PDF in Browser.
   * Click OK when done.
   * Restart the computer.

2. Disable JavaScript. The following steps can be followed:
   * Run the installed Adobe Reader.
   * Click on Edit in the menu bar, then click on Preferences in the drop-down menu list.
   * Click on JavaScript in the Category list on the left pane.
   * Uncheck the check box for Enable Adobe JavaScript.
   * Click OK when done.
   * Restart the computer.

3. Disable PDF Shell extensions. Disable them by removing or renaming the Acrord32info.exe file in the following location:
   C:\Program Files\Adobe\Reader \Reader\Acrord32info.exe

4. Avoid opening files from untrusted or unsolicited sources.

5. Deploy DEP (Data Execution Prevention):
   * Right click My Computer.
   * Click on Properties in the menu, then click on the Advanced tab.
   * Click on Settings in Performance, then click on the Data Execution Prevention tab.
   * Select the option Turn on DEP for essential Windows programs and services only.
   * Restart the computer.


Last Updated: 12 Nov 2015 11:06:15