Exploit-PDF.a is the detection name for a specially crafted PDF file that exploits the Adobe Acrobat and Reader mailto: URI handling vulnerability (reported as the "Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability", CVE-2007-5020) to execute arbitrary commands on the computer that opens it. The weakness is an argument-injection flaw: a mailto: URI embedded in the PDF is handed to the Windows URI handler without sanitisation, and on Windows XP or Windows Server 2003 with Internet Explorer 7 installed a '%' in that URI lets the attacker run a command of their choosing. It is a file-format exploit, not a worm: it does not propagate on its own and reaches victims as an e-mail attachment.
More information regarding this vulnerability can be found at the Adobe site, in security bulletin APSB07-18 (the issue was fixed in Adobe Reader and Acrobat 8.1.1); the underlying URI handling flaw in Windows was addressed by Microsoft in MS07-061.
Indication of Infection
On a machine where the attachment has been opened in a vulnerable reader, the Windows Firewall will have been turned off without any user action and the Spy-Agent.bg password stealer will be present. The following malicious attachment names have been observed in the wild:
Methods of Infection
When the PDF attachment is opened in a vulnerable version of Adobe Reader or Acrobat, the embedded mailto: URI causes a command to be run silently, with no prompt to the user. The command first disables the Windows Firewall via netsh, then downloads and executes a password stealer from the following web address (now removed):
This password stealer trojan is detected as Spy-Agent.bg.
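The behaviour above (a PDF reader process running netsh to turn the firewall off, then fetching a second stage) is what an endpoint sensor sees. The following Python is an added example, not part of the original page, of process-creation detection logic run over constructed events: the field names ParentImage, Image and CommandLine follow Sysmon's Event ID 1 naming, but the events themselves are made up for the demonstration, and the lists of reader and shell image names are assumptions to be tuned for a real environment.

```python
import ntpath
import re

# Image names assumed for the demonstration: the PDF reader on one side, the shells and
# script hosts an exploit would launch on the other.
READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
SHELL_IMAGES = {"cmd.exe", "netsh.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Both netsh dialects that switch the Windows Firewall off: the XP-era 'firewall' context
# and the Vista-and-later 'advfirewall' context.
FIREWALL_OFF_RE = re.compile(
    r"netsh(?:\.exe)?\s+(?:firewall\s+set\s+opmode\s+(?:mode=)?disable"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Case-folded file name of a Windows path, regardless of the host running this script."""
    return ntpath.basename(path).lower()


def check_event(event: dict) -> list[str]:
    """Return the rules one process-creation event trips; an empty list means nothing of interest."""
    hits = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in READER_IMAGES and child in SHELL_IMAGES:
        hits.append("PDF reader spawned a shell or script host")
    if FIREWALL_OFF_RE.search(event.get("CommandLine", "")):
        hits.append("Windows Firewall disabled via netsh")
    return hits


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """(event index, rule) pairs for every rule tripped across the event list."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


# Constructed events: a benign reader launch, the exploit chain, and a benign netsh use.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe",
     "CommandLine": r'"C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe" "C:\Docs\invoice.pdf"'},
    {"ParentImage": r"C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c netsh firewall set opmode mode=disable"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r"netsh firewall set opmode mode=disable"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r"netsh interface ip show config"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r"netsh advfirewall set allprofiles state off"},
]

if __name__ == "__main__":
    for index, rule in detect(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The parent/child rule is the higher-signal one: a document reader has no business starting cmd.exe or netsh.exe, whatever the command line says, so it catches variants of this attack that disable the firewall some other way or skip that step entirely. The netsh rule is a useful corroborating indicator but will also fire on legitimate administration, so it is best treated as context rather than an alert on its own.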
Aliases
- EXP/CVE-5020.A (Avira)
- EXPL_PIDIEF.B (Trend Micro)
- Exploit-PDF.a (McAfee)
- Exploit.Win32.AdobeReader.b (Kaspersky)
- PDF/Exploit.Shell.A (ESET)
- Trojan.Pidief.A (Symantec)