Virus: EXP/CVE-5020.A
Date discovered: 23/10/2007
Type: Exploit
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 3.850 Bytes
MD5 checksum: 8ea902b3b52e022ad5496be996aa2065
IVDF version: 7.0.0.125

General

Method of propagation:
   • Email


Aliases:
   •  McAfee: Exploit-PDF
   •  Eset: PDF/Exploit.Shell.A trojan


Platforms / OS:
   • Windows XP


Side effects:
   • Disables security applications
   • Downloads a malicious file
   • Makes use of software vulnerability

Files

The following file is created:

– Non-malicious file:
   • %current directory%\1

It tries to download a file:

– The location is the following:
   • ftp://anonymous:%current username%@%computer name%@**********/ldr.exe
It is saved on the local hard drive under: %current directory%\ldr.exe
The file is executed once it has been fully downloaded. Further investigation showed that this file is also malware. Detected as: TR/Drop.LdPinch.dvx

Email

It does not have its own spreading routine, but it was spammed out via email. The characteristics are described below:

Email design:
Attachments:
   • BILL.PDF
   • YOUR_BILL.PDF
   • INVOICE.PDF
   • STATEMENT.PDF

Network Infection

Infection process:
Creates an FTP script on the compromised machine in order to download the malware from the remote location.

Description inserted by Lutz Koch on Tuesday, October 23, 2007
Description updated by Lutz Koch on Wednesday, October 24, 2007
