One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.
The Trojan will most likely arrive through email with a subject such as "invoice", "statement" or "bill" of some description, containing just the .pdf file. So far we have seen the following file names used:
- INVOICE.pdf
- YOUR_BILL.pdf
- BILL.pdf
- STATEMET.pdf
The emails are using the following subject lines (note the misspellings):
- INVOICE alacrity
- INVOICE depredate
If the .pdf file is opened and the vulnerability exploited, it will run code that will download an executable named ldr.exe.
Hackers abuse flaw in PDF files to spread viruses
Posted on Thursday, October 25 2007 @ 10:01 CEST by Thomas De Maesschalck