Author Topic: AVG says it was a PDF exploit  (Read 3197 times)


July 09, 2009, 07:22:11 pm

tom_

http://esli.tw/1/pdf.php

Can't tell what this one did.  It removed "View" from the browser menu bar (IE 7) so I couldn't ask to view source.

And from the same folks that brought you that one there was

http://metromasschoir.org/systems.html

which I did not click, having wasted half a day already undoing the first and warning everyone else on two Yahoo groups to avoid them.  I also set my firewall (Sygate) to block 91.212.65.0 - 91.212.65.255 hereafter.

If anyone knows what damage the first one accomplished between acquisition and removal, please reply.  Especially if you think there are additional steps I should be taking, e.g., changing dozens of passwords, etc.


July 09, 2009, 07:49:11 pm
Reply #1

SysAdMini

The payload of this PDF exploit

http://wepawet.cs.ucsb.edu/view.php?hash=46e9aed463da40f4046b5c763c5b8593&t=1247168793&type=js

is detected as a password-stealing trojan. The Anubis report shows installation of a browser helper object.

payload url is
esli.tw/1/getexe.php
http://www.virustotal.com/analisis/1fb49013edfaef4f52125be63b9e27c422bbdec83c085fe049c6c501d1d49475-1247168813 3/41
Ruining the bad guy's day