Friday, January 30, 2009

More on the browser hijack

I ran Symantec Endpoint on it again this morning and it finally identified what this was. They call it Bloodhound.PDF.3, which was discovered and added to their definitions on Dec 18. Symantec calls the infection rate low (0-2 sites), but based on the comments I've had here it's higher than that. I submitted the zipped-up acr442b.tmp file to them. It was definitely the infection vector because it went through that old Reader 7.1. Lesson: update your Adobe Acrobat Reader.

Also, to all those following my analysis, please be careful when messing around with svchost.exe because there is a real one and a fake one. The real one lives in %SystemRoot%\system32 and the fake one lives in system32\drivers, where no legitimate svchost.exe belongs. This is especially important when you are going through the registry: there are references to the real one (the normal "svchost.exe -k ..." service entries) and references to the fake one, so check the full path on every entry before deleting anything. BE CAREFUL.
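The path check described above, as an added example rather than anything from the original post: a PowerShell script that lists every running svchost.exe whose image is not %SystemRoot%\System32\svchost.exe (showing its Authenticode status, since the real one is Microsoft-signed), then scans the Run/RunOnce keys and service ImagePath values for svchost.exe references outside System32. It assumes a Windows host with PowerShell 3 or later (for Get-CimInstance) and an elevated prompt so all process paths are readable; the helper name Test-SvchostPath is my own.

```powershell
# Added example, not from the original post. Flags svchost.exe processes and
# registry references that point anywhere other than %SystemRoot%\System32\svchost.exe.
# Assumes PowerShell 3+ and an elevated session (needed to read every process path).

$legit = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Test-SvchostPath {
    param([string]$Path)
    # Case-insensitive exact match against the single legitimate location.
    return [string]::Equals($Path, $legit, [System.StringComparison]::OrdinalIgnoreCase)
}

# 1. Running processes named svchost.exe whose image is not in System32.
Write-Host "== svchost.exe processes outside $legit =="
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) { return }             # path unreadable (protected process or not elevated)
        if (-not (Test-SvchostPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                PID         = $_.ProcessId
                ParentPID   = $_.ParentProcessId
                Path        = $path
                Signature   = $sig.Status                      # real one: Valid
                Signer      = $sig.SignerCertificate.Subject   # real one: Microsoft Windows publisher
                CommandLine = $_.CommandLine
            }
        }
    } | Format-List

# 2. Autostart registry entries that mention svchost.exe but not the System32 copy.
$svchostRef   = '(?i)svchost\.exe'
$legitRef     = '(?i)\\System32\\svchost\.exe'   # matches "...\System32\svchost.exe -k netsvcs"
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "== Run/RunOnce values referencing a non-System32 svchost.exe =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $val = [string]$p.Value
        if ($val -match $svchostRef -and $val -notmatch $legitRef) {
            Write-Warning "$key\$($p.Name) -> $val"
        }
    }
}

# 3. Service ImagePath values: the real svchost is referenced dozens of times here
#    legitimately, so only the entries pointing elsewhere are reported.
Write-Host "== Services whose ImagePath references a non-System32 svchost.exe =="
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -match $svchostRef -and $img -notmatch $legitRef) {
            Write-Warning "$($_.PSChildName): $img"
        }
    }
```

Anything reported by section 1 or 3 that resolves to system32\drivers\svchost.exe is the rogue copy; note that the Services scan only catches entries that name svchost.exe directly, so a service whose ImagePath points at a different file name still needs to be reviewed by hand.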

Thank you all for your great comments.

1 comment:

Anonymous said...

You're definitely on the right track. When I started getting the popups to run/install whatever anti-virus scanner redirect and my system started to shut down, I brought up Process Explorer (replacing Task Manager) and discovered that "AcroRd32.exe" was taking up several hundred megs of memory. I terminated the process, but the shutdown was already in progress.

I hadn't launched Acrobat during the entire day's computing session, so you're right on the money with your supposition that it was an Acrobat trojan.

Thanks again for your work!