Softpedia
 


March 25th, 2010, 16:28 GMT

Trojan Masquerades as Adobe Reader Updater

Malware masquerades as update components of popular software
Security researchers from Vietnamese security vendor Bach Khoa Internetwork Security (BKIS) have identified a computer trojan that copies itself over the update components of popular software. So far, Adobe Reader and Java Runtime have been targeted.

The malware, which BKIS has named W32.Fakeupver.trojan, is written in Visual Basic and uses this technique to fool even experienced users. Trojans that use file names similar or identical to those of known components in order to hide their process and startup routine are not new.

However, this trojan also imitates the icons and versions of the targeted programs. For example, checking the version information on the fake AdobeUpdater.exe file will show the developer as being Adobe Systems Incorporated and a "Copyright (c) 2002 – 2010 by Adobe Systems Inc" notice will also be displayed.

Version information of fake AdobeUpdater.exe
Furthermore, the researchers point out that the malicious executable overwrites the original file, which breaks the legitimate update functionality and makes the trojan harder to detect. "Ordinary users, sometimes even virus researchers themselves, are easily ‘fooled’ and skip such malware without raising an eyebrow," said Nguyen Minh Duc, senior security researcher and security director at BKIS.

The trojan creates a registry entry called Adobe Update Manager under HKLM\Software\Microsoft\Windows\CurrentVersion\Run that points to the location where the legitimate AdobeUpdater.exe should normally reside. Had it used a different path, a file named AdobeUpdater.exe appearing in process or startup listings would look very suspicious.

After infecting a computer, the trojan starts several services if they are not already running, including DHCP client, DNS client and network share. It also opens a special port in order to listen for commands from the hackers.

Adobe is not the only company whose products are targeted by this threat. The trojan also masquerades as the update component of Oracle's newly acquired Java Runtime Environment and deletes the original. BKIS has seen a variant of this trojan using the "C:\Program Files\Java\jre6\bin\jucheck.exe" path and file name.
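
A defensive check for the masquerade described above, as an added example that is not from BKIS or the original article: it walks the Run key named in the article and sets the vendor name each file declares in its version resource against its Authenticode signature status. It assumes genuine vendor updaters carry a valid signature; the function names are hypothetical.

```powershell
# Added example (not from the article). Function names are hypothetical.
# Assumption: a genuine vendor updater carries a valid Authenticode signature,
# while the version resource (CompanyName, copyright notice) can be forged.
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-RunEntryTarget {
    param([string]$CommandLine)
    # A Run value is a command line: take the quoted path, else text up to ".exe".
    if ($CommandLine -match '^\s*"([^"]+)"')         { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)(\s|$)')  { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

function Test-RunEntry {
    param([string]$Name, [string]$CommandLine)
    $path = [Environment]::ExpandEnvironmentVariables((Get-RunEntryTarget $CommandLine))
    $row = [ordered]@{
        Name = $Name; Path = $path; Company = $null
        Signature = 'FileNotFound'; Signer = $null; Review = $false
    }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $info = (Get-Item -LiteralPath $path).VersionInfo      # self-declared metadata
        $sig  = Get-AuthenticodeSignature -LiteralPath $path   # cryptographic check
        $row.Company   = $info.CompanyName
        $row.Signature = $sig.Status
        if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        # Flag files that name a vendor but have no valid signature to back the claim.
        $row.Review = [bool]$info.CompanyName -and ($sig.Status -ne 'Valid')
    }
    [pscustomobject]$row
}

# Enumerate every autorun value and report the flagged entries first.
$key = Get-Item -LiteralPath $RunKey
$report = foreach ($valueName in $key.GetValueNames()) {
    Test-RunEntry -Name $valueName -CommandLine ([string]$key.GetValue($valueName))
}
$report | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```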

READER COMMENTS:


Comment #1 by: Seb on 26 Mar 2010, 09:54 GMT

I also read that news on Clubic, a French web site.

I've asked Google for more info, but have not found any info about how to remove it yet.

So, how could I do this?


Comment #2 by: Migu on 15 Apr 2010, 16:27 GMT

Having the same problem now. Damn Adobe Reader updater is ruining system! I'm running Antivirus scan, but so far haven't seen any results. Really hope somebody knows how to get rid of it.


Comment #3 by: ATC on 30 Nov 2010, 15:49 GMT

Happened yesterday, on a clean install OS job, as a customer service we install the most current version of Adobe Flash, Shockwave and Reader. Attached to the Adobe Reader was the Genetik trojan. Called Adobe to inform them and some knucklehead told me I had to pay $9.95 to receive support in my problem, then hung up on me. Lovely.


Comment #4 by: Don on 16 Feb 2011, 18:59 GMT

I recently turned the computer on and instantly an Adobe Update appeared. Something just didn't appear right so I closed it and went to Adobe and checked for new updates for my computer and none were needed. Therefore, I think I avoided a virus or Trojan. If this happens close the screen and open Adobe and go to Help then look for updates. Hope this helps someone. I've been caught before and am now very cautious.
Don


Comment #5 by: don on 23 Feb 2011, 23:10 GMT

Don't, repeat, Don't ever click on a popup the downloading. X out of it and go to the subject website and see if there are really updates and download only from the ones you made the contact. With Adobe, X out of it and go to Adobe, click on tools and scroll down to downloads, doubtfully you will find new downloads. I learned the hard way so I never, never download from popup no matter how realistic they look. Good luck, Don


Comment #6 by: MikeCrew on 20 Apr 2011, 16:34 GMT

Adobe, Microsoft and others never realized they would have to become security companies to protect their marketshare. The future in IT is much more volatile with the onslaught of malware writers proliferating at an exponential rate.
