Posted

The link you provided describes PDF/Exploit.PDF-URI.Z. This appears to be a Windows-only trojan and the fixes described in the article are all for Windows. Did Sophos identify it as PDF/Exploit.PDF-URI.Z?

Posted

These aren't really viruses inside PDF files. They are Trojans... actual programs that try to masquerade as a PDF, like file.pdf.exe or some nonsense. If you are conscientious it's easy to identify.

Posted

And the link you provide, like many links concerning viruses, is an advertising link to entice you to download something. Quite often these programs, if they are free, are malware themselves, and this antivirus scare is a way of getting you to download a worse virus or Trojan. Even if the program IS what it says it is, it's merely an elaborate advertising trick.

I'm not saying the virus doesn't exist (though it may not), merely that the best way to deal with it is not necessarily by following advertising copy, and this could lead you to download a far worse intrusion into your system.

It really annoys me now that almost all searches for methods on how to do anything on a computer come up with a majority of advertising pages disguised to look like some info blog. They always have a tiny little stock photo of a face with a generic name (e.g. "Victoria Denby") above the article to make it look like it's a real human's blog, and it always tells you the method to solve your problem (e.g. converting one video type to another) is to buy some software, often, but not always, the one whose name the URL contains plus .com.

It's often easy to tell these are fake because, apart from selling software, "Victoria Denby" often writes in weird, almost Russian-sounding English despite her generic Western name, and misses out capital letters.

For example:

"How can i remove it from my computer? Is there any other effective removal tool i need to download?"

Gradually, you will find the perform speed of your machine run kind of slower than before,[...]

Furthermore, lots of malicious programs downloaded by PDF/Exploit.PDF-URI.Z are flood in your computer[...]

Based on what I have stated above, PDF/Exploit.PDF-URI.Z is to your computer, what a cancer to your body.

You need to take efficient measure as soon as possible to stop it now."

All these are from the dodgy ad page linked to in the above post, supposedly designed to help with this virus.

Posted

To follow up: a little research shows that the link given is a known malware site https://www.herdprotect.com/domain-wiki-threats.com.aspx:

"wiki-threats.com

Private Registration
Domain Information
The domain wiki-threats.com registered by Private Registration was initially registered in August of 2015 through TURNCOMMERCE, INC. DBA NAMEBRIGHT.COM. Currently this domain has been known to host various forms of malware. The hosted servers are located in Kansas City, Missouri within the United States.
Registrant:
Private Registration

Registrar:
TURNCOMMERCE, INC. DBA NAMEBRIGHT.COM
Server location:
Missouri, United States (US)
Create date:
Sunday, August 09, 2015
Expires date:
Tuesday, August 09, 2016
Updated date:
Sunday, August 09, 2015
ASN:
AS32097 WII-KC - WholeSale Internet, Inc.,US
Whois:
1 wiki-threats.com record"

Posted

These aren't really virus inside PDF files. They are Trojans... Actual programs that try to masquerade as a PDF. Like file.pdf.exe or some nonsense. If you are conscientious it's easy to identify.

Not true.

Most of the attempted infections I see are scripts embedded in PDF files.

It's really easy (and sensible) to just block anything executable, which is why a lot of malware is now delivered in application data files; Office documents are another major source of embedded malware.

Posted

Most of the attempted infections I see are scripts embedded in PDF files.

Yeah, OK, it can run JavaScript (IF using an older reader that auto-runs scripts) to either try and download or drop some executable into system files. This is pretty much completely mitigated on OSX if the reader is properly sandboxed (most are, including Adobe's and OSX's built-in Preview), or if running the latest version of "rootless" OSX, which shouldn't allow any shenanigans with system files.
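The two points argued in the thread above (an "evil PDF" may be an executable wearing a .pdf name, or it may be a real PDF carrying script and action entries) can both be checked mechanically. The following is an added example, not code from any poster or product named on this page: a small Python triage script that (1) classifies a file by its magic bytes rather than its extension, and (2) scans a real PDF for the dictionary names an attacker needs (/JavaScript, /JS, /OpenAction, /AA, /Launch, /URI, /EmbeddedFile, and so on). It resolves #xx name escapes such as /J#61vaScript and inflates FlateDecode streams, because object streams hide whole dictionaries from a plain grep. The sample PDF it builds is constructed inline for demonstration and is deliberately minimal; the name list and the helper names are my own choices, not a vendor signature.

```python
import re
import sys
import zlib

# Dictionary keys / action types that a benign document rarely needs but
# malicious PDFs almost always do. PDF names are case-sensitive.
SUSPICIOUS_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional (automatic) actions, e.g. on page open",
    b"/Launch": "launch an external program",
    b"/URI": "open a URI (the 'PDF-URI' family named in this thread)",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "Flash / rich media annotation",
    b"/XFA": "XFA form (scriptable)",
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def classify_header(data: bytes) -> str:
    """Classify by magic bytes, ignoring the file extension entirely."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):          # DOS/PE header: a Windows executable
        return "pe-executable"
    if data.startswith(b"\x7fELF"):
        return "elf-executable"
    return "unknown"


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /J#61vaScript reads as /JavaScript."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the content of every stream that inflates as zlib data.
    Object streams (/Type /ObjStm) keep dictionaries compressed, so the
    raw file alone misses them. Streams whose body happens to contain the
    bytes 'endstream' are truncated here; a full parser would use /Length."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            d = zlib.decompressobj()
            out.append(d.decompress(m.group(1)))   # trailing CR/LF is tolerated
        except zlib.error:
            continue                                # not flate data: skip
    return b"\n".join(out)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count each suspicious name in the raw file plus inflated streams."""
    text = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # A name ends at whitespace or a PDF delimiter: /JS must not match /JSx.
        pattern = re.escape(name) + rb"(?=[\s/\[\]<>(){}%]|$)"
        n = len(re.findall(pattern, text))
        if n:
            hits[name.decode()] = n
    return hits


def build_sample_pdf() -> bytes:
    """Constructed, minimal (not fully valid) PDF used only to exercise the
    scanner: a compressed object stream hides /OpenAction and /JS, a link
    annotation carries a /URI action, and one name uses a #61 escape."""
    hidden = (b"<< /Type /Catalog /OpenAction 4 0 R >>\n"
              b"<< /S /JavaScript /JS (app.alert(1)) >>\n")
    blob = zlib.compress(hidden)
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(blob)).encode() + b" >>\nstream\n" + blob + b"\nendstream\nendobj\n"
            b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.invalid/) >> >>\nendobj\n"
            b"3 0 obj << /S /J#61vaScript /JS (this.exportDataObject({cName:'x', nLaunch:2})) >>\nendobj\n"
            b"%%EOF\n")


def triage(data: bytes) -> dict:
    """Combine both checks into one verdict for a file's bytes."""
    kind = classify_header(data)
    hits = scan_pdf_bytes(data) if kind == "pdf" else {}
    return {"kind": kind, "hits": hits, "suspicious": kind != "pdf" or bool(hits)}


if __name__ == "__main__":
    # Usage: python pdf_triage.py file.pdf [...]; with no args, scan the sample.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("<sample>", build_sample_pdf())]
    for path, content in inputs:
        print(path, triage(content))
```

Interpreting the result is still a judgement call: /URI and /EmbeddedFile appear in plenty of legitimate documents, whereas /OpenAction pointing at a /JavaScript action, or any /Launch, is a much stronger signal. The magic-byte check is what catches the file.pdf.exe case from earlier in the thread, since the content starts with MZ regardless of what Explorer shows.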
