If you go to fileden.com right now, the site will try to push a browser
add-on at you, as well as the file "manual.pdf".

I uploaded it to VT, where it's being detected only by Avast5 and Gdata
as JS:Pdfka-gen.

Virus Guy wrote:

> If you go to fileden.com right now, the site will try to push a
> browser add-on at you, as well as the file "manual.pdf".
>
> I uploaded it to VT, where it's being detected only by Avast5
> and Gdata as JS:Pdfka-gen.

Here is a direct link for that file:

hxxp://z3co.co.cc/games/pdf.php?f=17

From: "Virus Guy" <(E-Mail Removed)>

| If you go to fileden.com right now, the site will try to push a browser
| add-on at you, as well as the file "manual.pdf".

| I uploaded it to VT, where it's being detected only by Avast5 and Gdata
| as JS:Pdfka-gen.

fileden.com isn't doing anything for me.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp

"David H. Lipman" wrote:
>
> From: "Virus Guy" <(E-Mail Removed)>
>
> | If you go to fileden.com right now, the site will try to push
> | a browser add-on at you, as well as the file "manual.pdf".
>
> fileden.com isn't doing anything for me.

Yea, I just checked (11:45 pm) and it's clean now.

But the file is still available from here:

z3co.co.cc/games/pdf.php?f=17

Ant wrote:

> > But the file is still available from here:
> >
> > z3co.co.cc/games/pdf.php?f=17
>
> Five PDF exploits:
>
> Collab.collectEmailInfo
> Collab.getIcon
> media.newPlayer
> util.printd
> util.printf
>
> Shellcode downloads (URLDownloadToCacheFileA) and runs whatever
> executable this points to:
> z3co.co.cc/k.php?f=17&e=3
>
> which was 0 bytes when I tried, and the filename used to save it
> was invalid (not manual.pdf).

manual.pdf is the name you get from the link above - which is the same
even if you drop the "=17" part.

> Maybe it's geo-sensitive or just broken.

I also get a 0 length file from z3co.co.cc/k.php?f=17&e=3.