We received a new sample in the lab today of a file that claims to be from “Adobe Systems Incorporated” according to the version information and bills itself as “Adobe Updater”. When executed, it became clear that this file is malware.
The interesting part is that the file has a digital signature apparently from Adobe Systems Inc. Take a look at this screenshot:
The screenshot is what you see if you right-click on the file and select the Digital Signatures tab on the Properties page. Most users wouldn’t even do this, but if you do it appears that the file is in fact digitally signed by Adobe. Now take a look what happens when you click the Details button:
You can now see that the digital signature is not valid. But take a look at the “Countersignatures” pane in the bottom half of the window. It appears that the file is counter-signed by VeriSign Time Stamping Services. This is an additional level of deception employed by the malware creator, and is something that could potentially fool even experienced users into thinking that the file has been signed with VeriSign as a counter signer.
When executed, the malware copies itself to the Startup folder and then connects to the Internet. It is a trojan clicker intended to make money for its creator. As of 2010-11-10 the only other program to detect it other than TrojanHunter is Dr Web. TrojanHunter detects this malware as FakeAdobe.100.
