NEWS FROM THE LAB - Monday, May 25, 2009

H1N1 Themed Targeted Attack Posted by Response @ 13:02 GMT

The H1N1, formerly known as swine, flu continues to make headlines… though the trends peaked earlier this month.

And while there hasn't been widespread use of H1N1 themes for malicious attacks, we have seen some limited use. Here's something that our honeypots collected last week.

It's a malicious PDF file (that's nothing new).

When the PDF is opened, it exploits Adobe Reader, drops a backdoor, and shows a file referring to H1N1 flu.

Here's a screenshot.


What happens behind the scenes? The exploit drops a malicious file called "AcrRd32.exe" into the computer's temp folder.

The malicious file connects to three IP addresses in order to "call home". These addresses are, or were, in Texas (, Budapest ( and Hyderabad (

The individuals targeted by this attack are unknown to us.