A malicious file has been detected (PDF_Shellcode_Detected)

About this signature or vulnerability

BlackICE PC Protection, BlackICE Server Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects well known shellcode payloads within Adobe Portable Document Format (PDF) files.


False negatives

BlackICE PC Protection, BlackICE Server Protection, IBM Security Server Protection for Windows: The content.shellcode.scan.limit tuning parameter limits the amount of the transfer checked. If shellcode appears beyond this point in the transfer, this signature will not detect it. The pam.content.shellcode.scan.limit tuning parameter limits the amount of the transfer checked. If shellcode appears beyond this point in the transfer, this signature will not detect it.

Default risk level

High risk vulnerability  High

Sensors that have this signature

BlackICE PC Protection: 3.6cqv, BlackICE Server Protection: 3.6.cqv, RealSecure Server Sensor: XPU 28.020, RealSecure Network: XPU 28.020, Proventia Network IDS: XPU 28.020, Proventia-G 1.1 and earlier: XPU 28.020, Proventia Network MFS: XPU 28.020, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.2160, IBM Security Server Protection for Windows: 2.0.252.2160, Proventia Desktop: 2160, Proventia Network IPS: XPU 28.020, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.020

Systems affected

IBM AIX, WindRiver BSDOS, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X

Type

Unauthorized Access Attempt

Vulnerability description

An exploit has been detected in a file.

How to remove this vulnerability

No remedy currently available. If the file has not been opened, do not open it.

References

ISS X-Force
A malicious file has been detected
http://www.iss.net/security_center/static/27657.php