SWF/CVE-2007-0071!exploit is a generic detection for specially crafted Shockwave Flash files capable of exploiting a vulnerability in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier. This does not necessarily mean that a virus has been found. It merely means that code was found which could attempt to run additional executable code without the user's express permission.
This vulnerability, referenced in CVE-2007-0071, may allow a malicious user to execute arbitrary code via a crafted .SWF file. When a malicious .SWF file successfully plays on a system and exploits this vulnerability, it may download other malicious files.
SWF/CVE-2007-0071!exploit may contact one of the domains below to download malicious files:
down.nihao69.cn
user1.12-27.net
222.122.157.120
www.1817520.cn
xnibi.com
fccja.com
218.38.28.68
zjsr f.gov.cn
www.0x4f.cn
It then saves the downloaded file to %Profile%\Local Settings\Temp\ORZ.EXE and executes it.
Note: %Profile% is a variable location and refers to the user's profile folder. The malware determines the location of the current Profile folder by querying the operating system. A typical location for this folder is C:\Documents and Settings\<username>.
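The following is an added detection example, not code from the original advisory. It takes the download hosts listed above (only those that extracted cleanly) and the dropped-file location, and checks them against constructed proxy-log lines and file paths. The log format (timestamp, client IP, URL) is an assumption made for the example.

```python
import re

# Hosts taken from the advisory's own list of download locations
# (constructed subset: the entry with an embedded space is left out).
KNOWN_DOWNLOAD_HOSTS = {
    "down.nihao69.cn",
    "user1.12-27.net",
    "222.122.157.120",
    "www.1817520.cn",
    "xnibi.com",
    "fccja.com",
    "218.38.28.68",
    "www.0x4f.cn",
}

# The %Profile% prefix varies per user, so only the fixed tail of the
# dropped-file path is matched, case-insensitively.
DROPPED_FILE_RE = re.compile(r"\\local settings\\temp\\orz\.exe$", re.IGNORECASE)

# Host portion of a URL or a bare host/IP string.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+)", re.IGNORECASE)


def extract_host(url_or_host):
    """Return the lowercase host part of a URL or bare host string ('' if none)."""
    m = HOST_RE.match(url_or_host.strip())
    return m.group(1).lower() if m else ""


def scan_proxy_log(lines):
    """Flag log lines whose destination host is one of the advisory's hosts.

    Assumed (constructed) line format: '<timestamp> <client_ip> <url>'.
    Returns a list of (client_ip, matched_host) tuples.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        host = extract_host(parts[2])
        if host in KNOWN_DOWNLOAD_HOSTS:
            hits.append((parts[1], host))
    return hits


def is_dropped_payload_path(path):
    """True if a file path ends in the ORZ.EXE location named in the advisory."""
    return DROPPED_FILE_RE.search(path.replace("/", "\\")) is not None


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "2008-05-28T10:01:02 10.0.0.5 http://down.nihao69.cn/a.swf",
    "2008-05-28T10:01:05 10.0.0.5 http://www.example.com/index.html",
    "2008-05-28T10:01:09 10.0.0.7 222.122.157.120",
    "2008-05-28T10:01:12 10.0.0.9 http://www.0x4f.cn/",
]

if __name__ == "__main__":
    for client, host in scan_proxy_log(SAMPLE_LOG):
        print(f"client {client} contacted listed host {host}")
    print(is_dropped_payload_path(
        r"C:\Documents and Settings\alice\Local Settings\Temp\ORZ.EXE"))
```

Matching on the fixed tail of the path rather than the full string keeps the check valid for any profile directory, which the note above says is resolved at run time from the operating system.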
At the time of publication variants of the following families were downloaded:
Win32/Dowque
Win32/Flsme
Win32/Drondog
Win32/Shenhack
Win32/Gamepass