Threat Description

Exploit:​W32/Pidief.CPT

Details

Aliases:Exploit.SWF.J
Category:Malware
Type:Exploit
Platform:W32

Summary



A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Exploit:W32/Pidief.CPT is a maliciously-crafted PDF file that exploits a known vulnerability (CVE-2010-1297) in certain versions of Adobe Acrobat Reader.

If successfully exploited, the malware may be able to forward system information to a remote server for further mischief. At time of analysis however, the URL used for the connection was down.

This PDF file may be distributed via a targeted e-mail; alternatively, it may be hosted on a malicious site. F-Secure Exploit Shield is able to block this exploit.

More information about the targeted vulnerability is available at: http://www.adobe.com/support/security/advisories/apsa10-01.html.

Execution

Upon execution, the PDF file runs a JavaScript code. The JavaScript containing a short shellcode that searches for the following tag from the PDF file itself:

  • 'F.Zh'

Once found, the malware decrypts the data located after the tag. In the sample analyzed, the data is actually two components:

  • A dropped EXE file identified as Trojan:W32/Agent.DJOG
  • A dropped DLL file identified as Trojan:W32/Agent.DJOF

The malware then saves the decrypted data to the following location:

  • C:\-.exe

The decrypted executable seems to be a downloader that drops a small .DLL component to the system32\ and system32\dllcache folders. The dropped component uses the filename 'qmgr.dll'; the original original 'qmgr.dll' is renamed to 'kernel64.dll'.

The malware then creates a file to C:\Windows\ folder with the filename, 'Eventsystem.dll'. This is a copy of the DLL file.

Finally, the malware creates a file named 'es.ini' to Windows\system32 folder, containing the following information:

  • [qmgrConfig] ServerAddress=http://210.211.31.214/[removed]/ddrh.ashx SleepTime=1000 Guid=00000000-0000-0000-0000-000000000000

Note

The PDF file also contained a Flash file, which didn't appear to do anything.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More