Exploit:W32/Pidief.CPT

Classification

Malware

Exploit

W32

Exploit.SWF.J

Summary

A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Exploit:W32/Pidief.CPT is a maliciously-crafted PDF file that exploits a known vulnerability (CVE-2010-1297) in certain versions of Adobe Acrobat Reader.

If successfully exploited, the malware may be able to forward system information to a remote server for further mischief. At time of analysis however, the URL used for the connection was down.

This PDF file may be distributed via a targeted email; alternatively, it may be hosted on a malicious site. F-Secure Exploit Shield is able to block this exploit.

More information about the targeted vulnerability is available at: http://www.adobe.com/support/security/advisories/apsa10-01.html.

Execution

Upon execution, the PDF file runs a JavaScript code. The JavaScript containing a short shellcode that searches for the following tag from the PDF file itself:

  • 'F.Zh'

Once found, the malware decrypts the data located after the tag. In the sample analyzed, the data is actually two components:

  • A dropped EXE file identified as Trojan:W32/Agent.DJOG
  • A dropped DLL file identified as Trojan:W32/Agent.DJOF

The malware then saves the decrypted data to the following location:

  • C:\-.exe

The decrypted executable seems to be a downloader that drops a small .DLL component to the system32\ and system32\dllcache folders. The dropped component uses the filename 'qmgr.dll'; the original original 'qmgr.dll' is renamed to 'kernel64.dll'.

The malware then creates a file to C:\Windows\ folder with the filename, 'Eventsystem.dll'. This is a copy of the DLL file.

Finally, the malware creates a file named 'es.ini' to Windows\system32 folder, containing the following information:

  • [qmgrConfig] ServerAddress=http://210.211.31.214/[removed]/ddrh.ashx SleepTime=1000 Guid=00000000-0000-0000-0000-000000000000

Note

The PDF file also contained a Flash file, which didn't appear to do anything.

Date Created: -

Date Last Modified: -