A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Exploit:W32/Pidief.CPT is a maliciously-crafted PDF file that exploits a known vulnerability (CVE-2010-1297) in certain versions of Adobe Acrobat Reader.
If successfully exploited, the malware may be able to forward system information to a remote server for further mischief. At time of analysis however, the URL used for the connection was down.
This PDF file may be distributed via a targeted email; alternatively, it may be hosted on a malicious site. F-Secure Exploit Shield is able to block this exploit.
More information about the targeted vulnerability is available at: http://www.adobe.com/support/security/advisories/apsa10-01.html.
Once found, the malware decrypts the data located after the tag. In the sample analyzed, the data is actually two components:
The malware then saves the decrypted data to the following location:
The decrypted executable seems to be a downloader that drops a small .DLL component to the system32\ and system32\dllcache folders. The dropped component uses the filename 'qmgr.dll'; the original original 'qmgr.dll' is renamed to 'kernel64.dll'.
The malware then creates a file to C:\Windows\ folder with the filename, 'Eventsystem.dll'. This is a copy of the DLL file.
Finally, the malware creates a file named 'es.ini' to Windows\system32 folder, containing the following information:
The PDF file also contained a Flash file, which didn't appear to do anything.