Threat Descriptions

Exploit:W32/Pidief.CPT

Classification

Category :

Malware

Type :

Exploit

Platform :

W32

Aliases :

Exploit.SWF.J

Summary

A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Exploit:W32/Pidief.CPT is a maliciously-crafted PDF file that exploits a known vulnerability (CVE-2010-1297) in certain versions of Adobe Acrobat Reader.

If successfully exploited, the malware may be able to forward system information to a remote server for further mischief. At time of analysis however, the URL used for the connection was down.

This PDF file may be distributed via a targeted email; alternatively, it may be hosted on a malicious site. F-Secure Exploit Shield is able to block this exploit.

More information about the targeted vulnerability is available at: http://www.adobe.com/support/security/advisories/apsa10-01.html.

Execution

Upon execution, the PDF file runs a JavaScript code. The JavaScript containing a short shellcode that searches for the following tag from the PDF file itself:

  • 'F.Zh'

Once found, the malware decrypts the data located after the tag. In the sample analyzed, the data is actually two components:

  • A dropped EXE file identified as Trojan:W32/Agent.DJOG
  • A dropped DLL file identified as Trojan:W32/Agent.DJOF

The malware then saves the decrypted data to the following location:

  • C:\-.exe

The decrypted executable seems to be a downloader that drops a small .DLL component to the system32\ and system32\dllcache folders. The dropped component uses the filename 'qmgr.dll'; the original original 'qmgr.dll' is renamed to 'kernel64.dll'.

The malware then creates a file to C:\Windows\ folder with the filename, 'Eventsystem.dll'. This is a copy of the DLL file.

Finally, the malware creates a file named 'es.ini' to Windows\system32 folder, containing the following information:

  • [qmgrConfig] ServerAddress=http://210.211.31.214/[removed]/ddrh.ashx SleepTime=1000 Guid=00000000-0000-0000-0000-000000000000

Note

The PDF file also contained a Flash file, which didn't appear to do anything.