
PDF/Pidief.BV!exploit - Released Apr 27, 2010 - Last Updated Apr 28, 2010

Alias/es

Troj/PDFEx-DF (Sophos), PDF/Pidief.BV (FProt), Trojan.Pidief (Symantec)

Detection Availability

              Active Database    Extended Database
FortiGate     low                high
FortiClient
FortiMail     N/A

CVE

2010-1240

Visible Symptoms

  • The following file exists:

    • %Program Files%\Microsoft Common\svchost.exe

  • The system is also infected with VBS/Agent.DJBN!tr and W32/Agent.DJBN!tr.

Detailed Analysis

PDF/Pidief.BV!exploit is the detection for a PDF file that exploits the Launch File Warning Dialog Vulnerability in Adobe Reader. A successful exploit results in a Win32 executable file being created and executed on the system.


Technical Details

This malware may be received as an attachment to a spam email. The email may have the following format:

  • From: [Name]@[Mail Server]

    [Name] varies. Examples are the following:

    • system
    • alert

    [Mail Server] is the mail server name of the email address being spammed.

  • To: [Email Address]

    [Email Address] is the email address being spammed.

  • Subject: "setting for your mailbox are changed"

  • Body:

    "SMTP and POP3 servers for [Email Address] mailbox are changed. Please carefully read the attached instructions before updating settings."

  • Attachment: doc.pdf

Opening the PDF file with Adobe Reader causes the Launch File dialog box to be displayed with a modified message:

Figure 1: Launch File dialog box.

The message is intended to trick the user into launching the Win32 executable program that is embedded in the PDF file.

Clicking the "Open" button results in cmd.exe being launched with parameters that create a VBScript file named script.vbs. This VBScript is detected as VBS/Agent.DJBN!tr. When executed, it reads the doc.pdf file to extract further VBScript code and saves it into the file batscript.vbs. The cmd.exe parameters also include the commands to execute these two VBScript files.

The file batscript.vbs is also detected as VBS/Agent.DJBN!tr. When executed, it drops a Win32 executable program named game.exe.

The Win32 executable program is detected as W32/Agent.DJBN!tr.
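As an added defender-side example (not code from Fortinet or from this entry), the Python script below triages a PDF for the kind of Launch action that produces the dialog described above. It assumes the Launch File dialog is raised by a PDF /Launch action whose /F and /P strings name the program and its parameters (the CVE-2010-1240 mechanism); the three PDF fragments are constructed for the example, the /P string is a harmless placeholder rather than the doc.pdf payload, and the severity levels are the example's own heuristic.

```python
import re
from dataclasses import dataclass
from typing import List

# Targets and parameter hints that make a /Launch action look like the
# cmd.exe-to-VBScript chain described above (heuristics chosen for this
# example, not a vendor signature).
SHELL_TARGETS = {"cmd.exe", "cmd", "command.com", "cscript.exe", "wscript.exe"}
SCRIPT_HINTS = (".vbs", ".bat", ".cmd", "cscript", "wscript")

# Indirect objects, a Launch action, and its /F (file) and /P (parameters)
# literal strings. Simplified on purpose: literal strings with nested or
# escaped parentheses, hex strings, and objects hidden inside compressed
# object streams are not handled; use a real PDF parser for production.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
F_RE = re.compile(rb"/F\s*\(([^)]*)\)")
P_RE = re.compile(rb"/P\s*\(([^)]*)\)")


@dataclass
class LaunchFinding:
    obj_num: int
    target: str
    params: str
    severity: str  # "medium" for any Launch action, "high" for shell/script use


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_pdf_for_launch(data: bytes) -> List[LaunchFinding]:
    """Return one finding per indirect object that carries a /Launch action."""
    findings = []
    for m in OBJ_RE.finditer(data):
        obj_num, body = int(m.group(1)), m.group(2)
        if not LAUNCH_RE.search(body):
            continue
        fm, pm = F_RE.search(body), P_RE.search(body)
        target = fm.group(1).decode("latin-1") if fm else ""
        params = pm.group(1).decode("latin-1") if pm else ""
        severity = "medium"  # a Launch action is rarely legitimate on its own
        if _basename(target) in SHELL_TARGETS or any(
            h in params.lower() for h in SCRIPT_HINTS
        ):
            severity = "high"  # shell interpreter or script file involved
        findings.append(LaunchFinding(obj_num, target, params, severity))
    return findings


def max_severity(data: bytes) -> str:
    """Collapse the findings into a single verdict: none / medium / high."""
    levels = {f.severity for f in scan_pdf_for_launch(data)}
    if "high" in levels:
        return "high"
    return "medium" if levels else "none"


# Constructed samples (not the real doc.pdf). The first imitates the shape of
# a Launch action that hands cmd.exe parameters writing a .vbs file; the /P
# string here only echoes a marker and is harmless.
SAMPLE_LAUNCH_CMD = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo constructed-sample > script.vbs) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# A Launch action pointing at a document, not a shell: still worth a look.
SAMPLE_LAUNCH_DOC = b"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /Type /Action /S /Launch /F (readme.txt) >> endobj
%%EOF
"""
# No Launch action at all.
SAMPLE_NO_LAUNCH = b"""%PDF-1.4
1 0 obj << /Type /Catalog >> endobj
%%EOF
"""

if __name__ == "__main__":
    for name, blob in (("cmd", SAMPLE_LAUNCH_CMD), ("doc", SAMPLE_LAUNCH_DOC),
                       ("none", SAMPLE_NO_LAUNCH)):
        print(name, max_severity(blob), scan_pdf_for_launch(blob))
```

The two-level verdict is deliberate: any /Launch action in mail-borne PDFs deserves a quarantine-and-review decision, while a Launch action whose target is a command interpreter, or whose parameters mention a script file, matches the chain this entry describes and should be treated as malicious outright.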

Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1782054