Where to Buy Trend Micro Products

For Home

For Small Business

1-888-762-8736
(M-F 8:00am-5:00pm CST)

For Enterprise

1-877-218-7353
(M-F 8:00am-5:00pm CST)

Not in the United States?
Select the country/language of your choice:

Asia Pacific Region

Europe

The Americas

Not in the United States?
Select the country/language of your choice:

Asia/Pacific

Europe

America

Login

For Home

For Business

For Partners

Threat Encyclopedia

EXPL_PIDIEF.C

Malware type: Exploit

Aliases: Exploit.Win32.PDF-URI.k (Kaspersky), Exploit-PDF (McAfee), Trojan.Pidief.A (Symantec), EXP/PDF.URI.Gen (Avira), Exploit:Win32/RdrJmp.A (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Medium

Distribution potential:

Low

Infection Channel 1 : Spammed via email


Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

EXPL_PIDIEF.C Behavior Diagram

Malware Overview

This is the Trend Micro detection for an exploit code that takes advantage of the PDF Mailto vulnerability in Adobe Acrobat and Adobe Reader 8.1. The said vulnerability allows an arbitrary code to execute on an affected system.

For more information regarding the abovementioned vulnerability, refer to the following Web page:

This exploit code arrives as an attachment to email messages spammed by another malware or a malicious user.

Once it successfully takes advantage of the said vulnerability, this exploit code connects to a certain FTP site to download and execute a malicious file detected by Trend Micro as TROJ_HARNIG.CU. As a result, routines of the downloaded Trojan are exhibited on the affected system.

In Windows XP, it also executes a command line instruction to disable the Windows Firewall.

For additional information about this threat, see:

Description created: Oct. 26, 2007 9:20:44 PM GMT -0800


TECHNICAL DETAILS


File type: PDF

Size of malware: 3,876 Bytes

Initial samples received on: Oct 26, 2007

Payload 1: Downloads files

Payload 2: Disables firewall

Details:

This is the Trend Micro detection for an exploit code that takes advantage of the PDF Mailto vulnerability in Adobe Acrobat and Adobe Reader 8.1. The said vulnerability allows an arbitrary code to execute on an affected system.

For more information regarding the abovementioned vulnerability, refer to the following Web page:

This exploit code arrives as an attachment to email messages spammed by another malware or a malicious user.

Once it successfully takes advantage of the said vulnerability, this exploit code connects to the following FTP site to download and execute a malicious file detected by Trend Micro as TROJ_HARNIG.CU:

  • ftp://{BLOCKED}.{BLOCKED}.69.116/ms32.exe

As a result, routines of the downloaded Trojan are exhibited on the affected system.

In Windows XP, it also executes a command line instruction to disable the Windows Firewall.

This exploit runs on Windows 98, ME, NT, 2000, XP, and Server 2003 where Adobe Acrobat and Adobe Reader 8.1 is installed.


SOLUTION


Minimum scan engine version needed: 8.300

Pattern file needed: 4.799.00

Pattern release date: Oct 26, 2007


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

Scan your computer with Trend Micro antivirus and delete files detected as EXPL_PIDIEF.C and TROJ_HARNIG.CU. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

Applying Patch

This malware exploits a known vulnerability in Adobe Acrobat and Adobe Reader 8.1. Download and install the fix patch supplied by the Adobe. Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.




Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.

Featured Stories

Connect with us on