Virus: EXP/Pidief.bvd
Date discovered: 28/04/2010
Type: Exploit
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: No
File size: ~ 250.000 Bytes
IVDF version: 7.10.06.228 - Wednesday, April 28, 2010

General

Method of propagation:
   • Email


Aliases:
   •  Symantec: Trojan.Pidief
   •  Kaspersky: Exploit.Win32.Pidief.dcd
   •  TrendMicro: TROJ_PIDIEF.ZAC
   •  F-Secure: Exploit:W32/AdobeReader.WM
   •  Sophos: Troj/PDFEx-DF


Side effects:
   • Drops malicious files

Files

The following files are created:

Non-malicious file:
   • C:\%malware execution directory%\script.vbs

C:\%malware execution directory%\batscript.vbs
It is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as: EXP/Pidief.blo

C:\%malware execution directory%\game.exe
It is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as: TR/Spy.Bezopi.A

Email

It does not have its own spreading routine, but it was spammed out via email. The characteristics of the email are described below:


From:
The sender address is spoofed.


Subject:
The following:
   • setting for your mailbox are changed



Body:
The body of the email is the following:
   • SMTP and POP3 server for %random character string% mailbox are changed. Please carefully read the attached instructions before updating settings.


Attachment:
The filename of the attachment is:
   • doc.pdf

The attachment is a copy of the malware itself.

Description inserted by Thomas Wegele on Wednesday, April 28, 2010
Description updated by Thomas Wegele on Wednesday, April 28, 2010
