Sourabh Kadam contributed to this blog.
In the middle of 2012 McAfee Labs observed the complex malware XDocCrypt infecting documents, Excel workbooks, and executable files. Recently we have seen a similar infection method that attacks PDF, MSI (Windows installer), and executables, though the current malware is not as complex as XDocCrypt.
W32/PDFCrypt is not complex. The coding standards, propagation methods, stealth mechanism, and the payload binaries clearly indicate that this author is a novice.
W32/PDFCrypt adds selective parasitic capabilities to infect PDF, MSI, and executable files–the last named setup.exe (all lowercase)–as shown in the following screen capture, which names the file types that this malware can infect. Infections occur only through removable media and writable mapped network drives. We saw no infections on the local host. Nothing appeared to happen during the first 30 minutes, but then the malware started to work.
The hijacked original files are compressed using the APLIB compression library. Then the original file is replaced with the infected executable and the compressed data (original file) is added in resource data directory “RT_DATA 2AF8”.
Though coded to infect PDF, MSI, and setup.exe files, we saw active infections only on PDFs. This malware did not have the intelligence to check for the actual file type; rather it just read the file extension.
The malware decompresses the original file (pdf, msi, exe) and copies it to %temp% with a random name. It then executes the original file from %temp% along with the following files. The malware creates these files if they do not exist:
• %APPDATA%\SoftwareProtectionPlatform\sppc.exe
• %WINDIR%\SYSTEM32\wsauth.exe
• \temp.exe
Wsauth.exe runs as a service and hides from Windows Explorer by hooking the function NtQueryDirectoryFile in ntdll.dll.
We saw temp.exe, which ensures the host becomes infected, only on removable media. It has the icon of a folder to lure users.
This malware does not ask for any ransom to decompress the original files–unlike the ransomware CryptoLocker. W32/PDFCrypt spies on its victims, collecting user data by hooking onto browsers such as Internet Explorer, Firefox, and Chrome.
The malware gathers the following information from the compromised system:
After a delay of around 45 minutes, the malware downloaded an old Conficker worm, which McAfee has detected since January 2013.
The resource data directory contained the following DLLs and corresponding resource IDs.
DLL name |
Resource ID |
32-bit aplib.dll | 6Ah |
64-bit aplib.dll | 6Bh |
client.dll | 65h |
client64.dll | 66h |
miniresources.dll | 69h |
The files client.dll, on 32-bit machines, and client64.dll, on 64-bit machines, are the main infectors. Once in the memory of explorer.exe, this file carries out the complete infection cycle. Client*.dll uses the file *bit aplib.dll to compress the target files. It also runs the file wsauth.exe as a service component.
The miniresource.dll file hosts the icons for PDF and MSI files. The icon and resource information of the original executable is reused by the infected file. Miniresource.dll builds the resource information on the infected executable.
Like Conficker, this malware can generate domains using the Domain Generation Algorithmand uses DNS to check the status of the remote host. Once connected to a live server, the malware downloads further payloads, in our case Conficker. W32/PDFCrypt can also connect to remote control servers.
This malware is not widespread at this point. We have seen it in very few places around the world. McAfee DATs detect the dropper component. Infected PDF and exe files can be restored using the latest beta DATs and the McAfee Stinger tool.