Exploit.MIDI.CVE-2012-0003

by Atlantis on March 30th, 2012 in Malware Descriptions.

Detect: Exploit.MIDI.CVE-2012-0003

Platform: MIDI

Type: Exploit

Size: 16447 bytes

md5: 17CA100FA300A1529AA9B144F02A1B7B

sha1: 406D33B0B284C3D33900050D9B188390431263EA

Summary

This exploit downloads other malicious programs from the Internet and launches them without the user's knowledge.

Technical Details

Payload

A malicious web page contains an ActiveX component (CLSID: 22d6f312-b0f6-11d0-94ab-0080c74c7e95) which loads a specially crafted MIDI file.

When the malicious program runs, it exploits a heap overflow vulnerability. The vulnerability lies in the "midiOutPlayNextPolyEvent" function of the "winmm.dll" library. As a result, malicious code is executed that downloads a file from the following URL:

http://image***op.com/tdc.exe

The URL was not responding when this description was written. The downloaded file is saved as:

%AppData%\a.exe

After downloading, the file is decrypted and launched.

Removal Recommendations

To remove the malicious program, follow the steps below:

  1. Delete the original Trojan file (its location on the infected PC depends on how the program was installed).
  2. Delete the following file:
     %AppData%\a.exe
  3. Clear the Temporary Internet Files folder, which contains the infected files.
  4. Run a full scan of the computer using antivirus software with an up-to-date definition database.