I was cleaning up my messy folders when I bumped into this file – chungtak.chm. I reckon it was the malicious CHM file spreading around early March of this year.
Is this another exploited file? Let’s take a look …
CHM Basic File Structure
Microsoft’s HTML Help CHM format starts with 38 bytes of header information, followed by header sections that contain information such as the total file size and the directory listing.
This header is followed by directory chunks, which consist of index and listing chunks.
The content is self-explanatory, while the section data is the part of the content that associates the other related files. Section data can be compressed or uncompressed; the compressed form uses the LZX compression method, which is widely used in Microsoft cabinet files.
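To make the layout above concrete, here is an added example (my own triage helper, not code from the original post or from any CHM tool) that decodes the fixed ITSF header and its header-section table, then cross-checks what the header claims against the bytes: the file size stored in section 0, and the ITSP directory header and chunk count in section 1. The field offsets follow the publicly documented ITSF/ITSP layout as I know it; the 38 in the text corresponds to the hex header length 0x38 (56 bytes). The sample container is constructed in `build_sample_chm()` and is not chungtak.chm.

```python
import struct
import sys

ITSF_HEADER_LEN = 0x38      # 56 bytes: "ITSF", version, header length, unknown, timestamp, language id, two GUIDs
SECTION_TABLE_LEN = 2 * 16  # two (offset, length) QWORD pairs for header sections 0 and 1
ITSP_HEADER_LEN = 0x54      # fixed header at the start of the directory section


def parse_itsf_header(data: bytes) -> dict:
    """Decode the fixed ITSF header and its section table; raise ValueError if it is not a plausible CHM."""
    if len(data) < ITSF_HEADER_LEN + SECTION_TABLE_LEN:
        raise ValueError("too small to hold an ITSF header")
    sig, version, header_len, _unknown, timestamp, lang_id = struct.unpack_from("<4sIIIII", data, 0)
    if sig != b"ITSF":
        raise ValueError("bad signature %r, expected b'ITSF'" % (sig,))
    if version not in (2, 3):
        raise ValueError("unexpected ITSF version %d" % version)
    sec0_off, sec0_len, sec1_off, sec1_len = struct.unpack_from("<QQQQ", data, ITSF_HEADER_LEN)
    info = {"version": version, "header_len": header_len, "timestamp": timestamp, "lang_id": lang_id,
            "section0": (sec0_off, sec0_len),   # file-size section
            "section1": (sec1_off, sec1_len)}   # directory section: ITSP header followed by chunks
    if version >= 3:
        # version 3 stores the offset of the content section right after the section table
        if len(data) < ITSF_HEADER_LEN + SECTION_TABLE_LEN + 8:
            raise ValueError("truncated version-3 header")
        (info["content_offset"],) = struct.unpack_from("<Q", data, ITSF_HEADER_LEN + SECTION_TABLE_LEN)
    return info


def check_layout(data: bytes, info: dict) -> list:
    """Cross-check header claims against the bytes; return a list of problems (empty means consistent)."""
    problems = []
    expected_len = ITSF_HEADER_LEN + SECTION_TABLE_LEN + (8 if info["version"] >= 3 else 0)
    if info["header_len"] != expected_len:
        problems.append("header length field %d != expected %d" % (info["header_len"], expected_len))
    sec0_off, sec0_len = info["section0"]
    sec1_off, sec1_len = info["section1"]
    if sec0_off + sec0_len > len(data) or sec1_off + sec1_len > len(data):
        problems.append("header section lies beyond end of data")
        return problems
    # section 0 stores the total file size as a QWORD at offset 8
    (claimed_size,) = struct.unpack_from("<Q", data, sec0_off + 8)
    if claimed_size != len(data):
        problems.append("file size in section 0 (%d) != actual size (%d)" % (claimed_size, len(data)))
    # section 1 is the directory and must begin with an ITSP header
    if data[sec1_off:sec1_off + 4] != b"ITSP":
        problems.append("directory section does not start with ITSP")
        return problems
    _sig, _ver, itsp_len, _unk, chunk_size = struct.unpack_from("<4sIIII", data, sec1_off)
    (num_chunks,) = struct.unpack_from("<I", data, sec1_off + 44)
    if itsp_len != ITSP_HEADER_LEN:
        problems.append("unexpected ITSP header length %d" % itsp_len)
    if itsp_len + num_chunks * chunk_size > sec1_len:
        problems.append("directory chunks (%d x %d bytes) overrun section 1" % (num_chunks, chunk_size))
    info["chunk_size"], info["num_chunks"] = chunk_size, num_chunks
    return problems


def build_sample_chm() -> bytes:
    """Constructed fixture: a minimal version-3 CHM skeleton with one empty listing chunk (not a real file)."""
    chunk_size = 0x1000
    header_len = ITSF_HEADER_LEN + SECTION_TABLE_LEN + 8        # 0x60 for version 3
    sec0_off, sec0_len = header_len, 24
    sec1_off, sec1_len = sec0_off + sec0_len, ITSP_HEADER_LEN + chunk_size
    content_off = sec1_off + sec1_len
    total = content_off                                         # no content section in the fixture
    itsf = struct.pack("<4sIIIII", b"ITSF", 3, header_len, 0, 0, 0x0409) + bytes(32)   # GUIDs zeroed
    table = struct.pack("<QQQQQ", sec0_off, sec0_len, sec1_off, sec1_len, content_off)
    sec0 = struct.pack("<IIQII", 0x01FE, 0, total, 0, 0)
    itsp = struct.pack("<4sIIII", b"ITSP", 1, ITSP_HEADER_LEN, 0x0A, chunk_size)
    itsp += struct.pack("<IIIIIII", 2, 1, 0xFFFFFFFF, 0, 0, 0xFFFFFFFF, 1)   # density, depth, root, first, last, unk, chunks
    itsp += struct.pack("<I", 0x0409) + bytes(16)
    itsp += struct.pack("<IIII", ITSP_HEADER_LEN, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)
    chunk = b"PMGL" + struct.pack("<IIii", chunk_size - 20, 0, -1, -1)   # empty listing chunk
    chunk += bytes(chunk_size - len(chunk))
    return itsf + table + sec0 + itsp + chunk


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_chm()
    hdr = parse_itsf_header(blob)
    issues = check_layout(blob, hdr)
    print(hdr)
    print("layout consistent" if not issues else "\n".join(issues))
```

Run it with a path to a .chm to print the header fields and any inconsistencies; with no argument it checks the constructed fixture. A header whose size or section offsets disagree with the actual bytes is worth a closer look before handing the file to a full decoder.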
With this basic information, let’s investigate the suspicious file – chungtak.chm.
1 – Chungtak.chm
2 – Using a CHM decoder tool, these files were extracted.
3 – Chungtak.chm’s main page is Index.htm, which contains malicious code that allows music.exe to execute.
4 – music.exe is a Trojan dropper; a good analysis was posted on the McAfee Avert Labs Blog last March 11.
So, what happened? The CHM file is not exploited; instead, the malicious user uses a legitimate feature that allows an external local file to execute by linking it from the CHM. [Read CHM Linking Tips]
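Since no file-format exploit is involved, the useful check for a defender is on the extracted content rather than the container: does the CHM carry executables, and does any page embed an object or link that points at one? The following is an added triage script (mine, not from the original post) covering steps 2 to 4 above. The file listing and the Index.htm-style page are constructed samples; the classid value is a placeholder, not the one from the real file.

```python
import re

# file extensions a defender would not expect inside a help file's content or its pages' links
EXEC_EXT = re.compile(r"\.(?:exe|com|scr|pif|bat|cmd|vbs|js|hta)(?![\w.])", re.IGNORECASE)
OBJECT_TAG = re.compile(r"<object\b[^>]*\bclassid\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
PARAM_TAG = re.compile(
    r"<param\b[^>]*\bname\s*=\s*[\"']?([^\"'\s>]+)[^>]*\bvalue\s*=\s*[\"']([^\"']*)[\"']", re.IGNORECASE)
LINK_ATTR = re.compile(r"\b(?:href|src)\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def triage_listing(names):
    """Step 2: from the names extracted by the decoder, return those that are executables."""
    return [n for n in names if EXEC_EXT.search(n)]


def triage_html(html):
    """Step 3: flag embedded objects and any param/link that references an executable.

    Returns a list of (kind, detail) tuples; an empty list means nothing suspicious was seen.
    """
    findings = []
    for m in OBJECT_TAG.finditer(html):
        findings.append(("object-classid", m.group(1)))          # help pages rarely need ActiveX objects
    for m in PARAM_TAG.finditer(html):
        name, value = m.group(1), m.group(2)
        if EXEC_EXT.search(value):
            findings.append(("param-exec", "%s=%s" % (name, value)))
    for m in LINK_ATTR.finditer(html):
        if EXEC_EXT.search(m.group(1)):
            findings.append(("link-exec", m.group(1)))
    return findings


def triage(names, pages):
    """Combine both checks: names is the extracted listing, pages maps page name -> HTML text."""
    report = {"executables": triage_listing(names), "pages": {}}
    for page, html in pages.items():
        hits = triage_html(html)
        if hits:
            report["pages"][page] = hits
    return report


# constructed samples (placeholder classid; not the contents of chungtak.chm)
SAMPLE_LISTING = ["Index.htm", "music.exe", "#SYSTEM", "#STRINGS"]
SAMPLE_INDEX = """<html><head><title>Index</title></head><body>
<object id="launcher" classid="clsid:PLACEHOLDER-CLSID">
  <param name="target" value="music.exe">
</object>
<a href="Index.htm">home</a>
</body></html>"""
BENIGN_PAGE = '<html><body><a href="page2.htm">next</a><img src="logo.gif"></body></html>'

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING, {"Index.htm": SAMPLE_INDEX, "page2.htm": BENIGN_PAGE})
    print("executables in archive:", result["executables"])
    for page, hits in result["pages"].items():
        for kind, detail in hits:
            print("%s: %s -> %s" % (page, kind, detail))
```

Feed it the decoder's output (the extracted file names and each page's HTML) and a help file that bundles an .exe and a page referencing it stands out immediately, which is exactly what steps 2 and 3 found by hand.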