Home > Emerging Threats, malware report > Malicious CHM

Malicious CHM

I was cleaning up my messy folders when I bumped on this file – chungtak.chm. I reckon, it was the malicious CHM file spreading around early March of this year.

Is this another exploited file ? Let’s take a look …

CHM Basic File Structure

Microsoft’s HTML Help CHM format starts with 38 bytes of header information and then followed by header sections which contains information such as total filesize and directory list.

This header is followed by directory chunks which consist of index and listing chunks.

The content is self explanatory while the section data is actually part of the content which associates other related files. The section data could contain compressed or uncompressed data. The compressed section uses LZX compression method, which is popularly used in Microsoft cabinet files.

[Read Matthew T. Russotto CHM file format]

With this basic information, let’s investigate the suspicious file – chungtak.chm.

1 – Chungtak.chm
2 – Using CHM decoder tool, these files were extracted.
3 – Chungtak.chm main page is Index.htm. Index.htm contains a malicious code that allows music.exe to execute.
4 – music.exe is a Trojan Dropper. A good analysis posted in McAfee Avert Labs Blog last March 11.

So, what happened? The CHM file is not exploited instead the malicious user uses a legitimate feature that allows an external local file execute by linking it to the chm. [Read CHM Linking Tips]

  1. No comments yet.
  1. August 5, 2009 at 8:09 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: