We recently discovered a Trojan that mimics a PDF file.

In fact, it was a PE EXE file, 474484 bytes in size and detected as Backdoor.Win32.Buterat (MD5: bd25188f88cfa163f8311460e0ffeae4) which extracts and opens a PDF file on the infected machine. An interesting peculiarity of the file is that the PDF document is titled “Letter to President Obama November”. Once executed, the backdoor opens this harmless PDF to draw attention away from a backdoor having just been installed on the system.

The document’s full title is “Letter to President Obama regarding His Planned Visit to Burma” from Aung Ding, Executive Director of U.S. Campaign for Burma and dated by November 7, 2012.

The letter is available on the Internet and can be downloaded from http://freebeacon.com/wp-content/uploads/2012/11/Letter-to-President-Obama-November-7-2012.pdf.

As a result of infection by the Buterat backdoor, the user will find the following file on their system:

c:\Documents and Settings\test\Local Settings\Application Data\Update.exe

According to the header of the file the Trojan file was compiled at November 14, 2012.

It is 128000 bytes in size, MD5: 85e180e3b014a2a569904c8095d81581 and detected by 12 antiviruses from 45 on VirusTotal:

After installation it connects to a C&C server, sends the bot’s registration information and waits for commands:

hxxp://mncgn.51vip.biz/systen&cp=TEST-E3B64054CD&log=1343205727&index=690218

Opening documents and showing picturesque content is a commonly used social engineering trick which we also have met when describing the “Mahdi” PowerPoint exploit in July’s Security Bulletin. The purpose of Mahdi’s presentations was also to distract users’ attention from the process of the exploit’s activation and subsequent download of new pieces of malware to the victim’s computer.