Trojan.Pidief


Risk Level 2: Low

December 17, 2009
May 8, 2014 2:28:58 PM
Infection Length:
Systems Affected:
CVE References:
CVE-2007-5020, CVE-2007-5659, CVE-2007-5663, CVE-2007-5666, CVE-2008-0655, CVE-2008-0667, CVE-2008-0726, CVE-2008-2042, CVE-2008-2992, CVE-2009-0658, CVE-2009-0927, CVE-2009-4324, CVE-2010-0188, CVE-2010-1297, CVE-2013-0640, CVE-2013-0641, CVE-2014-5256
Trojan.Pidief is a detection for a family of Trojans that exploit one or more Adobe Reader and Acrobat vulnerabilities in order to drop or download additional malware onto the compromised computer.


Typically an attacker would entice a user to click on a malicious link or send a malicious PDF by email. Email has proven to be an efficient technique that has allowed this Trojan to reach large numbers of computers in a short space of time. The content of the spam emails constantly varies, so users should always be vigilant about any PDF documents that they receive by email.

The Trojan may also arrive on a computer as a result of websites that contain exploit packs. These websites contain functionality that may allow a remote attacker to identify which vulnerabilities exist on a certain computer. Once the vulnerability has been identified, the attacker can exploit it to perform further malicious activities on the compromised computer.

Malicious PDF files are often used in targeted attacks on individuals or select groups within organizations. The aim of such attacks varies but may involve collection and theft of sensitive and proprietary information. In these attacks, the threats operate in a stealthy manner, trying to remain undetected for as long as possible in order to maximize the amount of information that can be stolen.

The malicious PDF file typically contains an exploit. When the file is opened, the exploit code runs and then other files are dropped and executed. Alternatively, files may also be downloaded and installed. This threat family is known to be associated with dropping or downloading other threats such as Backdoor.Trojan and Infostealer.
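A static triage pass for PDF email attachments, looking for the active-content names that PDFs commonly use to run code or carry a payload when opened. This is an added example, not Symantec's detection logic; the marker list, weights, thresholds and sample bytes are assumptions constructed for illustration.

```python
import re

# Names that make a PDF run code or carry a payload when it is opened.
# The list and weights are assumptions of this example.
ACTIVE_NAMES = {
    "JavaScript": 3, "JS": 3,    # embedded script
    "OpenAction": 2, "AA": 2,    # actions that fire without a click
    "Launch": 3,                 # starts an external program
    "EmbeddedFile": 2,           # attached file that can be written to disk
    "RichMedia": 2, "XFA": 1,    # Flash and XML-forms content
}
NAME_RE = re.compile(rb"/((?:[A-Za-z0-9_.\-]|#[0-9A-Fa-f]{2})+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #xx escapes in a PDF name, so J#61vaScript reads as JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count active-content names in raw PDF bytes and derive a review verdict."""
    counts, obfuscated = {}, set()
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name in ACTIVE_NAMES:
            counts[name] = counts.get(name, 0) + 1
            if b"#" in m.group(1):   # a hex-escaped keyword is itself suspicious
                obfuscated.add(name)
    score = sum(ACTIVE_NAMES[n] for n in counts) + 2 * len(obfuscated)
    verdict = "quarantine" if score >= 5 else "review" if score else "pass"
    return {"is_pdf": b"%PDF-" in data[:1024], "counts": counts,
            "obfuscated": sorted(obfuscated), "score": score, "verdict": verdict}

# Constructed samples (inert text, not real malware).
SAMPLE_SUSPECT = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                  b"2 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n%%EOF\n")
SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, triage_pdf(blob))
```

Names stored inside compressed object streams are not visible to a raw byte scan like this, so a "pass" result only means nothing was found in the uncompressed parts of the file.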


Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Browser protection
Symantec Browser Protection is known to be effective at preventing some infection attempts made through the Web browser.

Intrusion Prevention System

Symantec Endpoint Protection – Application and Device Control
Symantec Security Response has developed an Application and Device Control (ADC) Policy for Symantec Endpoint Protection to protect against the activities associated with this threat. ADC policies are useful for reducing the risk of a threat infecting a computer, preventing the unintentional removal of data, and restricting the programs that are run on a computer.

This particular ADC policy can be used to help combat an outbreak of this threat by slowing down or eliminating its ability to spread from one computer to another. If you are experiencing an outbreak of this threat in your network, please download the policy.

To use the policy, import the .dat file into your Symantec Endpoint Protection Manager. When distributing it to client computers, we recommend using it in Test (log only) mode initially in order to determine the possible impacts of the policy on normal network/computer usage. After observing the policy for a period of time, and determining the possible consequences of enabling it in your environment, deploy the policy in Production mode to enable active protection.

For more information on ADC policies and how to manage and deploy them throughout your organization, please refer to the Symantec Endpoint Protection Administration Manual (PDF).

Note: The ADC policies developed by Security Response are recommended for use in outbreak situations. While useful in such situations, due to their restrictive nature they may cause disruptions to normal business activities.

Antivirus Protection Dates

  • Initial Rapid Release version December 17, 2009 revision 001
  • Latest Rapid Release version March 23, 2018 revision 005
  • Initial Daily Certified version December 17, 2009 revision 005
  • Latest Daily Certified version March 23, 2018 revision 003
  • Initial Weekly Certified release date December 23, 2009
Writeup By: Éamonn Young and Hon Lau
