by Atlantis on March 30th, 2012 in Malware Descriptions.

Detect: Exploit.MIDI.CVE-2012-0003

Platform: MIDI

Type: Exploit

Size: 16447 bytes

md5: 17CA100FA300A1529AA9B144F02A1B7B

sha1: 406D33B0B284C3D33900050D9B188390431263EA


This exploit downloads other malicious programs from the Internet and launches them without the user’s knowledge.

Technical Details


A malicious web page contains an ActiveX component (CLSID: 22d6f312-b0f6-11d0-94ab-0080c74c7e95) which uses a specially crafted MIDI file.

When the exploit runs, it exploits a heap overflow vulnerability in the "midiOutPlayNextPolyEvent" function of the "winmm.dll" library. The malicious code that then executes downloads a file from the following URL:


The URL did not respond when the description was created. The downloaded file is saved as:


After downloading, the file is decrypted and launched.
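
A detection sketch for the indicators given above, added here as an example and not part of the original description: it flags saved web pages that hand a MIDI file to the ActiveX component with the listed CLSID, and checks a file against the listed MD5 and SHA1. It assumes the MIDI file is referenced through a `<param>` value ending in `.mid` or `.midi`; the sample page is constructed.

```python
import hashlib
from html.parser import HTMLParser

# Values taken from the description above.
CLSID = "22d6f312-b0f6-11d0-94ab-0080c74c7e95"
SAMPLE_MD5 = "17ca100fa300a1529aa9b144f02a1b7b"
SAMPLE_SHA1 = "406d33b0b284c3d33900050d9b188390431263ea"
MIDI_EXTS = (".mid", ".midi")  # assumption: MIDI is referenced by file extension
# Constructed sample page, for illustration only.
SAMPLE_PAGE = ('<object classid="clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95">'
               '<param name="FileName" value="track.mid"></object>')

class MidiObjectFinder(HTMLParser):
    """Collects MIDI URLs passed to <object> elements that carry the CLSID."""

    def __init__(self):
        super().__init__()
        self.depth = 0      # >0 while inside a matching <object>
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            classid = a.get("classid", "").lower().replace(" ", "")
            if self.depth or classid in ("clsid:" + CLSID, "clsid:{" + CLSID + "}"):
                self.depth += 1
        elif tag == "param" and self.depth:
            value = a.get("value", "").strip()
            # Ignore query string and fragment before testing the extension.
            path = value.split("?")[0].split("#")[0].lower()
            if path.endswith(MIDI_EXTS):
                self.hits.append(value)

    def handle_endtag(self, tag):
        if tag == "object" and self.depth:
            self.depth -= 1

def find_midi_objects(html):
    """Return MIDI URLs handed to the ActiveX component in `html`."""
    finder = MidiObjectFinder()
    finder.feed(html)
    return finder.hits

def matches_sample(data):
    """True if `data` hashes to the MD5 and SHA1 listed in the description."""
    return (hashlib.md5(data).hexdigest() == SAMPLE_MD5
            and hashlib.sha1(data).hexdigest() == SAMPLE_SHA1)
```

A hit from `find_midi_objects` only means the page plays a MIDI file through that component, so treat it as a triage signal and confirm with the hash check or an antivirus scan.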

Removal Recommendations

To delete the malicious program, follow the steps below:

  1. Delete the original Trojan file (its location on the infected PC depends on the way the program has been installed on the PC).
  2. Delete the following file:
     %AppData%\a.exe
  3. Clean the Temporary Internet Files folder which contains infected files.
  4. Run a full scan of your computer using the Antivirus program with the updated definition database.