Easy Online Tips

Tuesday, March 14, 2006


PE_ICABDI.A is non-destructive proof-of-concept malware that attempts to infect Microsoft InfoPath .XSN files. InfoPath is an application used to develop XML-based user forms. This file infector is currently spreading in the wild and infecting computers running Windows 2000, XP, and Server 2003.

The malware creates a temporary folder named iCab, then copies the XSN file it is attempting to infect into that folder. The contents of the file are then extracted.

To infect the XSN file, it inserts a malicious script into the script.js of the target XSN file. To clean up traces of its routine, it then attempts to recreate the original (now infected) file and delete iCab and all its contents. However, due to errors in its code, it is unable to perform its file infection and cleanup routines.
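A triage check for the residue described above, added here as an example and not part of the original post: it looks for folders named iCab that still hold a copied XSN file or an extracted script.js. It assumes the failed cleanup leaves the folder on disk; the function names and sample file names are constructed for illustration.

```python
import os
import tempfile

CAB_MAGIC = b"MSCF"  # .XSN form templates are cabinet (CAB) archives

def is_cab(path):
    """True if the file starts with the cabinet signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == CAB_MAGIC
    except OSError:
        return False

def find_icab_residue(root):
    """Report every folder named iCab under root and what was left in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() != "icab":
            continue
        xsn = sorted(f for f in files if f.lower().endswith(".xsn")
                     and is_cab(os.path.join(dirpath, f)))
        # Extracted template contents may sit in the folder or below it.
        has_script = any(f.lower() == "script.js"
                         for _p, _d, fs in os.walk(dirpath) for f in fs)
        findings.append({"folder": dirpath, "xsn_copies": xsn,
                         "extracted_script": has_script})
    return findings

def build_sample_tree(root):
    """Constructed sample data, not taken from a real infection."""
    residue = os.path.join(root, "Temp", "iCab")
    forms = os.path.join(root, "Forms")
    os.makedirs(residue)
    os.makedirs(forms)
    samples = {
        os.path.join(residue, "expense.xsn"): CAB_MAGIC + b"\x00" * 32,
        os.path.join(residue, "notes.xsn"): b"not a cabinet",
        os.path.join(residue, "script.js"): b"// extracted form script\n",
        os.path.join(forms, "report.xsn"): CAB_MAGIC + b"\x00" * 32,
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_icab_residue(tmp):
            print(hit)
```

A hit is a lead for further review of the original form template, not proof of infection, since other software may use a folder with the same name.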

