posted on Mar, 10 2009 @ 05:18 AM
Interesting string from PIFTS.EXE:
A PDB, or "Program Database" file, is a separate file that is created when a C/C++ program is compiled by Microsoft Visual C++. It contains
debugging information, and is usually not distributed with the EXE file.
This fully-qualified path to the PDB seems to indicate that PIFTS.EXE belongs to a set of 'patch' tools. It's unknown whether the Perforce depot
(a source code version control system) that's referred to in the path is Symantec's.
Looking further at the EXE, this is a C++ STL program, console mode, compiled with Microsoft C++. Of interest is the 'imports' section, which
allows the program to connect to operating system functions. It seems fairly simple: there's find/load/lock resource, which allows information in
the resource segment of the EXE file to be accessed by the program; various file functions such as getting timestamps, creating and writing to files;
registry access functions; some OLE automation; and, interestingly, access to the InternetOpen APIs provided by wininet.dll.
At a first, and very brief, glance, this would appear to be a program that connects to the internet and downloads files, writing them on the local
machine. That's consistent with the depot naming of this as some kind of 'patch' tool. (That's just speculation, without a controlled analysis
in a virtual machine.)
Of course, what is downloaded, why, and what that does, is a mystery - and Symantec's response (or lack thereof) to questions in
this situation is quite suspicious.
[edit on March 10th 2009 by Ian McLean]
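The two checks the post above describes by hand (pulling the embedded PDB path out of the binary, and eyeballing the imported API names for network, file, registry and resource access) can be done as a first-pass static triage script. The following is an added example, not the poster's code and not run against the real PIFTS.EXE: it parses the CodeView "RSDS" debug record (the format Visual C++ uses to reference a PDB: the magic, a 16-byte GUID, a 4-byte age, then a NUL-terminated path) and string-scans for Win32 API names grouped by capability. The sample input, the PDB path in it and the capability map are all constructed for illustration; a proper import-table walk (for example with a PE parser that follows the import directory) is the authoritative version of the second check, since a string match can hit data that is not actually imported.

```python
import re
import struct
from collections import defaultdict

# Win32 API names grouped by the capability they suggest. Illustrative subset,
# assembled for this example; not an exhaustive or authoritative list.
CAPABILITIES = {
    "network": {"InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW",
                "InternetReadFile", "HttpOpenRequestA", "URLDownloadToFileA"},
    "filesystem": {"CreateFileA", "CreateFileW", "WriteFile", "GetFileTime", "SetFileTime"},
    "registry": {"RegOpenKeyExA", "RegOpenKeyExW", "RegQueryValueExA", "RegSetValueExA"},
    "resources": {"FindResourceA", "FindResourceW", "LoadResource", "LockResource", "SizeofResource"},
}
# DLL names (matched case-insensitively) whose presence alone is worth noting.
DLLS_OF_INTEREST = {b"wininet.dll": "network", b"advapi32.dll": "registry", b"oleaut32.dll": "ole automation"}

RSDS_MAGIC = b"RSDS"


def extract_pdb_paths(data: bytes):
    """Return every PDB reference stored in a CodeView 'RSDS' record.

    Record layout: b'RSDS' | 16-byte GUID | 4-byte age (little-endian) | NUL-terminated UTF-8 path.
    This scans the whole image for the magic; a stricter tool would locate the record
    via the PE debug directory instead, so a stray 'RSDS' in data cannot produce a hit.
    """
    paths = []
    pos = 0
    while True:
        pos = data.find(RSDS_MAGIC, pos)
        if pos < 0:
            break
        hdr = pos + len(RSDS_MAGIC)
        if hdr + 20 > len(data):          # truncated record: GUID + age do not fit
            break
        guid = data[hdr:hdr + 16]
        (age,) = struct.unpack_from("<I", data, hdr + 16)
        end = data.find(b"\x00", hdr + 20)
        if end < 0:                       # unterminated path runs to end of file
            end = len(data)
        path = data[hdr + 20:end].decode("utf-8", errors="replace")
        paths.append({"offset": pos, "guid": guid.hex(), "age": age, "path": path})
        pos = end
    return paths


def ascii_strings(data: bytes, min_len: int = 4):
    """Printable-ASCII runs of at least min_len bytes, like the classic 'strings' tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_imports(data: bytes):
    """Group API names and DLL names seen in the image by the capability they imply."""
    strings = set(ascii_strings(data))
    found = defaultdict(set)
    for capability, names in CAPABILITIES.items():
        for name in names & strings:
            found[capability].add(name)
    lowered = data.lower()
    dlls = {dll.decode(): cap for dll, cap in DLLS_OF_INTEREST.items() if dll in lowered}
    return {"capabilities": {k: sorted(v) for k, v in found.items()}, "dlls": dlls}


def build_sample() -> bytes:
    """Constructed stand-in for a PE image (NOT the real PIFTS.EXE; path and GUID are made up)."""
    guid = bytes(range(16))
    rsds = RSDS_MAGIC + guid + struct.pack("<I", 3) + b"c:\\depot\\patchtools\\bin\\sample.pdb\x00"
    import_names = [b"KERNEL32.dll", b"WININET.dll", b"ADVAPI32.dll", b"OLEAUT32.dll",
                    b"InternetOpenA", b"InternetReadFile", b"CreateFileA", b"WriteFile",
                    b"GetFileTime", b"RegOpenKeyExA", b"RegQueryValueExA",
                    b"FindResourceA", b"LoadResource", b"LockResource", b"SysAllocString"]
    return b"MZ" + b"\x00" * 62 + rsds + b"\x00" * 8 + b"\x00".join(import_names) + b"\x00"


if __name__ == "__main__":
    sample = build_sample()
    for rec in extract_pdb_paths(sample):
        print(f"PDB @0x{rec['offset']:x} age={rec['age']} guid={rec['guid']}: {rec['path']}")
    report = triage_imports(sample)
    for capability, names in report["capabilities"].items():
        print(f"{capability:>11}: {', '.join(names)}")
    print("DLLs of interest:", report["dlls"])
```

Run against a real sample, the PDB path is the same kind of evidence the post relies on (build-tree layout, depot name), and the capability summary reproduces the "downloads something, writes files, touches the registry" picture in a repeatable way. It is still static triage: it says what the binary can call, not what it does, so the controlled run in a virtual machine the post asks for remains the next step.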