Exploit-TaroDrop
- Type: Trojan
- SubType: Exploit
- Discovery Date: 08/17/2006
- Length: Varies
- Minimum DAT: 4832 (08/18/2006)
- Updated DAT: 5329 (07/01/2008)
- Minimum Engine: 5.1.00
- Description Added: 08/17/2006
- Description Modified: 04/09/2007 12:51 AM (PT)
Overview
-- Update: April 9, 2007 ---
New variants exploiting a new 0-day vulnerability are being detected as Exploit-TaroDrop.b in DAT version 5005 and newer.
-- Update: April 6, 2007 ---
A 0-day vulnerability has been discovered. McAfee Avert Labs has informed the software vendor and a patch is being developed by the vendor to deal with this vulnerability. The new exploit was proactively detected as Exploit-OleDropper since the 4995 DAT (Release Date: March 29, 2007) when the program heuristics are enabled via the McAfee command-line scanner and gateway product.
-- Update: September 28, 2006 ---
JustSystem has released a patch for the vulnerability, see:
http://www.justsystem.co.jp/info/pd6003.html (in Japanese)
-- Update: September 27, 2006 ---
A 0-day vulnerability has been discovered in the wild in the JustSystem Ichitaro program, delivered through documents with the "JTD" extension. McAfee Avert Labs has informed the software vendor and a patch is being developed by the vendor to deal with this vulnerability.
Japanese users of this application may find more information on the vulnerability and its patch at:
http://www.justsystem.co.jp/info/pd6003.html?w=hmidx (in Japanese)
The new exploit was proactively detected as Exploit-TaroDrop since the 4844 DAT (Release Date: September 4, 2006) when the program heuristics are enabled via the McAfee command-line scanner and gateway product.
--
Exploit-TaroDrop is a trojan that is delivered via a specially crafted Ichitaro document. Ichitaro is a Japanese word processing application provided by JustSystem. The crafted document exploits an undocumented vulnerability in JustSystem Ichitaro version 9 and later. When the exploit succeeds, it drops and executes a malicious Win32 executable embedded inside the document.
At the time this description was written, a patch for the vulnerability was still being developed by the vendor; see the dated updates above for the patch release. Japanese users of this application may find more information on the vulnerability and its patch at:
- http://www.justsystem.co.jp/info/pd6002.html?w=hmidx (in Japanese)
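The mechanism described above, a document that carries a Win32 executable which the exploit drops and runs, is what generic "OLE dropper" style heuristics look for: a PE image sitting inside a file that should only contain document data. The script below is an added example written for this page, not McAfee's or JustSystem's code. It scans a document for embedded PE images, validates each candidate by walking the DOS header, PE signature, COFF header and section table, and works out how far the payload extends so it can be carved. The sample document it builds is a constructed byte string (an OLE2 signature, filler text, a decoy "MZ", a minimal PE32 image), not a real JTD file; the e_lfanew bound and the section-count limit are heuristics of this example, and the JTD stream layout itself is not parsed.

```python
import struct

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound-document signature
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_at(data, off):
    """Validate a candidate PE image at data[off]; return (end_offset, info) or None.

    Walks DOS header -> PE signature -> COFF header -> section table and computes
    where the image ends in the file so the payload can be carved out.
    """
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    # Heuristic bound (this example's choice): real binaries keep e_lfanew small;
    # huge values are usually text that happens to start with "MZ".
    if e_lfanew < 0x40 or e_lfanew > 0x1000:
        return None
    pe = off + e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    if nsect == 0 or nsect > 96 or not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        return None
    opt = pe + 24
    if opt + 2 > len(data) or struct.unpack_from("<H", data, opt)[0] not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    sect_tab = opt + opt_size
    end = sect_tab + 40 * nsect                 # end of headers, as an absolute file offset
    if end > len(data):
        return None
    for i in range(nsect):
        _, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_tab + 40 * i)
        if raw_size:
            end = max(end, off + raw_ptr + raw_size)   # PointerToRawData is relative to the image start
    truncated = end > len(data)                 # payload cut off: report what is actually present
    end = min(end, len(data))
    info = {"offset": off, "size": end - off, "machine": machine, "sections": nsect,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "truncated": truncated}
    return end, info


def find_embedded_pe(data):
    """Return validated PE images found anywhere inside `data` (decoy 'MZ' strings are skipped)."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        parsed = parse_pe_at(data, pos)
        if parsed:
            end, info = parsed
            hits.append(info)
            pos = data.find(b"MZ", end)          # resume after the carved image
        else:
            pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data):
    """Summarise a document: is it an OLE2 container, and does it carry an executable?"""
    hits = find_embedded_pe(data)
    return {"ole2_container": data.startswith(OLE2_MAGIC), "embedded_pe": hits,
            "verdict": "embedded executable found" if hits else "no embedded executable"}


def build_sample_document():
    """Constructed test input (not a real JTD): OLE2 header, text, a decoy 'MZ', a minimal PE32, trailer."""
    doc = bytearray(OLE2_MAGIC + b"\0" * (512 - len(OLE2_MAGIC)))
    doc += b"JTD body text " * 20
    doc += b"MZ" + b"\xff" * 62               # decoy: "MZ" whose e_lfanew is out of range
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    pe = dos + b"PE\0\0" + coff + opt + sect
    pe += b"\0" * (0x200 - len(pe)) + b"\xCC" * 0x200   # pad headers to 0x200, then one raw section
    doc += pe + b"trailer " * 8
    return bytes(doc)


if __name__ == "__main__":
    print(triage(build_sample_document()))
```

Run it against a suspect file with `triage(open(path, "rb").read())`. The caveat a practitioner should keep in mind: this only finds a payload stored as a plain PE. A dropper that XOR-encodes the executable or keeps it inside a compressed OLE stream will show nothing here, which is why the vendor's DAT-based detection, not this carver, is the authoritative check; the carver is a quick first-pass triage and a way to extract the dropped binary for analysis when it is stored in the clear.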
Characteristics
-- Update: April 6, 2007 ---
Upon launching the document, it exploits a 0-day vulnerability in Ichitaro and executes an embedded executable.
The following file is installed when the document is opened:
- %Windir%\system32\hkdown.exe
The dropped file is detected as BackDoor-DKI.dldr with DAT 5003.
--------------------------
This is a generic detection that covers files attempting to exploit a 0-day vulnerability in JustSystem Ichitaro version 9 and later. Ichitaro is a Japanese word processing application provided by JustSystem. Exploit code carrying a malicious payload has been found in use in the wild.
Upon launching the document, it exploits a 0-day vulnerability in Ichitaro and executes an embedded executable.
The following file is installed when the document is opened:
- C:\Documents and Settings\%USER%\Local Settings\Temp\ahah.exe
The file is a backdoor trojan and is detected as BackDoor-DJF.
At the time this description was written, a patch for the vulnerability was being developed by the vendor. Japanese users of this application may find more information on the vulnerability and its patch at:
- http://www.justsystem.co.jp/info/pd6002.html?w=hmidx (in Japanese)
Symptoms
Unexpected execution of files upon opening a JTD file.
Method of Infection
When the JTD file is opened, malicious code is executed automatically using a zero-day vulnerability in JustSystem Ichitaro.
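Because the payload is launched by the word processor itself when the document is opened, the behavioral signal to hunt for is a child process created by the Ichitaro process, especially one whose image lies in one of the drop locations listed under Characteristics. The script below is an added example, not McAfee's or JustSystem's code, that runs that rule over process-creation log lines. The executable name pattern taro*.exe for Ichitaro, the CSV log format, and every path and PID in the sample are assumptions made for this example; the two payload paths are the ones this description lists.

```python
import fnmatch
import ntpath

# ASSUMPTION: the Ichitaro process image is matched by this glob; confirm against your install.
WORD_PROCESSOR_PATTERNS = ("taro*.exe",)

# Drop locations named in this description (lower-cased glob form).
KNOWN_PAYLOAD_PATHS = (
    r"*\windows\system32\hkdown.exe",
    r"*\local settings\temp\ahah.exe",
)
# User-writable scratch directories a document viewer should never be launching binaries from.
TEMP_DIRS = (r"*\local settings\temp\*", r"*\temp\*", r"*\appdata\local\temp\*")

# Constructed sample telemetry (not real logs). Format: ts,pid,ppid,image,parent_image
SAMPLE_LOG = r"""
2007-04-06T09:12:01,1204,880,C:\Program Files\Justsystem\taro16.exe,C:\WINDOWS\explorer.exe
2007-04-06T09:12:07,1340,1204,C:\WINDOWS\system32\hkdown.exe,C:\Program Files\Justsystem\taro16.exe
2007-04-06T09:15:22,1402,880,C:\WINDOWS\system32\notepad.exe,C:\WINDOWS\explorer.exe
2007-04-06T09:16:03,1450,1204,C:\Documents and Settings\user\Local Settings\Temp\ahah.exe,C:\Program Files\Justsystem\taro16.exe
2007-04-06T09:18:30,1466,1204,C:\Documents and Settings\user\Local Settings\Temp\update.exe,C:\Program Files\Justsystem\taro16.exe
2007-04-06T09:19:10,1480,1204,C:\WINDOWS\system32\calc.exe,C:\Program Files\Justsystem\taro16.exe
2007-04-06T09:20:40,1490,628,C:\WINDOWS\system32\spoolsv.exe,C:\WINDOWS\system32\services.exe
"""


def _glob_any(value, patterns):
    # fnmatchcase: we lower-case both sides ourselves so behaviour is the same on every platform
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def parse_log(text):
    """Parse the constructed CSV lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, parent = line.split(",", 4)
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "parent_image": parent})
    return events


def classify(event):
    """Return a finding label for one process-creation event, or None if it is not interesting."""
    parent_name = ntpath.basename(event["parent_image"]).lower()
    child = event["image"].lower()
    if not _glob_any(parent_name, WORD_PROCESSOR_PATTERNS):
        return None                                   # only children of the word processor matter here
    if _glob_any(child, KNOWN_PAYLOAD_PATHS):
        return "high: known TaroDrop payload path"
    if _glob_any(child, TEMP_DIRS):
        return "high: word processor launched a binary from a temp directory"
    return "medium: word processor spawned a child process, review"


def hunt(log_text):
    """Run the rule over a log and return (ts, pid, image, label) for every hit."""
    findings = []
    for ev in parse_log(log_text):
        label = classify(ev)
        if label:
            findings.append((ev["ts"], ev["pid"], ev["image"], label))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The "medium" tier exists because a word processor legitimately spawns helpers now and then, so an allow-list of expected children belongs in front of it before this goes into a production rule; the known-path and temp-directory tiers are the ones worth alerting on outright.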
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A