BackDoor-DJS

Type: Trojan
SubType: Remote Access
Discovery Date: 09/27/2006
Length: 36,379
Minimum DAT: 4862 (09/28/2006)
Updated DAT: 4862 (09/28/2006)
Minimum Engine: 5.1.00
Description Added: 09/27/2006
Description Modified: 09/28/2006 2:03 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


Overview

BackDoor-DJS is delivered via a specially crafted JustSystem Ichitaro document with the "JTD" extension. The JTD file uses an unidentified vulnerability in JustSystem Ichitaro to drop and execute a Win32 executable embedded inside the document.

The JTD file has been proactively detected as Exploit-TaroDrop since DAT version 4844. For further information regarding the vulnerability, please see the Exploit-TaroDrop description.

Characteristics

When the document is opened, it crashes the JustSystem Ichitaro program and executes the embedded executable.

The following file is dropped:

  • %WINDIR%\iexplore.exe
    (Note: %WINDIR% usually refers to the C:\Windows directory)

The following registry key is added:

  • hkey_local_machine\software\microsoft\windows\currentversion\run
    iexplore.exe="%WINDIR%\iexplore.exe"

The backdoor attempts to connect to the following remote site:

  • japansoft.<REMOVED>ip.net (port 443)

Symptoms

  • Existence of the file and registry entry mentioned above
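The two host-based symptoms listed above can be checked with a short script. The following is an added example, not part of the McAfee description; it assumes Windows PowerShell with access to the registry and process list, and it only reports what it finds (it does not clean anything). Note that Internet Explorer's own iexplore.exe is installed under Program Files, so a copy sitting directly in %WINDIR% is suspect on its own.

```powershell
# Added example: report the BackDoor-DJS indicators described on this page.
# Assumes Windows PowerShell (Test-Path, Get-ItemProperty, Get-Process).
$findings = @()

# 1. Dropped file: %WINDIR%\iexplore.exe (legitimate IE lives under Program Files).
$dropped = Join-Path $env:WINDIR 'iexplore.exe'
if (Test-Path -LiteralPath $dropped) {
    $item = Get-Item -LiteralPath $dropped
    $findings += "File present: $dropped ($($item.Length) bytes, created $($item.CreationTime))"
}

# 2. Persistence: Run value named iexplore.exe pointing at the dropped file.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['iexplore.exe']) {
    $findings += "Run value present: iexplore.exe = $($run.'iexplore.exe')"
}

# 3. Any running process whose image path is the dropped file
#    (an outbound connection on port 443 would originate from it).
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $null
    try { $path = $_.Path } catch { }   # protected processes may deny access
    if ($path -and ($path -ieq $dropped)) {
        $findings += "Running process PID $($_.Id) from $dropped"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No BackDoor-DJS indicators found.'
} else {
    Write-Output 'Possible BackDoor-DJS infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated prompt so that HKLM and all process image paths are readable; a hit on the file or Run value alone is enough to warrant scanning with the DAT version listed above.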

Method of Infection

BackDoor-DJS may arrive as a spammed message and uses an unidentified vulnerability in the JustSystem Ichitaro program to execute the embedded executable when the document is opened. For further information regarding the vulnerability, please see the Exploit-TaroDrop description.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  • N/A