Exploit-LHAZ.a
- Type: Trojan
- SubType: Exploit
- Discovery Date: 08/17/2007
- Length: Varies
- Minimum DAT: 5100 (08/17/2007)
- Updated DAT: 5101 (08/20/2007)
- Minimum Engine: 5.1.00
- Description Added: 08/17/2007
- Description Modified: 08/17/2007 3:18 AM (PT)
Characteristics
This is a generic detection that covers gzip files attempting to exploit a vulnerability in the decompression tool called "LHAZ 1.33".
When this trojan is loaded into LHAZ, it silently drops the following two files:
- %UserProfile%\Local Settings\Temp\sav.exe (detected as BackDoor-CKB trojan)
- %SystemDir%\wuausrv.dll (detected as BackDoor-CKB trojan)
Symptoms
Unexpected execution of files upon opening a gzip file.
Method of Infection
When the gzip file is opened with "LHAZ 1.33", a malicious file is dropped using a zero-day vulnerability in the tool.
Removal
All Users:
Use the specified engine and DAT files for detection and removal.
Variants
N/A
Overview
Exploit-LHAZ.a is a specially crafted gzip file that takes advantage of an unidentified vulnerability in the Japanese decompression tool called "LHAZ 1.33" and runs a malicious Win32 executable embedded inside the file.