Exploit-TaroDrop.d
- Type: Trojan
- SubType: Exploit
- Discovery Date: 12/13/2007
- Length: Varies
- Minimum DAT: 5185 (12/13/2007)
- Updated DAT: 5186 (12/14/2007)
- Minimum Engine: 5.1.00
- Description Added: 12/13/2007
- Description Modified: 12/17/2007 11:52 PM (PT)
Characteristics
This is a generic detection that covers files attempting to exploit a 0-day vulnerability in JustSystem Ichitaro in the wild in December 2007.
When successful, the exploit may drop an lsass.exe file detected as BackDoor-DLI. This backdoor may communicate over TCP port 443 with the following host(s):
- 216.54.56.{blocked}
- {blocked}.wwwcrazy.com
A security patch is now available from the vendor:
Symptoms
- Unexpected execution of lsass.exe while opening an Ichitaro document.
- Unexpected termination of the Ichitaro application.
- Network communication with the mentioned host(s).
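The first symptom above is a process-masquerading pattern that can be checked from process-creation telemetry: the genuine lsass.exe is a single instance started from %SystemRoot%\System32 by the logon chain (winlogon.exe on Windows XP, wininit.exe on Vista and later), whereas a copy dropped by a document exploit runs from another directory with the document viewer as its parent. The following is an added example written for this page, not McAfee's detection logic; the event format, the sample events and the Ichitaro executable name used as a parent are constructed assumptions.

```python
"""Flag lsass.exe instances that do not look like the real Local Security
Authority process.  Example code added to this page; the log format and
all sample events below are constructed, not captured from the threat."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample of process-creation events as "image|parent_image".
# The parent name "ichitaro.exe" is an assumption standing in for the
# word processor's real executable.
SAMPLE_EVENTS = [
    r"C:\WINDOWS\system32\lsass.exe|C:\WINDOWS\system32\winlogon.exe",
    r"C:\Windows\System32\lsass.exe|C:\Windows\System32\wininit.exe",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\lsass.exe|C:\Program Files\JustSystem\ichitaro.exe",
    r"C:\Windows\System32\lsass.exe|C:\Users\user\AppData\Local\Temp\dropper.exe",
    r"C:\Program Files\JustSystem\ichitaro.exe|C:\Windows\explorer.exe",
]

# Processes that legitimately start lsass.exe (XP: winlogon, Vista+: wininit).
LEGIT_PARENTS = {"winlogon.exe", "wininit.exe"}

# The only image path the real lsass.exe runs from.
SYSTEM32_LSASS = re.compile(r"^[a-z]:\\win(dows|nt)\\system32\\lsass\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    image: str
    parent: str
    reason: str


def check_event(image: str, parent: str):
    """Return a Finding for a suspicious lsass.exe event, else None."""
    if ntpath.basename(image).lower() != "lsass.exe":
        return None
    # A dropped copy lands in a temp or profile directory, never System32.
    if not SYSTEM32_LSASS.match(image):
        return Finding(image, parent, "lsass.exe running outside System32")
    # Even a System32 path is suspect if the parent is not the logon chain.
    if ntpath.basename(parent).lower() not in LEGIT_PARENTS:
        return Finding(image, parent, "lsass.exe with unexpected parent")
    return None


def scan(events):
    """Run check_event over 'image|parent' lines and collect findings."""
    findings = []
    for line in events:
        image, parent = line.split("|", 1)
        finding = check_event(image.strip(), parent.strip())
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.image} (parent {f.parent})")
```

Of the five constructed events, only the temp-directory copy launched by the document viewer and the System32 instance launched by an unrelated dropper are reported; the two events with winlogon.exe or wininit.exe as parent pass. Parent-process and image-path checks are cheap to express in most EDR or Sysmon rule languages and do not depend on the (redacted) C2 hosts.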
Method of Infection
This exploit targets a 0-day vulnerability in JustSystem Ichitaro.
Removal
All Users:
Use specified engine and DAT files for detection.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.
Variants
N/A