
Exploit-TaroDrop.g

Type: Trojan
SubType: Exploit
Discovery Date: 03/12/2009
Length: Varies
Minimum DAT: 5551 (03/12/2009)
Updated DAT: 5853 (01/06/2010)
Minimum Engine: 5.2.00
Description Added: 03/12/2009
Description Modified: 03/15/2009 11:18 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low


All Information

Overview

A zero-day vulnerability has been discovered in the wild in the JustSystem Ichitaro program, affecting documents with the "JTD" extension. Exploit-TaroDrop.g is a trojan that is delivered via a specially crafted Ichitaro document. Ichitaro is a Japanese word processing application provided by JustSystem. When the exploit succeeds, it drops and executes a malicious Win32 executable embedded inside the document.

A patch for this vulnerability has been published by the vendor. Japanese users of this application may find more information on the vulnerability and its patch at:

http://www.justsystems.com/jp/info/js09001.html (in Japanese)

Characteristics

When the document is opened, it exploits a vulnerability in Ichitaro and executes an embedded executable.

The following file is installed when the document is opened:

  • %Windir%\System32\beer80.exe (Generic Dropper trojan)

This dropper drops the following files:

Symptoms

Unexpected execution of files upon opening a JTD file.

Method of Infection

When the JTD file is opened, malicious code is executed automatically using a zero-day vulnerability in JustSystem Ichitaro.
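As an added example that is not part of the original description, the following detection logic runs over endpoint file and process events and flags the behaviour described above: a .jtd document being opened, followed shortly by the listed dropper path (%Windir%\System32\beer80.exe) being written or executed. The log format, process ids and paths are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed endpoint-monitor log (not from the original page):
# "<date> <time> <event> pid=<n> <path>"
SAMPLE_LOG = r"""
2009-03-12 09:58:01 FILE_OPEN pid=1880 C:\Users\alice\Desktop\invoice.jtd
2009-03-12 09:58:03 FILE_CREATE pid=1880 C:\WINDOWS\system32\beer80.exe
2009-03-12 09:58:04 PROCESS_START pid=2044 C:\WINDOWS\system32\beer80.exe
2009-03-12 10:20:15 FILE_OPEN pid=1880 C:\Users\alice\Desktop\notes.jtd
2009-03-12 10:20:16 FILE_CREATE pid=1880 C:\Users\alice\Desktop\~notes.tmp
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) pid=(\d+) (.+)$")
# Dropped-file path reported in the description: %Windir%\System32\beer80.exe
DROPPED_EXE = re.compile(r"\\system32\\beer80\.exe$", re.IGNORECASE)
WINDOW = timedelta(seconds=60)  # how soon after the .jtd open we correlate


def parse(log):
    """Parse log lines into (timestamp, event, pid, path); skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return events


def find_tarodrop_activity(log):
    """Return (jtd_path, event, artefact_path) for each .jtd open that is
    followed within WINDOW by the dropper being written by the same process
    or by the dropper being started."""
    events = parse(log)
    findings = []
    for ts, kind, pid, path in events:
        if kind != "FILE_OPEN" or not path.lower().endswith(".jtd"):
            continue
        for ts2, kind2, pid2, path2 in events:
            if not (ts <= ts2 <= ts + WINDOW) or not DROPPED_EXE.search(path2):
                continue
            if (kind2 == "FILE_CREATE" and pid2 == pid) or kind2 == "PROCESS_START":
                findings.append((path, kind2, path2))
    return findings


if __name__ == "__main__":
    for jtd, event, artefact in find_tarodrop_activity(SAMPLE_LOG):
        print(f"ALERT: {jtd} -> {event} {artefact}")
```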

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A