Exploit-TaroDrop.b

Type: Trojan
SubType: Exploit
Discovery Date: 04/06/2007
Length: Varies
Minimum DAT: 5005 (04/10/2007)
Updated DAT: 5143 (10/17/2007)
Minimum Engine: 5.1.00
Description Added: 04/09/2007
Description Modified: 04/10/2007 6:08 PM (PT)
Risk Assessment (Corporate User): Low-Profiled
Risk Assessment (Home User): Low-Profiled

Characteristics

-- Update April 9, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://itpro.nikkeibp.co.jp/article/NEWS/20070409/267749/


This is a generic detection that covers files attempting to exploit a 0-day vulnerability in JustSystems Ichitaro discovered in April 2007. Ichitaro is a Japanese word processing application provided by JustSystems. Exploit code with a malicious payload has been found in use in the wild.

When the document is opened, it exploits a 0-day vulnerability in Ichitaro and executes an embedded executable.

The following file is installed when the document is opened:

  •   %Windir%\system32\hkdown.exe

The file is detected as the BackDoor-DKI.dldr trojan with DAT 5003.

Symptoms

Unexpected execution of files upon opening a JTD file.

Method of Infection

When the JTD file is opened, malicious code is executed automatically using a zero-day vulnerability in JustSystems Ichitaro.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants

    N/A

Overview

-- Update: April 11, 2007 --

JustSystems has released a patch for the vulnerability, see:

 http://www.justsystem.co.jp/info/pd7002.html  (in Japanese)

This detection covers malformed JustSystems Ichitaro document files that attempt to exploit a 0-day vulnerability discovered in April 2007. When such a file is opened in Ichitaro, it causes a buffer overflow that can lead to arbitrary code execution on the targeted system.

This malware was previously detected as Exploit-TaroDrop trojan.
