
Archive for June, 2007


Jun28
by Dianne Lagrimas (Technical Communications)

Lhaca, a Japanese archiving application, reportedly has a vulnerability in the way it handles decompression of files. A malware author has now seized on this flaw and released TROJ_LHDROPPER.A.

When the software flaw is successfully exploited, the Trojan drops and executes a backdoor detected by Trend Micro as BKDR_AGENT.AANE, and the backdoor's malicious routines then run on the affected system. The Trojan also drops an LZH file (LZH being the archive format and extension Lhaca handles), which in turn opens a blank MS PowerPoint file; this decoy hides the Trojan's malicious routines from the user.

The dropped file's name translates to “Event Plan for Fiscal Year 2007.”

This Trojan affects systems running Windows platforms with Japanese language pack and the archiving software installed.
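The post does not describe the specific flaw in Lhaca's decompression code, so the following is not an exploit for it. It is an added example, not part of the original post: a small parser for the level-0 LZH header (the archive format Lhaca handles) that an analyst can run over a suspicious attachment before handing it to a vulnerable archiver. The header layout and method IDs follow the LHA/LZH format; the 128-byte filename threshold and the three sample headers (one benign, one with an oversized name, one whose length byte lies) are assumptions constructed for the example.

```python
import struct

# Method IDs defined by the LHA/LZH format (the archive type Lhaca handles).
KNOWN_METHODS = {b"-lh0-", b"-lh1-", b"-lh4-", b"-lh5-", b"-lh6-", b"-lh7-",
                 b"-lhd-", b"-lzs-", b"-lz4-", b"-lz5-"}

# Assumption for triage: a filename longer than this in a level-0 header is
# worth a look. The format's own limit is the one-byte length field (255).
MAX_NAME_LEN = 128

# Level-0 header layout (offsets relative to the start of the header):
#   0     header size H: counts bytes from offset 2 to the end of the header
#   1     checksum: sum of those H bytes, modulo 256
#   2-6   method ID, e.g. b"-lh5-"
#   7-10  compressed size   11-14 original size   15-18 MS-DOS timestamp (LE)
#   19    attribute   20 header level (0)   21 filename length N
#   22..  filename (N bytes), followed by a 2-byte CRC-16 of the original data
# so a well-formed level-0 header satisfies H == N + 22.


def build_level0_header(name, method=b"-lh5-", compressed=0, original=0,
                        name_len_field=-1):
    """Construct a level-0 header for a sample archive (constructed data).
    name_len_field lets a test deliberately lie about the filename length."""
    n = len(name) if name_len_field < 0 else name_len_field
    body = (method + struct.pack("<III", compressed, original, 0)
            + b"\x20\x00" + bytes([n]) + name + b"\x00\x00")
    return bytes([len(body), sum(body) & 0xFF]) + body


def parse_level0_header(data):
    """Parse one level-0 header; return its fields plus a list of findings.
    Raises ValueError for headers that cannot be read at all."""
    if len(data) < 2:
        raise ValueError("truncated header")
    hsize, csum = data[0], data[1]
    if hsize == 0:                      # a zero size byte marks end of archive
        return {"end_of_archive": True, "findings": []}
    body = data[2:2 + hsize]
    if len(body) < hsize:
        raise ValueError("header size %d runs past available data" % hsize)
    if hsize < 22:
        raise ValueError("header too small for the level-0 fixed fields")
    findings = []
    if (sum(body) & 0xFF) != csum:
        findings.append("checksum mismatch")
    method = body[0:5]
    compressed, original, _mtime = struct.unpack_from("<III", body, 5)
    attr, level, name_len = body[17], body[18], body[19]
    if level != 0:
        raise ValueError("not a level-0 header (level=%d)" % level)
    name = body[20:20 + name_len]
    if method not in KNOWN_METHODS:
        findings.append("unknown method id %r" % method)
    if hsize != name_len + 22:
        findings.append("header size %d inconsistent with filename length %d"
                        % (hsize, name_len))
    if len(name) < name_len:
        findings.append("filename field runs past the header")
    if name_len > MAX_NAME_LEN:
        findings.append("oversized filename (%d bytes)" % name_len)
    return {"end_of_archive": False, "method": method, "compressed": compressed,
            "original": original, "attr": attr, "name": name,
            "name_len": name_len, "findings": findings}


def triage(data):
    """Findings only, for a quick yes/no on whether to open the archive."""
    return parse_level0_header(data)["findings"]


# Constructed samples: a normal entry, a 200-byte filename, and a header whose
# length byte claims 250 bytes for an 8-byte name.
BENIGN = build_level0_header(b"plan2007.ppt", compressed=10, original=40)
CRAFTED_LONG = build_level0_header(b"A" * 200)
CRAFTED_LYING = build_level0_header(b"plan.ppt", name_len_field=250)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("long name", CRAFTED_LONG),
                        ("lying length", CRAFTED_LYING)):
        print(label, triage(blob))
```

The checksum and the H == N + 22 relation are the two structural invariants a crafted header most often breaks; an archive that fails either should be examined in a sandbox rather than opened with the production archiver. Level-1 and level-2 headers carry extension records and are not handled here.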

This malware reinforces the trend of threats targeting specific groups or regions, in this case Japanese computer systems. The attack follows the same path as another Trojan found in the wild late last month. Detected by Trend Micro as TROJ_PDROPPER.BA, it exploits a known Microsoft vulnerability and also displays a PowerPoint decoy, in the same vein as TROJ_LHDROPPER.A.

The text within the PPT translates to “Status: Taiwan Situation (June 1, 2007: Support Members Debrief Session) Japan Interchange Association, Taipei Office.”

TROJ_PDROPPER.BA also drops a backdoor, BKDR_EMBED.W.

As of this writing, no patches have been issued by the vendor for the flaw exploited by TROJ_LHDROPPER.A. Trend Micro strongly recommends not opening files from untrusted sources.


Jun28
by Roberto Tayag (Threats Analyst)

We have received reports of a kit hosted on a Web site which, when accessed, redirects users to a malicious site. That malicious site serves several exploits that are ultimately used to download malicious files. We have eight files from this kit in hand; here is what we know about them so far:

  • n404-0 is an obfuscated script. It is probably just a test script for the author, because all it does is display the deobfuscated (decrypted) contents of n404-1 in a message box.
  • n404-1 attempts to download the file vers.php, which is in reality a Win32 executable detected by Trend Micro as TROJ_MURLO.AW. The downloaded Trojan runs as ieupdate3r.exe and downloads further malicious or possibly malicious files, including ones detected as TROJ_SPAMBOT.B, TROJ_AGENT.USE, TROJ_WOPLA.DX, and Possible_NUCRP-3.
  • n404-2 is similar to n404-1 but uses a different approach. It also downloads TROJ_MURLO.AW.
  • n404-3 is a setSlice() exploit detected as EXPL_SSLICE.GEN. It also attempts to download TROJ_MURLO.AW.
  • n404-4 is a file we do not currently detect as malicious. According to our logs, however, it is related to the MS06-006 vulnerability (Windows Media Player plug-in with non-IE browsers). It also tries to download TROJ_MURLO.AW.
  • n404-5 looks like a possible Phel variant, but at present it does no harm. It can probably be edited to the attacker's specification, possibly to be sold later on; that it is not launched by version.php also points this way.
  • n404-6 is detected as EXPL_TXTRANGE.A.
  • n404-7 is detected as EXPL_IFRAMEBO.A. It also points to vers.php (TROJ_MURLO.AW).

All of the exploits above can be found on the site. However, only n404-1, n404-2, n404-3, and n404-7 are launched directly when a user is redirected to the malicious site.

[image: n404.jpg]


Jun28
by David Sancho (Threats Analyst)

This week we have been receiving spammed email samples using the old “you have received a postcard” trick. The malicious email provides a web link to “retrieve” the postcard. In this case the landing page appears completely blank, but in the background a JavaScript tries to exploit several vulnerabilities to download and execute malware on the machine. Even though it may seem repetitive at this point, be careful with unexpected “ecards” and always (always!) make sure your browser is updated with the latest vendor patches. This case highlights the fact that the main danger in the current landscape comes from web connections. Email and web threat tandems such as this one are becoming more and more common.

[images: Postcard.JPG, Postcard2.JPG, Postcard3.JPG]

After installation, a rootkit hides a peer-to-peer downloading component that keeps the malware updated. Trend Micro's heuristic engine detects both the first downloaded component and the P2P downloader. The rootkit module is detected as TROJ_TIBS.AB.


Jun27
by Jasper Pimentel (Advanced Threats Researcher)

We’ve received reports of a web threat toolkit similar to WebAttacker and MPack being hosted at a particular domain. This new toolkit uses a variety of exploits to download TROJ_SMALL.FXD onto the affected system. We’ve examined several obfuscated PHP files in a directory behind this domain; so far, here’s what we have on this new threat.

Through IFRAME tags, a file called INDEX.PHP loads other pages located in the same directory: Z-CS-AN.HTM, Z-JAVA1.PHP, Z-014-2.PHP, Z-CREATE-O.PHP, Z-014-1.PHP, and Z-PNG-OV.PHP.

Z-CS-AN.HTM is an HTML file that loads FILE.JPG (also in the same directory) as an animated cursor. FILE.JPG exploits the animated cursor vulnerability in Windows in the same way as ANICMOO, and is already detected by Trend Micro as EXPL_ANICMOO.GEN. Further inspection of the file reveals a download location; the executable retrieved from it (FILE.EXE) is a Trojan downloader detected by Trend Micro as TROJ_SMALL.FXD.

Z-JAVA1.PHP uses a .JAR file containing malicious Java classes compiled as web page applets, detected by Trend Micro as JAVA_BYTEVER. It exploits the ByteVerifier vulnerability in unpatched versions of the Microsoft (MS) Java Virtual Machine, which allows a file to be downloaded and executed without the user’s knowledge. Through this exploit, TROJ_SMALL.FXD is downloaded.

Z-014-2.PHP, Z-CREATE-O.PHP, and Z-014-1.PHP contain obfuscated JavaScript and VBScript. All three have the same function, to download and execute TROJ_SMALL.FXD; they differ in the method used to download the malware and in how they rename the file once it has been downloaded to the affected system.

Z-PNG-OV.PHP exploits the vulnerability described in MS06-024 using a PNG file residing in the same directory: a remote code execution vulnerability in Windows Media Player caused by the way it processes PNG images. Through this exploit, TROJ_SMALL.FXD is downloaded.


[image: mystabcounter2.jpg]


In summary, this web threat toolkit makes sure that TROJ_SMALL.FXD is downloaded regardless of which exploit succeeds. Most of the vulnerabilities it exploits are nothing new, so be sure to patch your systems. The detections for each file are:

  • index.php: JS_PSYME.APS
  • z-014-1.php: JS_PSYME.AQR
  • z-014-2.php: JS_PSYME.AQD
  • z-create-o.php: JS_PSYME.AQM
  • z-cs-an.php: HTML_DLOADER.NHY
  • z-java1.php: JS_PSYME.AQN
  • z-png-ov.php: JS_AGENT.UNW
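The three web threats on this page share one delivery pattern: a landing page that looks blank (the “postcard” mail above), a redirect that launches a subset of kit files (the n404 kit), and an INDEX.PHP that pulls each exploit page in through IFRAME tags (the toolkit just described). The following is an added example, not code from the original posts or from any of these kits: a Python scanner that flags hidden IFRAMEs and obfuscation calls in a saved landing page, decodes each unescape("...") layer, and rescans what was decoded, which is how frames written by script are found. The sample page is constructed; it reuses the file names from the toolkit above but the attribute values, the script bodies and the list of suspicious calls are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: a landing page whose visible body is blank. Two exploit
# pages are pulled in by hidden IFRAMEs in the static HTML, a third is written
# by a script after unescape() decoding, and a last script hides its logic
# behind eval(). The names echo the toolkit above; attributes are assumptions.
SAMPLE_PAGE = """<html><body>
<iframe src="z-cs-an.htm" width="0" height="0" frameborder="0"></iframe>
<iframe src="z-java1.php" style="display: none"></iframe>
<iframe src="about.html" width="600" height="400"></iframe>
<script>document.write(unescape("%3Ciframe%20src%3D%22z-png-ov.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E"));</script>
<script>eval(unescape("%76%61%72%20%61%3D%31%3B"));</script>
</body></html>"""

# Calls that routinely appear in these kits' obfuscation layers (assumed list).
SUSPICIOUS_CALLS = ("eval(", "unescape(", "document.write(", "fromCharCode(")
_UNESCAPE_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')


class _Collector(HTMLParser):
    """Collects iframe attributes and the text of every <script> block."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def _dimension(attrs, name):
    value = attrs.get(name)
    if value is None:
        return None
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None


def is_hidden_iframe(attrs):
    """True for the zero/one-pixel or CSS-hidden frames exploit kits rely on."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width, height = _dimension(attrs, "width"), _dimension(attrs, "height")
    return (width is not None and width <= 1) or (height is not None and height <= 1)


def scan_landing_page(html, depth=0, max_depth=3):
    """Return a list of (kind, detail) findings. Each unescape("...") payload
    is decoded one layer and rescanned, bounded by max_depth."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        if is_hidden_iframe(frame):
            findings.append(("hidden_iframe", frame.get("src") or ""))
    for script in collector.scripts:
        calls = [c for c in SUSPICIOUS_CALLS if c in script]
        if calls:
            findings.append(("obfuscated_script", ",".join(calls)))
        if depth < max_depth:
            for match in _UNESCAPE_RE.finditer(script):
                decoded = unquote(match.group(1))
                findings.append(("decoded_payload", decoded))
                findings.extend(scan_landing_page(decoded, depth + 1, max_depth))
    return findings


def hidden_iframe_targets(html):
    """Sorted, de-duplicated src of every hidden frame, decoded layers included."""
    return sorted({d for k, d in scan_landing_page(html) if k == "hidden_iframe"})


if __name__ == "__main__":
    for kind, detail in scan_landing_page(SAMPLE_PAGE):
        print(kind, detail)
```

Run it against a saved copy of the landing page, not against the live site. The decoder handles only the double-quoted unescape() form; kits that build strings with String.fromCharCode or split the payload across variables need a JavaScript interpreter rather than a regular expression, which is why the scanner records the call names as a finding even when it cannot decode the layer.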


Jun27
by Jasper Pimentel (Advanced Threats Researcher)

Another fake codec website has just turned up. Once again, a TROJ_ZLOB variant posing as a codec installer can be downloaded from this legitimate-looking website, inc-codec(dot)com.


[image: dvdaccess.jpg]

Don’t let its professional-looking design and techno-babble fool you. This download site does not contain any codec installers at all; the installer it offers is nothing more than TROJ_ZLOB.DFV.



© Copyright 2008 Trend Micro Inc. All rights reserved.