
Archive for June 28th, 2007


Jun28
by Dianne Lagrimas (Technical Communications)

Lhaca, a Japanese archiving application, reportedly has a vulnerability in the way it handles decompression of files. A malware author has now jumped on this flaw and released TROJ_LHDROPPER.A.

When this software flaw is successfully exploited, the said Trojan drops and executes a backdoor detected by Trend Micro as BKDR_AGENT.AANE. As a result, the malicious routines of the backdoor are exhibited on the affected system. It also drops an LZH file (the extension used by the archiving application), which in turn opens a blank MS PowerPoint file. This decoy hides the Trojan's malicious routines.

The file name translates to Event Plan for Fiscal Year 2007.

This Trojan affects systems running Windows platforms with Japanese language pack and the archiving software installed.

This malware reinforces the trend of threats targeting specific groups or regions, which in this case are Japanese computer systems. This attack follows the same path as that of another Trojan detected in the wild late last month. Detected by Trend Micro as TROJ_PDROPPER.BA, it exploits a known Microsoft vulnerability and also displays a PowerPoint file in the same vein as TROJ_LHDROPPER.A.

The text within the PPT translates to Status: Taiwan Situation (June 1, 2007: Support Members Debrief Session) Japan Interchange Association, Taipei Office.

TROJ_PDROPPER.BA also drops a backdoor (BKDR_EMBED.W).

As of this writing, no patches have been issued by the vendor for the flaw exploited by TROJ_LHDROPPER.A. Trend Micro strongly recommends not opening files from untrusted sources.

Posted in Security |

Jun28
by Roberto Tayag (Threats Analyst)

We have received reports of a kit being hosted on a Web site which, when accessed, redirects users to a malicious site. The said malicious site has different exploits that are used to ultimately download malicious files. We have in our hands eight files from this kit. Below are bits of information about the files:

  • n404-0 is an obfuscated script. This is probably just a test script for the author because it just displays in a message box the deobfuscated or unencrypted contents of the file n404-1.
  • n404-1 attempts to download the file vers.php, which is in reality a Win32 executable file detected by Trend Micro as TROJ_MURLO.AW. This downloaded Trojan is executed as ieupdate3r.exe and downloads more files, detected as malicious or possibly malicious, including TROJ_SPAMBOT.B, TROJ_AGENT.USE, TROJ_WOPLA.DX, and Possible_NUCRP-3.
  • n404-2 is similar to n404-1, but uses a different approach. It also downloads TROJ_MURLO.AW.
  • n404-3 is a Setsplice exploit detected as EXPL_SSLICE.GEN. This file also attempts to download TROJ_MURLO.AW.
  • n404-4 is a file we do not currently detect as malicious. However, according to our logs, it is related to the MS06-006 vulnerability (Windows Media Player plug-in with non-IE browsers). This one also tries to download TROJ_MURLO.AW.
  • n404-5 looks like a possible Phel variant, but it seems to be currently doing no harm. This one can probably be edited depending on the attacker’s specification, probably for selling later in the game. This is also possible because this file is not being launched by version.php.
  • n404-6 is detected as EXPL_TXTRANGE.A.
  • n404-7 is detected as EXPL_IFRAMEBO.A. This one still points to vers.php (TROJ_MURLO.AW).

All the exploits above can be found within the site. However only n404-1, n404-2, n404-3, and n404-7 are directly launched when a user is redirected to the malicious site.
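Two of the observations above translate directly into proxy-log detection: the kit's pages have recognisable names (n404-0 through n404-7), and vers.php is served as if it were a script but is actually a Win32 executable. The following script is an added example, not code from the original post or from Trend Micro; it scans constructed proxy log lines (the hostnames, client addresses and log format are assumptions for illustration) and flags both the kit page names and any response whose first bytes are the PE "MZ" magic despite a text Content-Type or a .php path.

```python
import re
from dataclasses import dataclass
from collections import defaultdict

# Constructed proxy log lines (not from the original post). Fields: timestamp,
# client IP, method, URL, HTTP status, Content-Type, first four response bytes as hex.
SAMPLE_LOG = """\
2007-06-28T10:01:02 10.0.0.5 GET http://landing.example.invalid/index.html 200 text/html 3c68746d
2007-06-28T10:01:03 10.0.0.5 GET http://kit.example.invalid/n404-1 200 text/html 3c736372
2007-06-28T10:01:03 10.0.0.5 GET http://kit.example.invalid/n404-3 200 text/html 3c736372
2007-06-28T10:01:04 10.0.0.5 GET http://kit.example.invalid/vers.php 200 text/html 4d5a9000
2007-06-28T10:05:00 10.0.0.9 GET http://news.example.invalid/story.php 200 text/html 3c21444f
"""

# Page names used by this kit, as listed in the post (n404-0 .. n404-7).
KIT_PATH = re.compile(r"/n404-[0-7]$")
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) ([0-9a-fA-F]{8})$")


@dataclass
class Finding:
    client: str
    url: str
    reason: str


def sniff_type(first_bytes: bytes) -> str:
    """Classify a response by its leading bytes rather than by its declared type."""
    if first_bytes[:2] == b"MZ":
        return "pe-executable"
    if first_bytes[:1] == b"<":
        return "markup"
    return "unknown"


def url_path(url: str) -> str:
    """Strip scheme, host and query string, leaving only the path."""
    path = re.sub(r"^[a-z]+://[^/]+", "", url)
    return path.split("?", 1)[0]


def scan(log_text: str) -> list:
    """Return one Finding per suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status, ctype, head_hex = m.groups()
        path = url_path(url)
        if KIT_PATH.search(path):
            findings.append(Finding(client, url, "exploit-kit page name"))
        sniffed = sniff_type(bytes.fromhex(head_hex))
        # A PE image delivered under a script extension or a text Content-Type is
        # the vers.php pattern described in the post.
        if sniffed == "pe-executable" and (ctype.startswith("text/") or path.endswith(".php")):
            findings.append(Finding(client, url, "PE executable served as " + ctype))
    return findings


def likely_victims(findings: list) -> set:
    """Clients that both touched a kit page and then pulled an executable."""
    reasons = defaultdict(set)
    for f in findings:
        reasons[f.client].add(f.reason.split(" ")[0])
    return {c for c, r in reasons.items() if {"exploit-kit", "PE"} <= r}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h.client} {h.url} -> {h.reason}")
    print("likely victims:", sorted(likely_victims(hits)))
```

The magic-byte check is the more durable of the two rules: page names change from one kit build to the next, but an executable handed out under a .php name will still begin with "MZ".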

[Image: n404.jpg]


Jun28
by David Sancho (Threats Analyst)

This week we have been receiving spammed email samples with the old “you have received a postcard” trick. The malicious email provides a web link to “retrieve” the postcard. In this case, the landing page seems to be completely blank, but in the background a JavaScript tries to exploit some vulnerabilities and download and execute malware on the machine. Even though it may seem repetitive at this point, be careful with unexpected “ecards” and always (always!) make sure your browser is updated with the latest vendor patches. This highlights the fact that the main danger in the current landscape comes from web connections. Email-web threat tandems such as this one are getting more and more common.

[Image: Postcard.JPG]

[Image: Postcard2.JPG]

[Image: Postcard3.JPG]

After installation, a rootkit hides a peer-to-peer downloading component that keeps the malware updated. Trend Micro's heuristic engine detects the first downloaded component as well as the P2P downloader. The rootkit module is detected as TROJ_TIBS.AB.



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice