Lhaca, a Japanese archiving application, reportedly has a vulnerability in the way it handles decompression of files. A malware author has now jumped on this flaw and released TROJ_LHDROPPER.A.
When this software flaw is successfully exploited, the said Trojan drops and executes a backdoor detected by Trend Micro as BKDR_AGENT.AANE. As a result, the backdoor's malicious routines are exhibited on the affected system. It also drops an LZH file (the extension used by the archiving application), which in turn opens a blank MS PowerPoint file. The said action hides this Trojan's malicious routines.
The file name translates to "Event Plan for Fiscal Year 2007."
This Trojan affects systems running Windows platforms with Japanese language pack and the archiving software installed.
This malware reinforces the trend of threats targeting specific groups/regions, which in this case are Japanese computer systems. This attack follows the same path as that of another Trojan detected in the wild late last month. Detected by Trend Micro as TROJ_PDROPPER.BA, it exploits a known Microsoft vulnerability and also displays a PowerPoint file in the same vein as TROJ_LHDROPPER.A.
The text within the PPT translates to "Status: Taiwan Situation (June 1, 2007: Support Members Debrief Session) Japan Interchange Association, Taipei Office."
TROJ_PDROPPER.BA also drops a backdoor (BKDR_EMBED.W).
As of this writing, no patches have been issued by the vendor for the flaw exploited by TROJ_LHDROPPER.A. Trend Micro strongly recommends not opening files from untrusted sources.