Vulnerabilities (designated as CVE-2010-3915 and CVE-2010-3916) have been found in the popular Japanese-language word processor Ichitaro. If exploited, a specially crafted .JTD file can be used to drop and execute files. Files exploiting these vulnerabilities are detected as TROJ_TARODRP.SM.
The current payload of the attacks that target this vulnerability is a dropper detected as TROJ_DROPPER.QVA. It checks whether the current user has administrative rights on the system or not. Depending on the situation, it uses different means to ensure that it will run at every system startup. The end behavior, however, is identical—a backdoor (BKDR_GOLPECO.A) is dropped onto the infected system. It contacts a command-and-control (C&C) server. Among the commands that a would-be bot herder can execute on an infected system are:
- Perform shell commands
- Overwrite or retrieve files on the infected system
- Download and execute files from the Internet
Taken together, these commands allow the malware to completely compromise an affected system. The risk is nontrivial: both this and previous Ichitaro vulnerabilities have been used in targeted attacks.
Trend Micro users have been protected since September 18 when patterns protecting against the above-mentioned threats were released. Related malicious URLs have also been blocked since the same date. However, due to nondisclosure agreements (NDAs), we have been unable to discuss this threat until a fix for the vulnerability was released.