    Trend Micro Malware Blog
    Yet another Japanese zero-day Trojan discovered

    On August 17, a zero-day exploit targeting a vulnerability in the Japanese archiving tool Lhaz version 1.33 was discovered. The exploit affects only users who have that program installed and has not yet caused widespread infection, but Trend Micro advises users of the application to take every precaution.

    Note that this is not the first time Japanese archiving software has been exploited: last June, a similar exploit took advantage of a flaw in the +Lhaca archiver.

    The sample Trend Micro obtained has a .TGZ extension (indicating a gzip-compressed TAR file) and poses as a chronological table of events from World War II. The file was presumably chosen as a timely social engineering lure to attract the target's interest, because August 15 marks the anniversary of Japan's surrender in that war.

    Once the sample is decompressed with Lhaz, a compressed .TGZ file with no name is extracted, along with an .RTF document and a .PPT presentation (see image below). These documents contain the aforementioned WWII table, which appears to have been copied from a Web site.
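    As an added example (not part of the original post or the Lhaz project), the following Python script lists what such a .TGZ lure would unpack without ever handing it to an archiver, flagging the traits described above: an entry with an empty name, archive data hiding under a non-archive name, executables, links and path traversal. The sample archive it builds is constructed to mirror the described layout and is not the real sample; the watch-lists of extensions and magic numbers are assumptions chosen for the demonstration.

```python
import io
import posixpath
import tarfile
from typing import List, Optional, Tuple

# Added example, not code from the original post. The extension watch-lists and
# magic numbers below are assumptions; extend them for your own environment.

# File types that should never come out of an archive that claims to hold documents.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
ARCHIVE_EXT = {".tgz", ".gz", ".tar", ".zip", ".lzh", ".lha", ".rar", ".7z"}

# Magic numbers used to sniff member content regardless of the entry name.
MAGIC = (
    (b"\x1f\x8b", "gzip data"),
    (b"MZ", "PE executable"),
    (b"PK\x03\x04", "zip archive"),
)


def sniff(head: bytes) -> Optional[str]:
    """Return a content label for the first bytes of a member, or None if unknown."""
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return None


def triage_tgz(data: bytes) -> List[Tuple[str, str]]:
    """Walk every member of a gzip-compressed tar and return (name, reason) findings.

    Nothing is written to disk: only headers and the first bytes of each member are read.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf:
            name = member.name
            ext = posixpath.splitext(name)[1].lower()
            parts = name.replace("\\", "/").split("/")

            if name.strip() == "":
                findings.append((name, "entry with empty name"))
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                findings.append((name, "absolute path"))
            if ".." in parts:
                findings.append((name, "path traversal component"))
            if any(ord(c) < 0x20 for c in name):
                findings.append((name, "control character in name"))
            if ext in EXECUTABLE_EXT:
                findings.append((name, "executable entry"))
            if ext in ARCHIVE_EXT:
                findings.append((name, "nested archive by extension"))
            if member.islnk() or member.issym():
                findings.append((name, "hard or symbolic link"))
            if member.isreg():
                head = tf.extractfile(member).read(8)
                kind = sniff(head)
                if kind == "PE executable":
                    findings.append((name, "PE executable content"))
                elif kind in ("gzip data", "zip archive") and ext not in ARCHIVE_EXT:
                    findings.append((name, f"{kind} under a non-archive name"))
    return findings


def build_sample() -> bytes:
    """Constructed .TGZ mirroring the layout described in the post (not the real sample):
    an entry with no name holding gzip data, plus an .RTF and a .PPT."""
    entries = (
        ("", b"\x1f\x8b\x08\x00" + b"\x00" * 28),
        ("ww2_chronology.rtf", b"{\\rtf1\\ansi Chronology}"),
        ("ww2_chronology.ppt", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56),
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in triage_tgz(build_sample()):
        print(f"{name!r}: {reason}")
```

    Because the flaw lives in Lhaz's own decompression code, a file like this should be inspected with an independent parser that never passes the bytes to the vulnerable tool; here Python's tarfile is used for listing and sniffing only, never for extraction. A member the parser rejects outright (a malformed header, for instance) is itself a finding worth keeping.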

    [image: lhaz1.jpg]

    During decompression, however, a dropper Trojan is executed through the vulnerability, which was undisclosed at the time. Once running, the Trojan notifies a remote server that it has successfully infected the system and then installs a backdoor in the Windows system folder:

    [image: lhaz2.jpg]

    The dropped backdoor uses the file name wuausrv.dll, which is also the name of a legitimate Windows file, a choice that helps it escape casual detection and subsequent removal. Even its version information (in File Properties) closely resembles that of the legitimate file, differing only in certain trademark symbols (such as © and ®; see the images below, the lower one being the legitimate file).

    [image: lhaz3.jpg]

    [image: lhaz4.jpg]

    Archiving software falls into two broad types: programs that rely on shared, general-purpose compression/decompression .DLL files, and programs that use their own. The previously exploited +Lhaca belongs to the former; Lhaz belongs to the latter. The latter type (software that ships its own .DLL files) also seems to be the one most organizations prefer, because it is easier to manage. The distinction matters for patching: a flaw in a shared DLL is fixed for every program by updating that one DLL, whereas a flaw in a program's private decompression code, as here, is fixed only by updating that program.

    Trend Micro already detects the archive that exploits the Lhaz vulnerability as TROJ_LZDROPPER.A. The installed backdoor program, sav.exe, is detected as BKDR_PROTUX.AK.

    A fix for this vulnerability has been released in Lhaz version 1.34 B2. Users are advised to update to avoid being victimized by this exploit.

    Additional information provided by Edgardo A. Diaz Jr. (Escalation Engineer).

    © Copyright 2011 Trend Micro Inc. All rights reserved.