TROJ_LHDROPPER.A
Overview

Malware type: Trojan

Aliases: Exploit.Win32.Lha.a (Kaspersky), Exploit-Lhaca.a (McAfee), Trojan.Lhdropper (Symantec), TR/Lhdropper.A (Avira)

In the wild: Yes

Destructive: No

Language: Japanese

Platform: Windows 2000, XP, Server 2003 with Lhaca version 1.20 installed

Encrypted: Yes

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

TROJ_LHDROPPER.A Behavior Diagram

Malware Overview

This is the Trend Micro detection for a Trojan that reportedly exploits a vulnerability in Lhaca version 1.20, a Japanese archiving application. Once the exploit succeeds, the Trojan checks whether the affected machine is running a Japanese OS. If it is, it drops several files, one of which is detected by Trend Micro as BKDR_AGENT.AANE; the routines of that backdoor may then be exhibited on the system. On English-language platforms it merely displays an error message and exits.

It also drops a non-malicious LZH archive that contains a blank PowerPoint (PPT) file. Below are screenshots of that archive and of the PPT file it contains:

.LZH archive:

LZH archive

.PPT file:

Blank PowerPoint file

It opens this PPT file as a decoy to hide its execution.

The names of both the archive and the PPT file translate to "Event Plan for Fiscal Year 2007".
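A decoy LZH archive like the one described above is safest to examine without ever handing it to an extractor. The following is an added triage example, not Trend Micro's code and not a reproduction of the Lhaca 1.20 flaw (which this page does not detail): it walks the level-0 and level-2 header layouts of an LZH file, lists each entry's name and sizes, and reports structural anomalies (header checksum mismatch, name length larger than the header, extended headers or packed data running past the end of the file, path traversal in names) instead of trusting the declared values. The two-entry sample archive, the `event_plan_fy2007.ppt` file name and the `MAX_NAME_LEN` threshold are constructed assumptions for the demonstration.

```python
"""List the entries of an LZH (LHA) archive without extracting it.

Added triage example (not Trend Micro code). Parses level-0 and level-2
headers and reports structural anomalies rather than trusting them.
The sample archive, its file names and MAX_NAME_LEN are constructed.
"""
import struct

MAX_NAME_LEN = 128   # assumption: longer names are flagged for manual review


def crc16(data: bytes) -> int:
    """CRC-16/ARC (reflected poly 0xA001), the per-file CRC used by LHA."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_level0(name: bytes, data: bytes) -> bytes:
    """Minimal level-0 entry storing `data` uncompressed (-lh0-)."""
    body = (b"-lh0-" + struct.pack("<II", len(data), len(data))
            + struct.pack("<I", 0) + b"\x20\x00"          # DOS time, attr, level 0
            + bytes([len(name)]) + name + struct.pack("<H", crc16(data)))
    return bytes([len(body), sum(body) & 0xFF]) + body + data


def build_level2(name: bytes, data: bytes) -> bytes:
    """Minimal level-2 entry: 26-byte fixed part plus one filename ext header."""
    ext = b"\x01" + name + struct.pack("<H", 0)      # type 1 = name, next size 0 = end
    body = (b"-lh0-" + struct.pack("<III", len(data), len(data), 0)
            + b"\x20\x02" + struct.pack("<H", crc16(data)) + b"M"
            + struct.pack("<H", len(ext)) + ext)
    return struct.pack("<H", 2 + len(body)) + body + data


def _name_flags(name: bytes, flags: list) -> None:
    if len(name) > MAX_NAME_LEN:
        flags.append("unusually long filename")
    parts = name.replace(b"\\", b"/").replace(b"\xff", b"/").split(b"/")
    if b".." in parts or name.startswith((b"/", b"\\")):
        flags.append("path traversal in filename")


def parse_lzh(blob: bytes) -> list:
    """Return one dict per entry; 'flags' lists anomalies found in its header."""
    entries, pos = [], 0
    while pos < len(blob) and blob[pos] != 0:        # a zero byte terminates the archive
        e = {"flags": []}
        if pos + 26 > len(blob):
            e["flags"].append("truncated header"); entries.append(e); break
        level = e["level"] = blob[pos + 20]            # level byte sits at offset 20 in all layouts
        if level in (0, 1):
            hsize, chk = blob[pos], blob[pos + 1]
            hdr = blob[pos + 2: pos + 2 + hsize]
            if hsize < 22 or len(hdr) < hsize:
                e["flags"].append("header size invalid"); entries.append(e); break
            if sum(hdr) & 0xFF != chk:
                e["flags"].append("header checksum mismatch")
            e["method"] = hdr[:5]
            e["packed"], e["size"] = struct.unpack_from("<II", hdr, 5)
            nlen = hdr[19]
            if 20 + nlen + 2 > hsize:                  # name would overrun the header
                e["flags"].append("name length exceeds header")
                nlen = hsize - 22
            e["name"] = hdr[20: 20 + nlen]
            data_start = pos + 2 + hsize
        elif level == 2:
            hsize = struct.unpack_from("<H", blob, pos)[0]
            e["method"] = blob[pos + 2: pos + 7]
            e["packed"], e["size"] = struct.unpack_from("<II", blob, pos + 7)
            ext_size = struct.unpack_from("<H", blob, pos + 24)[0]
            p, name = pos + 26, b""
            while ext_size:                            # ext header = type, data, next size
                ext = blob[p: p + ext_size]
                if ext_size < 3 or len(ext) < ext_size:
                    e["flags"].append("extended header overruns archive"); break
                if ext[0] == 1:
                    name = ext[1:-2]
                ext_size = struct.unpack_from("<H", ext, len(ext) - 2)[0]
                p += len(ext)
            if p - pos != hsize:
                e["flags"].append("header size field disagrees with ext headers")
            e["name"] = name
            data_start = pos + hsize
        else:
            e["flags"].append(f"unsupported header level {level}"); entries.append(e); break
        _name_flags(e["name"], e["flags"])
        if data_start + e["packed"] > len(blob):
            e["flags"].append("packed data overruns archive")
        entries.append(e)
        pos = data_start + e["packed"]
    return entries


def sample_archive() -> bytes:
    """Constructed two-entry archive: a stored 'blank' PPT-named file plus a text file."""
    return (build_level2(b"event_plan_fy2007.ppt", b"\x00" * 64)
            + build_level0(b"readme.txt", b"decoy") + b"\x00")


def malformed_sample() -> bytes:
    """Level-0 entry whose name-length byte (offset 21) claims more than the header holds."""
    good = build_level0(b"event_plan_fy2007.ppt", b"decoy")
    return good[:21] + b"\xff" + good[22:] + b"\x00"


if __name__ == "__main__":
    for blob in (sample_archive(), malformed_sample()):
        for ent in parse_lzh(blob):
            print(ent.get("level"), ent.get("name"), ent.get("size"), ent["flags"])
```

Run it against a real attachment by reading the file into `blob` and calling `parse_lzh`; any non-empty `flags` list is a reason to keep the archive away from a desktop extractor and look at the header bytes by hand.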

For additional information about this threat, see:
Solution
Technical Details

Description created: Jun. 26, 2007 7:10:28 PM GMT -0800
