Well, it's that time of year again. April is the first month of the fiscal year in Japan, and a time when people look forward to the breath-taking beauty of cherry blossoms—known as sakura in Japan—slowly covering the country from end to end for an all-too-brief few weeks. Unfortunately it also seems to be a time malicious code authors in the Land of the Rising Sun see as opportune to do some of their dirty work. In this case, that misuse of perfectly good time resulted in the release of an exploit for a new Ichitaro vulnerability.
JustSystems’ Ichitaro is one of the most widely used word processing programs in Japan. On this occasion, a specially crafted Ichitaro word document creates a randomly named .tmp file in the Windows system directory. This .tmp file then drops and opens a legitimate Ichitaro word document, but it also creates a file named “beer80.exe” in the system directory. The .exe file will be unseen by the user and will, in turn, drop three additional malicious files that attempt to open a back door on the compromised computer.
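The drop chain described above (a .tmp file written to the system directory that then acts as a process and writes an .exe there) can be hunted for in file-creation telemetry. The following is an added example, not code from Symantec or JustSystems; the event schema, the process paths, the sample file names other than beer80.exe, and the system directory location are all assumptions constructed for illustration.

```python
import ntpath

SYSTEM_DIR = r"c:\windows\system32"  # assumption: default Windows system directory

# Constructed file-creation events in chronological order
# (hypothetical schema: "image" is the writing process, "target" the file written).
EVENTS = [
    {"image": r"C:\Program Files\WordProc\wordproc.exe", "target": r"C:\Windows\System32\a91f.tmp"},
    {"image": r"C:\Windows\System32\a91f.tmp", "target": r"C:\Users\u\AppData\Local\Temp\report.jtd"},
    {"image": r"C:\Windows\System32\a91f.tmp", "target": r"C:\Windows\System32\beer80.exe"},
    {"image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\cache.tmp"},
    {"image": r"C:\Program Files\Updater\upd.exe", "target": r"C:\Windows\System32\tool.exe"},
]

def _norm(path):
    # Windows paths are case-insensitive; normalize before comparing.
    return ntpath.normpath(path).lower()

def _in_system_dir(path):
    return ntpath.dirname(_norm(path)) == SYSTEM_DIR

def _ext(path):
    return ntpath.splitext(_norm(path))[1]

def find_dropper_chains(events):
    """Return (tmp_path, exe_path, original_writer) for each chain where a .tmp
    written to the system directory later writes an .exe to the same directory."""
    tmp_writers = {}  # normalized .tmp path -> process that created it
    chains = []
    for ev in events:
        image, target = _norm(ev["image"]), _norm(ev["target"])
        # Stage 1: remember every .tmp file created in the system directory.
        if _in_system_dir(target) and _ext(target) == ".tmp":
            tmp_writers[target] = image
        # Stage 2: one of those .tmp files is now the writing process itself.
        if image in tmp_writers and _in_system_dir(target) and _ext(target) == ".exe":
            chains.append((image, target, tmp_writers[image]))
    return chains

if __name__ == "__main__":
    for tmp, exe, writer in find_dropper_chains(EVENTS):
        print(f"ALERT: {writer} wrote {tmp}, which then dropped {exe}")
```

Because the .tmp name is random, the rule keys on the behaviour (a .tmp image writing an executable into the system directory) rather than on any file name.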
JustSystems released a patch for this vulnerability yesterday—you can read more about it here (in Japanese). We recommend that Ichitaro users apply this patch as soon as possible.
The malicious Ichitaro word document is detected by Symantec as Trojan.Tarodrop.H. The .tmp file is detected as Trojan Horse, and all of the dropped files are detected as Backdoor.Trojan. As always, we recommend that you keep your security software up to date, follow safe computing practices, and if possible, stop and smell the roses occasionally. Or, if you happen to be in Japan at this time of year, the cherry blossoms.