Endpoint Protection

Unknown Exploit Compromises Ichitaro 

Aug 02, 2007 03:00 AM

Symantec Security has received a sample of an Ichitaro document that contains a currently unknown exploit. This is not necessarily surprising, as most software has vulnerabilities, but a user who opens the document will surely be hit with a surprise.

Symantec detects the malicious document as Trojan.Tarodrop.D. When it is opened, malware is dropped onto the compromised computer, which Symantec detects as Trojan Horse. The dropped Trojan in turn drops more malware (detected as Hacktool.Keylogger) that logs keystrokes and sends the stolen information to cvnxus.8800.org on TCP port 443, the port normally used for HTTPS, so the traffic blends in with ordinary web browsing.

Additionally, Hacktool.Keylogger injects a copy of itself (%System%\dg.exe) into the explorer.exe process, which prevents the user from seeing all of its files. It then deletes itself, but not until after it has copied itself to %System%\svhosts.exe. This allows it to start up as %System%\svhosts.exe and inject itself into the explorer.exe process again at the next reboot. Because the injected code runs inside explorer.exe, every action it takes, including opening the connection to the command-and-control host, appears to come from explorer.exe rather than from %System%\svhosts.exe. This is most likely intended to bypass any firewall installed on the compromised computer that makes per-process decisions, by hiding behind explorer.exe, a legitimate process that such firewalls typically allow.
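The two paragraphs above give a responder three host-side indicators to hunt for: the dropped file names (%System%\dg.exe and %System%\svhosts.exe), the fact that svhosts.exe is one letter away from the legitimate svchost.exe, and an outbound TCP/443 connection to cvnxus.8800.org that, because of the injection, is owned by explorer.exe rather than by the dropped file. The script below is an added example written for this page, not Symantec's tooling; the process snapshot, connection table and DNS log it reads are constructed sample data, not output captured from an infected host, and the lookalike-name check and the %System% path it assumes are the author's additions, not something the write-up states.

```python
"""Hunt for the Trojan.Tarodrop.D / Hacktool.Keylogger indicators over
constructed host snapshots.  Added example, not Symantec's code."""
import re
from typing import Dict, List, Tuple

C2_HOST = "cvnxus.8800.org"                 # from the write-up
C2_PORT = 443                               # from the write-up
DROPPED_NAMES = {"dg.exe", "svhosts.exe"}   # from the write-up
SYSTEM_DIR = r"c:\windows\system32"         # assumption: where %System% points
LEGIT_SERVICE_HOST = "svchost.exe"          # the name svhosts.exe imitates (author's observation)

# Constructed sample: "pid name image_path" per line (path may contain spaces or be absent).
PROCESS_SNAPSHOT = r"""
4 System
612 explorer.exe C:\WINDOWS\explorer.exe
804 svchost.exe C:\WINDOWS\system32\svchost.exe
1120 svhosts.exe C:\WINDOWS\system32\svhosts.exe
1300 taro.exe C:\Program Files\JustSystem\Ichitaro\taro.exe
"""

# Constructed sample in "netstat -ano" layout: proto local remote state pid.
CONNECTIONS = """
TCP 192.168.1.10:1057 203.0.113.7:443 ESTABLISHED 612
TCP 192.168.1.10:1058 192.168.1.1:80 ESTABLISHED 1300
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 804
"""

# Constructed sample DNS log so the remote IP can be tied back to the C2 name.
DNS_LOG = """
2007-08-02T03:00:12 192.168.1.10 A cvnxus.8800.org -> 203.0.113.7
2007-08-02T03:00:40 192.168.1.10 A windowsupdate.microsoft.com -> 198.51.100.9
"""


def parse_processes(text: str) -> Dict[int, dict]:
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        procs[int(parts[0])] = {"name": parts[1], "path": parts[2] if len(parts) == 3 else ""}
    return procs


def parse_connections(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, _local, remote, state, pid = parts
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"remote_ip": rhost, "remote_port": int(rport), "state": state, "pid": int(pid)})
    return rows


def parse_dns(text: str) -> Dict[str, str]:
    """Map each answered IP back to the name that was queried."""
    ip_to_name = {}
    for m in re.finditer(r"\bA (\S+) -> (\S+)", text):
        ip_to_name[m.group(2)] = m.group(1)
    return ip_to_name


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch svchost.exe lookalikes such as svhosts.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hunt(process_text: str, conn_text: str, dns_text: str) -> List[Tuple[str, int]]:
    """Return (indicator, pid) pairs for every process matching one of the three indicators."""
    procs = parse_processes(process_text)
    ip_to_name = parse_dns(dns_text)
    findings: List[Tuple[str, int]] = []
    for pid, p in sorted(procs.items()):
        name = p["name"].lower()
        in_system = p["path"].lower().startswith(SYSTEM_DIR)
        if name in DROPPED_NAMES:
            findings.append(("dropped_name", pid))          # dg.exe / svhosts.exe, wherever it runs from
        if name != LEGIT_SERVICE_HOST and name.endswith(".exe") and levenshtein(name, LEGIT_SERVICE_HOST) <= 2:
            findings.append(("svchost_lookalike", pid))     # near-miss of a trusted service-host name
        del in_system  # retained only as a hook if a path-based rule is wanted later
    for c in parse_connections(conn_text):
        # The injected thread makes this connection from explorer.exe, so match on the
        # destination, not on the process name the firewall would have trusted.
        if c["state"] == "ESTABLISHED" and c["remote_port"] == C2_PORT \
                and ip_to_name.get(c["remote_ip"]) == C2_HOST:
            findings.append(("c2_connection", c["pid"]))
    return findings


if __name__ == "__main__":
    procs = parse_processes(PROCESS_SNAPSHOT)
    for tag, pid in hunt(PROCESS_SNAPSHOT, CONNECTIONS, DNS_LOG):
        print(f"{tag:18} pid {pid:5} {procs[pid]['name']}")
```

On the constructed data this flags pid 1120 twice (dropped name and svchost lookalike) and pid 612, which is explorer.exe, for the TCP/443 session to cvnxus.8800.org; the legitimate svchost.exe and the Ichitaro process are left alone. The DNS join matters in practice: a process-aware firewall sees only explorer.exe talking to an IP on 443, which is exactly the disguise the write-up describes.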

As for the content of the document: as soon as the document is opened, you see a flash on the screen before the content appears. This is a common occurrence with attacks involving vulnerabilities. The flash you saw is the original document's Ichitaro instance crashing as the exploit succeeds; the malware then drops and opens a new document, which is what you actually see, and it is blank.

As always, we recommend that you keep your security software up-to-date and follow safe computing practices.

Update - August 3, 2007:
The vulnerability discussed above has since been identified as the JustSystem Ichitaro Unspecified Code Execution Vulnerability, as described in BID 25187.
