Backdoor Sneaks into Computers through Japanese Text Editor

August 24, 2006

Text files are generally perceived as safe and harmless: people download them from the Internet or receive them by email and open them on their computers with little fear of virus infection. That is not the case for users of the Japanese text editor Ichitaro, which saves files with the ‘.JTD’ extension.

Security experts at MicroWorld Technologies report that infected JTD files are being used to exploit a recently discovered vulnerability in Ichitaro in order to spread a covert backdoor named ‘Win32.Papi.a’, enabling targeted attacks against computers in the Land of the Rising Sun. Justsystems, the maker of Ichitaro, has issued a patch for the flaw.

The backdoor is delivered by a malicious JTD file that carries a Trojan dropper named ‘Ichitaro.Tarodrop.a’. The dropper exploits a Unicode stack overflow vulnerability in the text editing software to execute its code on the system and to extract the backdoor, ‘Win32.Papi.a’.

Once activated, Win32.Papi.a installs itself in the system registry, creates a service named CAPAPI, and drops its main DLL file, which is then injected into the running processes of the compromised computer. It then establishes a connection to the remote server on port 8080 and listens for commands from the attacker.
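As an added example, not from the original article or from MicroWorld, the following Python sketch applies the two host-level indicators the article names, a service called CAPAPI and an outbound TCP connection on port 8080, to a few constructed telemetry lines. The key=value log format, hostnames and addresses are assumptions; port 8080 alone is treated as a weak signal because it is a common proxy port, so only hosts showing both indicators are reported as likely infected.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (assumed key=value format, not real logs):
# service-install audit events and host-firewall connection events.
SAMPLE_LOG = """\
2006-08-24T09:00:01 host=ws01 event=service_install name=CAPAPI
2006-08-24T09:00:02 host=ws01 event=net_connect proc=svchost.exe dst=203.0.113.10 dst_port=8080 proto=tcp
2006-08-24T09:05:00 host=ws02 event=net_connect proc=firefox.exe dst=198.51.100.7 dst_port=8080 proto=tcp
2006-08-24T09:06:00 host=ws03 event=service_install name=Spooler
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

# Indicators taken from the article: service name CAPAPI, C2 on TCP port 8080.
SERVICE_NAME = "CAPAPI"
C2_PORT = "8080"


def parse_line(line):
    """Split one record into its key=value fields (the timestamp is ignored)."""
    return dict(KV_RE.findall(line))


def find_papi_indicators(log_text):
    """Map each host to the sorted list of indicators observed for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        host = ev.get("host")
        if host is None:
            continue
        if ev.get("event") == "service_install" and ev.get("name", "").upper() == SERVICE_NAME:
            hits[host].add("capapi_service")
        elif ev.get("event") == "net_connect" and ev.get("proto") == "tcp" and ev.get("dst_port") == C2_PORT:
            hits[host].add("tcp_8080")
    return {host: sorted(inds) for host, inds in hits.items()}


def high_confidence_hosts(indicators):
    """Port 8080 is a common proxy port, so only hosts showing BOTH the
    CAPAPI service and the 8080 connection are reported as likely infected."""
    return sorted(h for h, inds in indicators.items() if {"capapi_service", "tcp_8080"} <= set(inds))


if __name__ == "__main__":
    found = find_papi_indicators(SAMPLE_LOG)
    for host, inds in sorted(found.items()):
        print(host, inds)
    print("likely infected:", high_confidence_hosts(found))
```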

The backdoor can harvest system information, stop and start processes, take screenshots of the desktop and send them to the attacker, download files from the Internet and execute them, capture network user information, log off the current user, search disks for files, create and move directories, and restart the victim’s machine. Using Win32.Papi, the attacker takes over the targeted machine completely and can conduct a range of online criminal activities from it.
