Ashura

Quote:
Text files are perceived to be rather safe and harmless to download from the Internet or emails and open on one's computer without much fear of virus infection. But not for the users of the Japanese text editor program Ichitaro, which saves files with '.JTD' extensions.
 
Security experts at MicroWorld Technologies inform that infected JTD files are smartly employed in exploiting a recently found vulnerability in Ichitaro, in order to spread a covert backdoor named 'Win32.Papi.a', thus orchestrating targeted computer attacks in the land of the rising sun.
 
The backdoor penetration is carried out using a malicious JTD file that backpacks a Trojan Dropper named ‘Ichitaro.Tarodrop.a’. The Trojan Dropper exploits a Unicode Stack Overflow Vulnerability in the text editing software to execute its code on the system and to extract a backdoor named ‘Win32.Papi.a’.
 
Once activated, Win32.Papi.a installs itself in the system registry, initiates a service named CAPAPI, and drops its main DLL file, which is then injected into the running processes of the compromised computer. It establishes a connection with the remote server on port 8080 and listens for commands from the remote attacker.

The main Trojan file is a Justsystem Ichitaro (JTD) file 134835 bytes in size. Ichitaro is the most popular Japanese text editing program.
Once launched, the Trojan exploits an undocumented vulnerability in Ichitaro Office Suite. It extracts an embedded .exe file called "ahah.exe" and saves it to the Windows temporary directory:
%UserProfile%\Local Settings\Temp\ahah.exe
It then launches the file for execution.
If you are infected already, here is a way to get rid of this trojan: http://www.mwti.com/virus_info/virusalertd.asp?vid=878
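As an added defensive example (my own code, not from the alert or from MicroWorld): a Python check that looks for a PE executable embedded inside a document blob, the way the JTD dropper described above carries ahah.exe, plus a match of a host inventory against the indicators the alert names (service CAPAPI, ahah.exe in Temp, a connection on port 8080). The sample document, the PE stub and the host inventory are constructed for the demo; the function and variable names are mine.

```python
import struct

# Indicators taken from the alert text above
DROPPED_EXE_NAME = "ahah.exe"
SERVICE_NAME = "CAPAPI"
C2_PORT = 8080

def find_embedded_pe(data: bytes) -> list:
    """Return offsets of PE executables embedded in a document blob.

    Finds each 'MZ' DOS header, reads e_lfanew (offset 0x3C) and requires
    that it points at a 'PE\\0\\0' signature, so random 'MZ' byte pairs in
    ordinary document content are not reported.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def build_fake_pe_stub() -> bytes:
    """Construct a minimal, non-runnable PE header for the demo (not malware)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> right after it
    return bytes(dos) + b"PE\0\0" + b"\0" * 20

# Constructed sample: document text wrapping an embedded executable, as the
# Tarodrop JTD file described above does (stand-in data, not a real sample)
SAMPLE_JTD = b"JTD document body ... " + build_fake_pe_stub() + b" ... trailer"

def host_indicators(services, temp_files, connections) -> list:
    """Match a host snapshot (constructed inventory lists) against the alert's IoCs."""
    found = []
    if SERVICE_NAME.lower() in (s.lower() for s in services):
        found.append("service:" + SERVICE_NAME)
    if any(f.lower().endswith("\\" + DROPPED_EXE_NAME) for f in temp_files):
        found.append("file:" + DROPPED_EXE_NAME)
    # Port 8080 alone is noisy (common proxy port); treat it only as corroboration
    if any(port == C2_PORT for _, port in connections):
        found.append("net:port%d" % C2_PORT)
    return found
```

Run find_embedded_pe over the JTD file's bytes before opening it; a document that carries a full PE header is the signature of the dropper the alert describes.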