Known attack scenarios combine a malicious Microsoft Word document (.DOC) with a malicious Microsoft Access database (.MDB) to trigger a buffer overrun in the Microsoft JET Database Engine.
The user receives a ZIP archive by e-mail containing the two crafted files. When the user opens the document, its mail merge settings point Word at the database file as a data source; the JET engine parses the malformed database, the buffer overrun is triggered, and shellcode embedded in the MDB file executes. Neither file needs to exploit Word itself: the document only serves to make Word load the database.
When the shellcode executes, it may write a malicious executable to "C:\SVCHOST.EXE" and run it. Note that the legitimate svchost.exe lives in the Windows System32 folder, so a file of that name in the root of the system drive is itself a strong indicator. The dropped malware is often detected by our antivirus scanner as "VirTool:Win32/DelfInject.gen!K".
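The following Python script is an added example and is not part of the original encyclopedia entry. It triages an e-mail attachment ZIP for the .DOC plus .MDB pairing described above. It goes slightly beyond the extension-based indicator by also sniffing the OLE2 compound-document and Jet database magic bytes, so a database that has been renamed to hide its extension is still flagged. The archive contents are constructed, inert stand-ins carrying only the correct header bytes (no real document, database or shellcode), and the file names are hypothetical.

```python
import io
import os
import zipfile

# Magic bytes of the two container formats the attack pairs together.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound document (legacy .doc)
JET_SIGNATURE = b"Standard Jet DB"  # found at offset 4 of a Jet 3/4 .mdb


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes, independent of its extension."""
    if head.startswith(OLE_MAGIC):
        return "ole2"
    if head[4:4 + len(JET_SIGNATURE)] == JET_SIGNATURE:
        return "jet"
    return "other"


def triage_zip(archive: bytes) -> dict:
    """Inspect a ZIP held in memory and report whether it carries the
    Word document + Jet database pairing described in the entry."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)  # enough bytes for both signatures
            ext = os.path.splitext(info.filename)[1].lower()
            entries.append({"name": info.filename, "ext": ext, "type": sniff(head)})

    has_doc = any(e["ext"] == ".doc" or e["type"] == "ole2" for e in entries)
    has_mdb = any(e["ext"] == ".mdb" or e["type"] == "jet" for e in entries)
    # A Jet database whose extension hides it (e.g. .txt) is still a Jet database.
    mismatched = [e["name"] for e in entries
                  if e["type"] == "jet" and e["ext"] != ".mdb"]
    return {
        "entries": entries,
        "has_doc": has_doc,
        "has_mdb": has_mdb,
        "mismatched": mismatched,
        "suspicious": has_doc and has_mdb,
    }


# Constructed, inert stand-ins: correct magic bytes followed by zero padding.
# They contain no real document, database or shellcode.
FAKE_DOC = OLE_MAGIC + b"\x00" * 504
FAKE_MDB = b"\x00\x01\x00\x00" + JET_SIGNATURE + b"\x00" * 108
FAKE_TXT = b"Please find the invoice attached.\r\n"


def build_zip(files: dict) -> bytes:
    """Pack {name: bytes} into a ZIP archive in memory (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("doc + mdb", {"invoice.doc": FAKE_DOC, "customers.mdb": FAKE_MDB}),
        ("doc + renamed mdb", {"invoice.doc": FAKE_DOC, "notes.txt": FAKE_MDB}),
        ("doc + txt", {"invoice.doc": FAKE_DOC, "notes.txt": FAKE_TXT}),
    ]
    for label, files in samples:
        v = triage_zip(build_zip(files))
        print(f"{label:18s} suspicious={v['suspicious']} mismatched={v['mismatched']}")
```

The verdict is deliberately coarse: a legitimate archive that happens to ship a Word document together with an Access database will also be flagged, so this belongs in a mail-gateway quarantine or analyst triage queue rather than as a blocking rule on its own. Pairing it with the C:\SVCHOST.EXE file-creation indicator on the endpoint gives the second data point needed to confirm a hit.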
The malware within the ZIP archive may be detected by the following names:
Exploit:Win32/Jdrop.gen!A - malicious MDB file
Exploit:Win32/Jdrop.gen!B - malicious DOC file
Analysis by Cristian Craioveanu
The following system changes may indicate the presence of Exploit:Win32/Jdrop.gen!A:
the unsolicited receipt of a ZIP archive containing two files, one with a .DOC extension and the other with an .MDB extension
upon opening the .DOC file from a ZIP archive that also contains an .MDB file, the following file is created: