Encyclopedia entry
Updated: Apr 17, 2011 | Published: Apr 14, 2008
Aliases
- CVE-2008-1092 (other)
- Trojan-Downloader.MSAccess.MsJet.a (Kaspersky)
- Exploit-MSJet (McAfee)
- Trojan/Mdrop-BQR (Sophos)
- Bloodhound.Exploit.183 (Symantec)
Alert Level: Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created: Definition 1.45.287.0, released Oct 07, 2008
Summary
Symptoms
System Changes
The following system changes may indicate the presence of Exploit:Win32/Jdrop.gen!A:
- the unsolicited receipt of a ZIP archive containing two files, one with a .DOC file extension and the other with an .MDB file extension
- upon opening the .DOC file from within a ZIP archive that also contains an .MDB file, the following file is created: c:\svchost.exe
Technical Information (Analysis)
Installation
Known attack scenarios combine a malicious Microsoft Word document (.DOC) file with a malicious Microsoft Access database (.MDB) file to trigger a buffer overrun in the JET database engine.
A user receives a ZIP archive via e-mail containing the two crafted files. When the user opens the malicious document, it uses the mail merge feature to access the malicious database file; this triggers the buffer overrun and executes the shellcode embedded within the MDB file.
Payload
Drops Malware
When the shellcode executes, it may drop a malicious file as "C:\SVCHOST.EXE" and execute it. The dropped malware is often detected by our antivirus scanner as "VirTool:Win32/DelfInject.gen!K".
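The two observable indicators this entry gives (a ZIP archive carrying a .DOC and an .MDB file together, from the System Changes section, and a dropped copy of svchost.exe at the drive root, from the Payload section) can be turned into a simple triage check. The following Python is an added example written for this page and is not Microsoft's code or detection logic. It assumes the ZIP is available as bytes (e.g. an e-mail attachment pulled from a mail gateway), that the pairing rule generalises to any number of .DOC/.MDB members in the archive, and that a legitimate svchost.exe lives only under %SystemRoot%\System32 or %SystemRoot%\SysWOW64, which is general Windows knowledge rather than something the entry states. The archive built by build_sample_zip is constructed for the demonstration and contains placeholder bytes, not a real sample.

```python
import io
import zipfile
from typing import List, Tuple

# File extensions named in the entry: a Word document paired with an Access database.
LURE_EXT = ".doc"
DB_EXT = ".mdb"

# Assumption (general Windows layout, not from the entry): the only directories
# where a genuine svchost.exe is expected.
LEGIT_SVCHOST_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def find_doc_mdb_pairs(data: bytes) -> List[Tuple[str, str]]:
    """Return every (doc, mdb) member-name pair found in a ZIP archive given as bytes.

    The entry describes an archive holding exactly one .DOC and one .MDB; this
    generalises by pairing every document with every database present, since the
    document's mail merge could reference any of them. Matching is case-insensitive
    because the entry itself quotes both upper- and lower-case extensions.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    docs = [n for n in names if n.lower().endswith(LURE_EXT)]
    mdbs = [n for n in names if n.lower().endswith(DB_EXT)]
    return [(d, m) for d in docs for m in mdbs]


def is_suspicious_archive(data: bytes) -> bool:
    """True when the archive matches the .DOC + .MDB delivery pattern."""
    return bool(find_doc_mdb_pairs(data))


def is_misplaced_svchost(path: str) -> bool:
    """True when a file named svchost.exe sits outside the Windows system directories.

    The entry reports the payload dropped as C:\\SVCHOST.EXE, i.e. at the drive root,
    so a file-creation event for svchost.exe anywhere but System32/SysWOW64 is the
    signal worth alerting on.
    """
    norm = path.replace("/", "\\").lower()
    if "\\" in norm:
        head, tail = norm.rsplit("\\", 1)
    else:
        head, tail = "", norm
    if tail != "svchost.exe":
        return False
    return not any(head.endswith(d) for d in LEGIT_SVCHOST_DIRS)


def build_sample_zip(members) -> bytes:
    """Constructed test archive (not a real sample): given member names, dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["invoice.DOC", "data.mdb"])
    print("pairs:", find_doc_mdb_pairs(sample))
    print("root svchost suspicious:", is_misplaced_svchost(r"C:\SVCHOST.EXE"))
    print("system32 svchost suspicious:", is_misplaced_svchost(r"C:\Windows\System32\svchost.exe"))
```

Neither check proves an archive is malicious on its own: a .DOC and .MDB travelling together is unusual but legitimate, and the extension test says nothing about file contents. They are cheap first-pass filters to route an attachment to a scanner with current definitions, or to raise a file-creation alert, not replacements for signature or behavioural detection.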
Additional Information
The malware within the ZIP archive may be detected by the following names:
- Exploit:Win32/Jdrop.gen!A - malicious MDB file
- Exploit:Win32/Jdrop.gen!B - malicious DOC file
Analysis by Cristian Craioveanu
Prevention
Recovery