Exploit:Win32/Jdrop.gen!A


Exploit:Win32/Jdrop.gen!A is a generic detection for specially crafted Microsoft Access Database (MDB) files that exploit the Microsoft Jet Database Engine File Parsing Stack Overflow Vulnerability. This vulnerability is referenced by Common Vulnerabilities and Exposures ID CVE-2008-1092, and described in Microsoft Security Advisory 950267.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation

Known attack scenarios combine a malicious Microsoft Word document (.DOC) with a malicious Microsoft Access Database (.MDB) file to trigger a buffer overrun in the Jet engine.

A user receives a ZIP archive via e-mail containing the two crafted files. When the user opens the malicious document, it uses the mail merge feature to access the malicious database file, which triggers the buffer overrun and executes shellcode embedded in the MDB file.

Payload

Drops Malware

When the shellcode executes, it may drop a malicious file as "C:\SVCHOST.EXE" and execute it. The dropped malware is often detected by our antivirus scanner as "VirTool:Win32/DelfInject.gen!K".

Additional Information

The malware within the ZIP archive may be detected by the following names:
Exploit:Win32/Jdrop.gen!A - malicious MDB file
Exploit:Win32/Jdrop.gen!B - malicious DOC file
 
Analysis by Cristian Craioveanu

Symptoms

System Changes
The following system changes may indicate the presence of Exploit:Win32/Jdrop.gen!A:
  • the unsolicited receipt of a ZIP archive containing two files, one with .DOC file extension, the other with .MDB file extension
  • upon opening the .DOC file from within a ZIP archive also containing an .MDB file, the following file is created:
    c:\svchost.exe
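The two symptoms above can be checked mechanically at a mail gateway or on a triaged host. The following is an added example, not code from this entry or from Microsoft: it flags ZIP archives that carry both a .DOC and an .MDB member, and it flags the dropped-file path at the drive root while leaving the legitimate svchost.exe under System32 alone. The sample archive is constructed in memory with placeholder content and is not a real malicious file.

```python
import io
import zipfile
from typing import List, Optional, Tuple


def build_sample_zip(names: List[str]) -> bytes:
    """Constructed test archive: each member holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder content, not a real document")
    return buf.getvalue()


def find_doc_mdb_pair(zip_bytes: bytes) -> Optional[Tuple[str, str]]:
    """Return (doc_member, mdb_member) if the archive contains both a Word .doc
    and an Access .mdb file, the pairing this entry describes; otherwise None.
    Extension matching is case-insensitive and looks into nested folders."""
    docs: List[str] = []
    mdbs: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            if lower.endswith(".doc"):
                docs.append(info.filename)
            elif lower.endswith(".mdb"):
                mdbs.append(info.filename)
    if docs and mdbs:
        return docs[0], mdbs[0]
    return None


def is_jdrop_drop_path(path: str) -> bool:
    """True only for the drive-root svchost.exe named in this entry.
    The genuine svchost.exe lives in %SystemRoot%\\System32, so a match
    on the bare root path is the indicator, not the file name alone."""
    normalized = path.replace("/", "\\").strip().lower()
    return normalized == "c:\\svchost.exe"


if __name__ == "__main__":
    sample = build_sample_zip(["Invoice.DOC", "data.mdb"])
    print("suspicious pair:", find_doc_mdb_pair(sample))
    print("drop path hit:", is_jdrop_drop_path(r"C:\SVCHOST.EXE"))
```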

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.45.287.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Apr 14, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • CVE-2008-1092 (other)
  • Trojan-Downloader.MSAccess.MsJet.a (Kaspersky)
  • Exploit-MSJet (McAfee)
  • Trojan/Mdrop-BQR (Sophos)
  • Bloodhound.Exploit.183 (Symantec)