Trojan.Radropper Exploits WinRAR Vulnerability

[Symantec]

Trojan.Radropper Exploits WinRAR Vulnerability
<p>Recently, we have seen a trend in Trojan horse programs exploiting popular desktop applications. The applications that have been exploited have included Microsoft Word, Excel, Powerpoint, and JustSystem's Ichitaro. Now, we have uncovered a Trojan horse exploiting a vulnerability in WinRar—software which may not be quite as well known as those examples I have just mentioned.</p>

<p>Symantec Security Response has confirmed that <a href="http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-101015-1014-99">Trojan.Radropper</a> exploits the <a href="http://www.securityfocus.com/bid/19043/info">RARLAB WinRAR LHA Filename Handling Buffer Overflow Vulnerability</a>. This vulnerability was first made public in July of this year and has subsequently been fixed. The current version of WinRAR (version 3.61) does not contain this vulnerability.</p>

<p>The attack was email based and was executed when an email with a RAR archive attachment was sent to a user. Once the archive was opened, the RAR file would drop a file, which is detected as Backdoor.Trojan, onto the user's computer.</p>

<p>This threat is considered a very low risk at this time, due to the fact that it was used in a targeted attack. Additionally, the vulnerability exploited here is not new and a patch is already available. However, if you are using WinRAR, I fully advise you to patch the software as soon as possible.</p>
http://www.symantec.com/enterprise/security_response/weblog/2006/10/trojanradropper_exploits_winra.html
http://www.symantec.com/enterprise/security_response/weblog/2006/10/trojanradropper_exploits_winra.html
Tue, 10 Oct 2006 17:56:15 -0800