# HP JetDirect Download Manager for Windows antivirus trigger suspicious file
# Date: 3 Jan 2012
# Author: Andrei Costin (andrei@andreicostin.com)
# Software Link:
# http://h20000.www2.hp.com/bizsupport/TechSupport/DriverDownload.jsp?pnameOID=13218&locale=en_US&taskId=135&prodTypeId=13037&prodSeriesId=27355
# http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=13218&prodTypeId=18972&prodSeriesId=27355&swLang=8&taskId=135&swEnvOID=228
# Category: Windows App
# CVE: Not Avail yet
# Other SecAdv number: ACSA-2012-04

##### Intro #####

HP JetDirect Download Manager is a stand-alone application used to discover JetDirect devices on a user's network and manage their firmware levels. It is mainly used by network/system/printer administrators.

##### Vulnerability/Risk #####

This advisory does not describe a vulnerability as such. It describes a risk posed to end users: certain AV/IDS/IPS and signature-based binary verification programs trigger a "suspicious file" alert for "hpjdwnld.exe".

The following strings in "hpjdwnld.exe" appear to be what triggers the alerts:

"Model found in backdoor file!"
"FirmwareFileManager::ReadFirmwareBackDoorFile"
"FirmwareFileManager::ReadBackDoorfile"

On closer inspection of the file, several other suspicious strings were found:

"Rejected special firmware file:"
"Special firmware file:"
"\upgrades\jetdirect\SpecialUpgrades.txt"

If the officially distributed HP binary was already infected before packaging, there is an imminent risk to the end user and his/her devices/infrastructure.

##### "hpjdwnld.exe" Details #####

Size: 487424 bytes
File version: 4.30
Product name: HP Download Manager
Product version: 4.01
SHA-1: ed6bab59cf49ad6fc702d0afe475e802c290b9c5

##### Vendor Notification #####

3 Jan 2012 - Vendor Notified

##### Resolution #####

Not Avail yet
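The following script is an added example, not part of the advisory and not HP's code. It lets an administrator check whether a local copy of "hpjdwnld.exe" matches the size and SHA-1 given in the Details section above, and whether the strings listed in the Vulnerability/Risk section are present in it (searched both as plain ASCII and as UTF-16LE, since Windows binaries commonly store text either way). The function and variable names are my own; the sample file written by write_sample() is a constructed stand-in, not the real binary.

```python
import hashlib
import os
import sys
import tempfile

# Values copied from the advisory's "hpjdwnld.exe" Details section.
ADVISORY_SIZE = 487424
ADVISORY_SHA1 = "ed6bab59cf49ad6fc702d0afe475e802c290b9c5"

# Strings the advisory reports as present in the binary.
FLAGGED_STRINGS = [
    b"Model found in backdoor file!",
    b"FirmwareFileManager::ReadFirmwareBackDoorFile",
    b"FirmwareFileManager::ReadBackDoorfile",
    b"Rejected special firmware file:",
    b"Special firmware file:",
    b"\\upgrades\\jetdirect\\SpecialUpgrades.txt",
]


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-1 so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def matches_advisory(path):
    """Return (size_ok, sha1_ok): does the file match the advisory's size and SHA-1?"""
    size_ok = os.path.getsize(path) == ADVISORY_SIZE
    sha1_ok = sha1_of_file(path) == ADVISORY_SHA1
    return size_ok, sha1_ok


def find_flagged_strings(path):
    """Return the flagged strings found in the file, as ASCII or UTF-16LE, in list order."""
    with open(path, "rb") as f:
        data = f.read()
    found = []
    for s in FLAGGED_STRINGS:
        wide = s.decode("ascii").encode("utf-16-le")
        if s in data or wide in data:
            found.append(s.decode("ascii"))
    return found


def write_sample(content=None):
    """Write a constructed sample file (NOT hpjdwnld.exe) to a temp path and return the path.

    The default content embeds one flagged string as ASCII and another as UTF-16LE,
    separated by NUL padding, to exercise both search paths.
    """
    if content is None:
        content = (
            b"MZ" + b"\x00" * 14
            + b"Model found in backdoor file!" + b"\x00" * 8
            + "Special firmware file:".encode("utf-16-le") + b"\x00" * 8
        )
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def report(path):
    """Human-readable summary used by the command-line entry point."""
    size_ok, sha1_ok = matches_advisory(path)
    lines = [
        "file: %s" % path,
        "size matches advisory: %s" % size_ok,
        "sha1 matches advisory: %s" % sha1_ok,
        "flagged strings present: %s" % (find_flagged_strings(path) or "none"),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_hpjdwnld.py <path-to-hpjdwnld.exe>
    target = sys.argv[1] if len(sys.argv) > 1 else write_sample()
    print(report(target))
```

A size or SHA-1 mismatch does not by itself mean the file is malicious; it only means the copy in hand is not the build the advisory examined, so the string findings should be re-evaluated against it rather than assumed.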