Trojan:Win32/Cryptrun.A


Trojan:Win32/Cryptrun.A is a trojan embedded within an exploit for Microsoft PowerPoint (.PPS / .PPT) data files; the exploit itself is detected as Exploit:Win32/Apptom.gen. The exploit can execute on vulnerable systems running Microsoft Office 2000, Office XP, Office 2003, and Office for Mac.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
An attacker creates a malicious Microsoft PowerPoint presentation and sends it as an attachment to a target e-mail address. When the malicious file is opened on a vulnerable system, the exploit drops the embedded malware. In the wild, this exploit has been seen in limited and targeted attacks.
 
When viewed, the malicious presentation appears normal, as shown in the entry's example screen shot.
 
 
Meanwhile, the malicious presentation drops a trojan dropper (TrojanDropper:Win32/Apptom.A) as a file named 'fssm32.exe', which is then run. This dropper writes a second executable to the TEMP folder as '%TEMP%\setup.exe' (TrojanDropper:Win32/Apptom.B) and executes it via a command shell. The following additional files are then dropped:
 
  • %ProgramFiles%\Internet Explorer\IEUpd.exe - Trojan:Win32/Cryptrun.A
  • %ProgramFiles%\Internet Explorer\iexplore.hlp - encrypted binary
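A triage check for the dropped-file chain described above, added here as an example; it is not part of the original entry and not code from Microsoft. It matches a file listing (for instance one exported from a disk image or a remote file inventory) against the file names and paths the entry gives. The stage labels, the environment-variable expansions in ENV and the sample listing are assumptions constructed for the demonstration. File-name indicators cover only this sample, and finding them is a reason to run the full scan the entry recommends, not a substitute for it.

```python
import ntpath

# Dropped-file indicators taken from the entry above. Environment variables are kept
# symbolic so the same indicators can be expanded for whatever host the listing came
# from. The stage names are assumptions, not names used by the entry.
INDICATORS = {
    # TrojanDropper:Win32/Apptom.A; the entry gives only the file name, not its folder
    "stage1_dropper": r"fssm32.exe",
    # TrojanDropper:Win32/Apptom.B
    "stage2_dropper": r"%TEMP%\setup.exe",
    # Trojan:Win32/Cryptrun.A, the decrypt-and-run loader
    "cryptrun_loader": r"%ProgramFiles%\Internet Explorer\IEUpd.exe",
    # the encrypted blob the loader decrypts and executes
    "encrypted_payload": r"%ProgramFiles%\Internet Explorer\iexplore.hlp",
}

# Assumed expansions for a typical Windows XP / Server 2003 profile; adjust to the host.
ENV = {
    "%ProgramFiles%": r"C:\Program Files",
    "%TEMP%": r"C:\Documents and Settings\user\Local Settings\Temp",
}


def expand(path):
    """Expand the symbolic environment variables used in INDICATORS."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def normalize(path):
    """Canonical, case-folded Windows path (NTFS file names are case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(path))


def find_indicators(listing):
    """Return {stage: [matching paths]} for every indicator present in the listing."""
    hits = {stage: [] for stage in INDICATORS}
    for raw in listing:
        path = normalize(raw)
        for stage, indicator in INDICATORS.items():
            if "\\" in indicator:
                # full path known: compare the whole normalized path
                matched = path == normalize(expand(indicator))
            else:
                # only the file name known: compare the basename
                matched = ntpath.basename(path) == ntpath.normcase(indicator)
            if matched:
                hits[stage].append(raw)
    return {stage: paths for stage, paths in hits.items() if paths}


def cryptrun_pair_present(hits):
    """True when both halves of the Cryptrun component (loader + encrypted blob) are on disk."""
    return "cryptrun_loader" in hits and "encrypted_payload" in hits


# Constructed listing for the demonstration: two legitimate files mixed with the
# four dropped files named in the entry.
SAMPLE_LISTING = [
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Program Files\Internet Explorer\IEUpd.exe",
    r"C:\Program Files\Internet Explorer\iexplore.hlp",
    r"C:\Documents and Settings\user\Local Settings\Temp\setup.exe",
    r"C:\Documents and Settings\user\Desktop\fssm32.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    found = find_indicators(SAMPLE_LISTING)
    for stage, paths in found.items():
        print(f"{stage}: {paths}")
    print("Cryptrun loader and encrypted payload both present:", cryptrun_pair_present(found))
```

Because 'iexplore.hlp' is stored only in encrypted form, its contents cannot be classified by inspection; what ties it to this threat is its presence next to 'IEUpd.exe' in the Internet Explorer folder, which is why the check reports the pair rather than either file alone.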
 
Payload
Runs dropped executable code
Trojan:Win32/Cryptrun.A decrypts and executes the encrypted payload dropped as the component 'iexplore.hlp'. It checks for the presence of "iexplore.hlp", decrypts it using strong cryptographic algorithms, and runs the decrypted code. The payload itself can be any code the attacker chooses; because it is stored only in encrypted form, it cannot be identified from the dropped 'iexplore.hlp' alone.
 
Analysis by Cristian Craioveanu

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom.

Prevention


Alert level: Severe
First detected by definition: 1.55.980.0
Latest detected by definition: 1.161.1182.0 and higher
First detected on: Apr 03, 2009
This entry was first published on: Apr 02, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Agent.45056.ADY (AhnLab)
  • Exploit.CJX (AVG)
  • Win32/Dcryptexe.A (CA)
  • Exploit.Win32.Servu.ab (Kaspersky)
  • Muster.c (McAfee)
  • Trj/ServU.GM (Panda)
  • Exploit.Servu.X (Sophos)