Trojan:Win32/Cryptrun.A is a trojan embedded within an exploit in Microsoft PowerPoint (.PPS / .PPT) data files, identified as Exploit:Win32/Apptom.gen. The exploit could execute on vulnerable systems running Microsoft Office 2000, XP, 2003 and Mac Office.
An attacker creates a malicious Microsoft PowerPoint presentation and sends it as an attachment to a target e-mail address. When the malicious file is opened on a vulnerable system, the exploit can drop embedded malware. In the wild, this exploit has been seen in limited and targeted attacks.
When viewed, the malicious presentation appears normal (the original entry includes an example screenshot of the decoy presentation).
Meanwhile, the malicious presentation drops a trojan dropper (TrojanDropper:Win32/Apptom.A) as a file named 'fssm32.exe', which is then run. This trojan dropper creates another executable in the TEMP folder, '%TEMP%\setup.exe', which is also executed via a command shell. Additional files are dropped as follows:
%ProgramFiles%\Internet Explorer\IEUpd.exe - Trojan:Win32/Cryptrun.A
%ProgramFiles%\Internet Explorer\iexplore.hlp - encrypted binary
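The drop chain above (PowerPoint -> fssm32.exe -> cmd.exe -> setup.exe -> writes under %ProgramFiles%\Internet Explorer) is what a hunter would look for in endpoint telemetry. The following is an added example, not Microsoft's code, of that detection logic run over constructed process-creation and file-creation records. The record layout (a simplified, Sysmon-like dict with 'type', 'pid', 'ppid', 'image' and 'target'), the set of Office host images, and all sample events are assumptions made for the demo.

```python
"""Hunt for the Apptom/Cryptrun drop chain in process and file records.

Added example; not Microsoft's code.  Record format is an ASSUMPTION:
a simplified Sysmon-like event dict with keys
  type   : 'process' or 'file'
  pid    : creating process id
  ppid   : parent pid (process events only)
  image  : full path of the process image (process events only)
  target : full path of the file written (file events only)
All sample events below are constructed for the demo.
"""
from __future__ import annotations

import ntpath
from typing import Dict, Iterable, List, Tuple

# Assumption: Office host processes that open .pps/.ppt attachments.
OFFICE_IMAGES = {"powerpnt.exe", "winword.exe", "excel.exe"}

# File names taken from the drop chain in the entry (matched case-insensitively).
DROPPED_NAMES = {"fssm32.exe", "setup.exe", "ieupd.exe"}

# Drop locations from the entry, as path suffixes under %ProgramFiles%.
DROP_SUFFIXES = (
    r"\internet explorer\ieupd.exe",
    r"\internet explorer\iexplore.hlp",
)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def ancestors(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Image names from pid up to the root, pid first.  Cycle-safe."""
    chain: List[str] = []
    seen: set = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(image_name(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def from_office(pid: int, by_pid: Dict[int, dict]) -> bool:
    """True if any ancestor (including pid itself) is an Office host."""
    return any(name in OFFICE_IMAGES for name in ancestors(pid, by_pid))


def detect(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every event matching the drop chain.

    The file names alone are common (setup.exe, IEUpd.exe); only Office
    lineage makes them suspicious, so that check gates both rules.
    """
    events = list(events)
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: List[Tuple[int, str]] = []
    for e in events:
        if not from_office(e["pid"], by_pid):
            continue
        if e["type"] == "process" and image_name(e["image"]) in DROPPED_NAMES:
            chain = " <- ".join(ancestors(e["pid"], by_pid))
            findings.append((e["pid"], f"{image_name(e['image'])} under Office: {chain}"))
        elif e["type"] == "file" and e["target"].lower().endswith(DROP_SUFFIXES):
            findings.append((e["pid"], f"Office descendant wrote {e['target']}"))
    return findings


# Constructed sample telemetry: one infected session plus benign look-alikes.
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 2000, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE"},
    {"type": "process", "pid": 2100, "ppid": 2000, "image": TEMP + r"\fssm32.exe"},
    {"type": "process", "pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 2300, "ppid": 2200, "image": TEMP + r"\setup.exe"},
    {"type": "file", "pid": 2300, "target": r"C:\Program Files\Internet Explorer\IEUpd.exe"},
    {"type": "file", "pid": 2300, "target": r"C:\Program Files\Internet Explorer\iexplore.hlp"},
    {"type": "process", "pid": 2400, "ppid": 2300,
     "image": r"C:\Program Files\Internet Explorer\IEUpd.exe"},
    # Benign: same names and paths, but no Office in the ancestry -> no finding.
    {"type": "process", "pid": 3000, "ppid": 1000, "image": r"D:\installers\setup.exe"},
    {"type": "process", "pid": 3100, "ppid": 1000, "image": r"C:\Windows\System32\msiexec.exe"},
    {"type": "file", "pid": 3100, "target": r"C:\Program Files\Internet Explorer\iexplore.hlp"},
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Run against the constructed sample it reports five events (fssm32.exe, setup.exe and IEUpd.exe spawned under POWERPNT.EXE, plus the two writes into Internet Explorer's folder) and stays silent on the user-launched installer and msiexec, which share the file names but not the lineage.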
Runs dropped executable code
Trojan:Win32/Cryptrun.A decrypts and executes the encrypted payload dropped as the component 'iexplore.hlp'. It looks for the presence of 'iexplore.hlp', decrypts it using strong cryptographic algorithms and runs the decrypted code. The payload could perform any action; its behaviour is determined by the encrypted content rather than by Cryptrun.A itself.
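Because 'iexplore.hlp' is an encrypted blob rather than a real help file, the file itself can be triaged without knowing the cipher: a genuine WinHelp file starts with the magic bytes 3F 5F 03 00, and ciphertext has near-maximal byte entropy. The following is an added example, not Microsoft's code, of that check. The WinHelp magic is the documented 0x00035F3F header; the entropy threshold and both sample files are constructed assumptions (SHA-256 in counter mode stands in for ciphertext).

```python
"""Triage a .hlp file that may be an encrypted payload in disguise.

Added example; not Microsoft's code.  Assumptions: WinHelp files begin
with the little-endian magic 0x00035F3F (bytes 3F 5F 03 00); the threshold
and the sample contents below are constructed for the demo.
"""
import hashlib
import math
from collections import Counter

WINHELP_MAGIC = b"\x3f\x5f\x03\x00"
ENTROPY_THRESHOLD = 7.2  # bits/byte; encrypted or compressed data sits near 8.0 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_hlp(data: bytes) -> dict:
    """Return magic/entropy facts and a verdict for a file named *.hlp.

    Both tests are needed: a compressed but genuine file is high-entropy,
    and a low-entropy file with a forged header is not ciphertext.
    """
    has_magic = data.startswith(WINHELP_MAGIC)
    entropy = shannon_entropy(data)
    return {
        "winhelp_magic": has_magic,
        "entropy": round(entropy, 2),
        "suspicious": (not has_magic) and entropy >= ENTROPY_THRESHOLD,
    }


def _pseudo_random(n: int, seed: bytes = b"cryptrun-demo") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed samples: a minimal genuine-looking help file and an encrypted blob.
GENUINE_HLP = WINHELP_MAGIC + b"\x00" * 12 + b"Help topic: Internet Explorer " * 40
FAKE_HLP = _pseudo_random(4096)

if __name__ == "__main__":
    print("genuine:", triage_hlp(GENUINE_HLP))
    print("dropped:", triage_hlp(FAKE_HLP))
```

On a live host the same function would be pointed at %ProgramFiles%\Internet Explorer\iexplore.hlp; the verdict is a triage aid, not proof, so pair it with the process-lineage evidence from the drop chain before acting on it.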
Analysis by Cristian Craioveanu
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom.