TrojanDropper:Win32/Apptom.A


TrojanDropper:Win32/Apptom.A is a trojan dropper embedded within an exploit in Microsoft PowerPoint (.PPS / .PPT) data files identified as Exploit:Win32/Apptom.gen. The exploit could execute on vulnerable systems using Microsoft Office 2000, XP, 2003 and Mac Office.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Installation
An attacker creates a malicious Microsoft PowerPoint presentation and sends it as an attachment to a target e-mail address. When the malicious file is viewed on a vulnerable system, it could drop TrojanDropper:Win32/Apptom.A. In the wild, this exploit has been seen in limited and targeted attacks.
 
When viewed, the malicious presentation drops a trojan dropper (TrojanDropper:Win32/Apptom.A) as a file named 'fssm32.exe' that is then run.
 
Payload
Drops Malware
When Win32/Apptom.A is run, it creates another executable in the TEMP folder, named '%TEMP%\setup.exe' (TrojanDropper:Win32/Apptom.B), which is executed via a command shell. Win32/Apptom.B then drops the following malware:
 
%ProgramFiles%\Internet Explorer\IEUpd.exe - Trojan:Win32/Cryptrun.A
 
Additional Information
For more information about Exploit:Win32/Apptom.gen and Security Advisory 969136, see the following links:
 
Analysis by Cristian Craioveanu

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %ProgramFiles%\Internet Explorer\IEUpd.exe
Alert notifications from installed antivirus software may be the only symptom(s).
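The drop chain described under Payload (fssm32.exe, then %TEMP%\setup.exe via a command shell, then IEUpd.exe under Internet Explorer) can be checked for in endpoint telemetry. The detector below is an added example, not part of this entry or of any Microsoft tool; the event schema, the sample events and the file locations of fssm32.exe are constructed assumptions, while the file names and paths matched are the ones the entry lists.

```python
import re

# Indicators as listed in the entry; the event schema and sample events are constructed.
DROPPER_IMAGE = "fssm32.exe"                                          # Apptom.A
STAGE2_CMD = re.compile(r"\\temp\\setup\.exe\b", re.I)                # %TEMP%\setup.exe, Apptom.B
PAYLOAD_PATH = re.compile(r"\\internet explorer\\ieupd\.exe$", re.I)  # Cryptrun.A
STAGES = ("apptom_a_dropper", "apptom_b_stage2_via_cmd", "cryptrun_a_payload")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan_events(events):
    """Return (rule, event_index) for each event that hits an Apptom indicator.

    Hypothetical schema: {'type': 'process', 'image', 'parent', 'cmdline'} or
    {'type': 'file', 'image', 'target'}; map Sysmon EID 1 / EID 11-style data onto it.
    """
    hits = []
    for idx, ev in enumerate(events):
        if ev["type"] == "process":
            if _basename(ev["image"]) == DROPPER_IMAGE:
                hits.append((STAGES[0], idx))
            if _basename(ev["image"]) == "cmd.exe" and STAGE2_CMD.search(ev.get("cmdline", "")):
                hits.append((STAGES[1], idx))
        elif ev["type"] == "file" and PAYLOAD_PATH.search(ev["target"]):
            hits.append((STAGES[2], idx))
    return hits


def chain_complete(hits):
    """True when all three stages were seen in drop order (A, then B, then payload)."""
    first = {}
    for rule, idx in hits:
        first.setdefault(rule, idx)  # keep the earliest sighting of each stage
    return all(s in first for s in STAGES) and first[STAGES[0]] < first[STAGES[1]] < first[STAGES[2]]


# Constructed sample telemetry approximating the chain described in the entry.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE",
     "parent": r"C:\WINDOWS\explorer.exe", "cmdline": "POWERPNT.EXE /s agenda.pps"},
    {"type": "process", "image": r"C:\DOCUME~1\user\LOCALS~1\Temp\fssm32.exe",
     "parent": r"C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE", "cmdline": "fssm32.exe"},
    {"type": "process", "image": r"C:\WINDOWS\system32\cmd.exe", "parent": r"C:\DOCUME~1\user\LOCALS~1\Temp\fssm32.exe",
     "cmdline": r'cmd.exe /c "C:\DOCUME~1\user\LOCALS~1\Temp\setup.exe"'},
    {"type": "file", "image": r"C:\DOCUME~1\user\LOCALS~1\Temp\setup.exe",
     "target": r"C:\Program Files\Internet Explorer\IEUpd.exe"},
]

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    print(found, "chain complete:", chain_complete(found))
```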

Prevention


Alert level: Severe
First detected by definition: 1.55.980.0
Latest detected by definition: 1.55.980.0 and higher
First detected on: Apr 03, 2009
This entry was first published on: Apr 02, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases