Exploit:Win32/Apptom.gen
First posted on 07 April 2009.
Source: SecurityHome
Aliases: Shellcode.D (Norman)
Explanation:
Exploit:Win32/Apptom.gen is a generic detection for an exploit carried in Microsoft PowerPoint presentation (.PPS / .PPT) files. The exploited vulnerability, the subject of Microsoft Security Advisory 969136, exists in Microsoft Office 2000, XP, 2003 and Office for Mac. Opening a malicious presentation on a vulnerable system could install malware on the local computer.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom.
Installation
An attacker creates a malicious Microsoft PowerPoint presentation and sends it as an attachment to a target e-mail address. When the file is opened on a vulnerable system, the exploit can drop other malware. In the wild, this exploit has been seen only in limited, targeted attacks.
Payload
Drops Malware
When viewed, the malicious presentation drops a trojan dropper (TrojanDropper:Win32/Apptom.A) as a file named 'fssm32.exe', which is then run. This dropper writes a second executable to the TEMP folder as '%TEMP%\setup.exe' (TrojanDropper:Win32/Apptom.B) and executes it via a command shell. Win32/Apptom.B in turn drops the following malware:
%ProgramFiles%\Internet Explorer\IEUpd.exe - Trojan:Win32/Cryptrun.A
Additional Information
For more information about Exploit:Win32/Apptom.gen and Security Advisory 969136, see the following links:
Microsoft Malware Protection Center blog post
http://blogs.technet.com/mmpc/archive/2009/04/02/new-0-day-exploits-using-powerpoint-files.aspx
Security Advisory 969136
http://www.microsoft.com/technet/security/advisory/969136.mspx
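Because the page lists no symptoms beyond an antivirus alert, the most useful thing a responder can do is hunt for the drop chain described under Payload (PowerPoint -> fssm32.exe -> cmd.exe -> %TEMP%\setup.exe -> IEUpd.exe) in process-creation telemetry. The script below is an added example, not code from the Microsoft page or from the malware; it assumes a Sysmon-style event shape (pid, ppid, image), uses only the file names and drop locations the page names, and runs over a constructed sample event list (not real telemetry).

```python
"""Hunt for the Win32/Apptom drop chain in process-creation events.

Added example, not from the original page. Assumes events carry at least
'pid', 'ppid' and 'image' (Sysmon Event ID 1 style); the sample data below
is constructed for illustration.
"""
import ntpath

# File names of the dropped components named on the page.
DROPPED_NAMES = {"fssm32.exe", "setup.exe", "ieupd.exe"}
# The exploit runs inside PowerPoint, so that is the ancestor of interest.
OFFICE_PARENTS = {"powerpnt.exe"}

# Constructed sample events: an infected open of a .pps followed by the chain
# the page describes, plus one benign setup.exe started from Explorer.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Users\victim\AppData\Local\Temp\fssm32.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Users\victim\AppData\Local\Temp\setup.exe"},
    {"pid": 600, "ppid": 500,
     "image": r"C:\Program Files\Internet Explorer\IEUpd.exe"},
    # Benign: a legitimate installer called setup.exe launched from Explorer.
    {"pid": 700, "ppid": 100, "image": r"C:\Users\victim\Downloads\setup.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def ancestry(event, by_pid, max_depth=8):
    """Return [event, parent, grandparent, ...], stopping at a missing parent."""
    chain = [event]
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def find_apptom_chains(events):
    """Return root-to-leaf name chains for every dropped-component process
    that descends from PowerPoint. A setup.exe with no Office ancestor is
    deliberately not reported, since the name alone is too common."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in DROPPED_NAMES:
            continue
        chain = ancestry(e, by_pid)
        for i, anc in enumerate(chain[1:], start=1):
            if basename(anc["image"]) in OFFICE_PARENTS:
                hits.append([basename(x["image"]) for x in reversed(chain[: i + 1])])
                break
    return hits


def is_apptom_drop_path(path):
    """Disk-artifact check for the locations the page lists:
    %ProgramFiles%\\Internet Explorer\\IEUpd.exe and %TEMP%\\setup.exe.
    (The page gives no directory for fssm32.exe, so it is name-only above.)"""
    p = ntpath.normpath(path).lower()
    if p.endswith(r"\internet explorer\ieupd.exe") and "program files" in p:
        return True
    if basename(p) == "setup.exe" and "\\temp\\" in p:
        return True
    return False


if __name__ == "__main__":
    for chain in find_apptom_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
```

The process rule keys on ancestry rather than on file names alone, which is what keeps the unrelated Downloads\setup.exe out of the results; the path check is a triage aid for a host that already alerted, and a hit on IEUpd.exe under Program Files\Internet Explorer is the one artifact that outlives the TEMP stage.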
Analysis by Cristian Craioveanu
Last update 07 April 2009