
Trojan:Win32/Cryptrun.A


First posted on 07 April 2009.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:Win32/Cryptrun.A.

Explanation :



Trojan:Win32/Cryptrun.A is a trojan embedded within an exploit in Microsoft PowerPoint (.PPS / .PPT) data files identified as Exploit:Win32/Apptom.gen. The exploit could execute on vulnerable systems using Microsoft Office 2000, XP, 2003 and Mac Office.

Installation
An attacker creates a malicious Microsoft PowerPoint presentation and sends it as an attachment to a target e-mail address. When the malicious file is viewed on a vulnerable system, it could drop embedded malware. In the wild, this exploit has been seen in limited and targeted attacks. When viewed, the malicious presentation drops a trojan dropper (TrojanDropper:Win32/Apptom.A) as a file named 'fssm32.exe' that is then run. This trojan dropper creates another executable in the TEMP folder, '%TEMP%\setup.exe' (TrojanDropper:Win32/Apptom.B), which is also executed via a command shell. Additional files are dropped as follows:

%ProgramFiles%\Internet Explorer\IEUpd.exe - Trojan:Win32/Cryptrun.A

%ProgramFiles%\Internet Explorer\iexplore.hlp - encrypted binary

Payload
Runs Dropped Malware
Trojan:Win32/Cryptrun.A decrypts and executes the encrypted payload dropped as the component 'iexplore.hlp'. More information will be posted soon.
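Detection logic for the drop chain described above, added here as an example and not part of the original write-up: it flags a host only when two or more of the listed file indicators co-occur, because a setup.exe in %TEMP% is common for legitimate installers. The event schema (host, kind, path, parent), the threshold and all sample events are assumptions constructed for illustration.

```python
import ntpath

def base(path):
    return ntpath.basename(path).lower()

def classify(event):
    """Return the indicator an event matches (names from the write-up), or None."""
    name = base(event["path"])
    folder = ntpath.dirname(event["path"]).lower()
    if event["kind"] == "process":
        if name == "fssm32.exe":
            return "fssm32.exe executed"
        # setup.exe in TEMP is noisy alone; also require the command-shell parent.
        if (name == "setup.exe" and folder.endswith("\\temp")
                and base(event.get("parent", "")) == "cmd.exe"):
            return "TEMP setup.exe run from command shell"
    elif event["kind"] == "file" and folder.endswith("\\internet explorer"):
        if name == "ieupd.exe":
            return "IEUpd.exe written to IE folder"
        if name == "iexplore.hlp":
            return "iexplore.hlp written to IE folder"
    return None

def triage(events, minimum=2):
    """Flag hosts where at least `minimum` distinct indicators co-occur."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(ev["host"], set()).add(label)
    return {h: sorted(v) for h, v in hits.items() if len(v) >= minimum}

# Constructed sample events (hypothetical schema: host, kind, path, parent).
# The write-up does not say where fssm32.exe is dropped; that path is made up.
T_XP = r"C:\DOCUME~1\alice\LOCALS~1\Temp"
IE = r"C:\Program Files\Internet Explorer"
SAMPLE_EVENTS = [
    {"host": "WS-01", "kind": "process", "path": T_XP + r"\fssm32.exe",
     "parent": r"C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE"},
    {"host": "WS-01", "kind": "process", "path": T_XP + r"\setup.exe",
     "parent": r"C:\WINDOWS\system32\cmd.exe"},
    {"host": "WS-01", "kind": "file", "path": IE + r"\IEUpd.exe"},
    {"host": "WS-01", "kind": "file", "path": IE + r"\iexplore.hlp"},
    {"host": "WS-02", "kind": "process",  # installer started from Explorer
     "path": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-03", "kind": "process",  # single indicator, below threshold
     "path": r"C:\Users\carol\AppData\Local\Temp\setup.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns only WS-01, with all four indicators; WS-03 matches one indicator and stays below the threshold.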

Analysis by Cristian Craioveanu

Last update 07 April 2009

 
