The BackDoor-CRX Trojan gives an attacker remote access by opening a backdoor on the compromised machine.

This Trojan pretends to be an Acrobat install program, using the file name "Acrobat.exe" and a fake icon. When the Trojan is executed on the victim machine, it displays a fake error message box.

The backdoor accesses the following URL:

http://124.217.{removed}.118/NNN/parse.php

It drops the following DLL file and injects it into Explorer.exe:

%Sysdir%\acrobat.dll
(Where %Sysdir% is the Windows System directory, for example C:\WINNT\SYSTEM32)
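
A host triage check for the two artifacts described above, the dropped file and the same DLL loaded inside Explorer.exe. This is an added example, not part of the original description or vendor tooling; the variable names and output layout are assumptions made for illustration.

```powershell
# Added example, not vendor code. Run from an elevated 64-bit PowerShell so
# the System32 path is not redirected to SysWOW64.
$dllName  = 'acrobat.dll'                                        # file name from this page
$dllPath  = Join-Path ([Environment]::SystemDirectory) $dllName  # %Sysdir%\acrobat.dll
$findings = @()

# Check 1: the dropped file on disk.
if (Test-Path -LiteralPath $dllPath) {
    $item = Get-Item -LiteralPath $dllPath -Force                # -Force also returns hidden files
    $hash = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -LiteralPath $dllPath).Status
    $findings += [pscustomobject]@{
        Check  = 'File on disk'
        Target = $item.FullName
        Detail = "created $($item.CreationTimeUtc.ToString('u')), SHA256 $hash, signature $sig"
    }
}

# Check 2: the DLL loaded in any running explorer.exe instance.
foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    try {
        # Reading the module list can fail without sufficient rights.
        $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $dllName })
    } catch {
        Write-Warning "Cannot read modules of explorer.exe PID $($proc.Id): $($_.Exception.Message)"
        continue
    }
    foreach ($m in $hits) {
        $findings += [pscustomobject]@{
            Check  = 'Module in explorer.exe'
            Target = "PID $($proc.Id)"
            Detail = "loaded from $($m.FileName)"
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-List
} else {
    Write-Output "No $dllName found in $([Environment]::SystemDirectory) or in explorer.exe modules."
}
```

The module listing only shows DLLs loaded through the normal Windows loader, and the description above does not say which injection method is used, so an empty result from the second check does not clear the host on its own.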

More information can be found at this McAfee page.