Proxy-Agent.af.gen

Type: Trojan
SubType: Proxy
Discovery Date: 12/19/2007
Length: varies
Minimum DAT: 5189 (12/19/2007)
Updated DAT: 5270 (04/09/2008)
Minimum Engine: 5.1.00
Description Added: 12/19/2007
Description Modified: 05/06/2008 9:59 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update May 06, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com.au/index.php/id;1723233483;fp;4;fpid;78268965

--

This trojan is dropped by Proxy-Agent.af.dr, which also drops the following files:

  • %Temp%\ _check32.bat [This batch file deletes the original dropper]
  • %Windir%\s32.txt [Trojan configuration file. Needs to be deleted manually]
  • %Windir%\gs32.txt [Trojan configuration file. Needs to be deleted manually]
  • %Windir%\db32.txt [Trojan configuration file. Needs to be deleted manually]
  • %Windir%\ws386.ini [Trojan configuration file. Needs to be deleted manually]
  • %System%\aspimgr.exe [Trojan file, detected as Proxy-Agent.af.gen]

Note:

  • %Temp% is a variable that refers to the Windows temp folder. By default, this is "C:\Windows\Temp".
  • %System% is a variable that refers to the Windows system folder. By default, this is "C:\Windows\System32".
  • %Windir% is a variable that refers to the Windows folder. By default, this is "C:\Windows".

The trojan creates the following registry entry:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\aspimgr
    Data: ImagePath = "%Windir%\aspimgr.exe"

This service entry lets the trojan masquerade as a legitimate Windows service with the display name "Microsoft ASPI Manager".

It also creates the following registry key, probably as an infection marker:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Sft

The trojan sends information about the infected machine to a number of remote sites using HTTP POST requests.

It opens TCP port 80 on the infected machine and acts as a proxy server.

Apart from this, the trojan may also open a backdoor port through which it receives instructions from the attacker. These instructions can include sending mass emails to a pre-defined list of email addresses.

Symptoms

Presence of the files and registry entries listed above.
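The following host check is an added example, not part of the AVERT description: it reports the files, registry entries and TCP/80 listener this page associates with Proxy-Agent.af.gen. It assumes Windows PowerShell 3 or later in an elevated session and uses the environment variables behind the %Temp%, %Windir% and %System% placeholders.

```powershell
# Added host check for the Proxy-Agent.af.gen indicators listed in this description.
# Assumption: Windows PowerShell 3+ in an elevated session; the TCP/80 check needs
# Get-NetTCPConnection (Windows 8 / Server 2012 or later) and is skipped otherwise.
$findings = @()

# Dropped files. %Temp% is checked both as the user's TEMP and as C:\Windows\Temp
# (the default the page gives); the path named in the service ImagePath is included too.
$files = @(
    "$env:TEMP\_check32.bat",
    "$env:windir\Temp\_check32.bat",
    "$env:windir\s32.txt",
    "$env:windir\gs32.txt",
    "$env:windir\db32.txt",
    "$env:windir\ws386.ini",
    "$env:windir\System32\aspimgr.exe",
    "$env:windir\aspimgr.exe"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Service registration the trojan uses to pose as "Microsoft ASPI Manager".
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\aspimgr'
if (Test-Path -LiteralPath $svcKey) {
    $p = Get-ItemProperty -LiteralPath $svcKey
    $findings += "Service key present: aspimgr (ImagePath='$($p.ImagePath)', DisplayName='$($p.DisplayName)')"
}

# Probable infection marker.
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Sft') {
    $findings += 'Marker key present: HKLM\SOFTWARE\Microsoft\Sft'
}

# Anything listening on TCP 80 that is not an expected web server deserves a look.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listeners = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $findings += "TCP/80 listener: PID $($l.OwningProcess) ($($proc.ProcessName))"
    }
}

if ($findings.Count -eq 0) {
    'No Proxy-Agent.af.gen indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
    'Report only: the configuration files above must be removed manually, as the description notes.'
}
```

The script only reports; a TCP/80 listener on a host that legitimately runs a web server is expected, so check the owning process name before treating it as a finding.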

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

N/A

Overview

This detection covers a proxy server trojan which, once running on the victim's machine, may be used as an email relay to route spam messages.

The characteristics of this trojan, such as file names, ports opened and sites accessed, can differ from one version to another depending on how the attacker configured it.

Aliases

  • Backdoor.Edunet.a [BitDefender]
  • Troj/Danmec-W [Sophos]
  • Trojan.Asprox [Symantec]
