TSPY_ASPROX
Danmec, Asprox
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
DANMEC variants are known to arrive onto a system either by being dropped by other malware or unknowingly downloaded by users when visiting malicious sites. They may arrive as attachments in email messages.
DANMEC variants may also monitor affected systems to steal information such as file names, operating systems, installed programs, and running processes. The gathered data is then sent to a remote malicious user via a specific IP address.
Some DANMEC variants prevent users from accessing specific URLs related to security and antivirus solutions. They may also terminate processes related to security and antivirus applications.
TECHNICAL DETAILS
Other System Modifications
This spyware adds the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\
Sft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Sft
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\aspi113210
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\aspimgr
HKEY_USERS\.DEFAULT\Software\
Microsoft\Sft
Dropping Routine
This spyware drops the following files:
- %System%\aspimgr.exe
- %System%\aspi{random numbers}.exe
- %User Temp%\_check32.bat
- %Windows%\db32.txt
- %Windows%\g32.txt
- %Windows%\gs32.txt
- %Windows%\s32.txt
- %Windows%\ws386.ini
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Windows% is the Windows folder, which is usually C:\Windows.)