BKDR_ASPROX
Aliases: Danmec, Asprox
Malware type: Backdoor
Destructive: No
Platform: Windows 2000, Windows XP, Windows Server 2003
In the wild: Yes

Overview


Infection Channel: Spammed via email, Dropped by other malware, Downloaded from the Internet

DANMEC variants are known to arrive on a system either by being dropped by other malware or by being unknowingly downloaded by users who visit malicious sites. They may also arrive as attachments to email messages.

DANMEC variants may also monitor affected systems to steal information such as file names, operating systems, installed programs, and running processes. The gathered data is then sent to a remote malicious user via a specific IP address.

Some DANMEC variants prevent users from accessing specific URLs related to security and antivirus solutions. They may also terminate processes related to security and antivirus applications.

Technical Details

Memory resident: Yes
Payload: Drops files

Other System Modifications

This backdoor adds the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Sft
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspi113210
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Sft

Dropping Routine

This backdoor drops the following files:

  • %System%\aspimgr.exe
  • %System%\aspi{random numbers}.exe
  • %User Temp%\_check32.bat
  • %Windows%\db32.txt
  • %Windows%\g32.txt
  • %Windows%\gs32.txt
  • %Windows%\s32.txt
  • %Windows%\ws386.ini

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Windows% is the Windows folder, which is usually C:\Windows.)
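The registry keys and dropped files above are the host-level indicators a responder would sweep for. As an added example, not part of this encyclopedia entry, the following Python script turns both lists into an offline indicator match over a file listing and a registry key dump, expanding the %System%, %Windows% and %User Temp% placeholders as described in the note and treating {random numbers} as a run of digits. Two things are assumptions and not stated on the page: the loose Services\aspi<digits> check (which supposes the digits in aspi113210 vary per infection like the file name does) and the sample file and registry data, which is constructed for illustration.

```python
import re

# Indicators exactly as listed on this BKDR_ASPROX entry. "{random numbers}" and the
# %System%/%Windows%/%User Temp% folder placeholders are expanded into regexes below.
REGISTRY_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Sft",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspi113210",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr",
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Sft",
]

DROPPED_FILES = [
    r"%System%\aspimgr.exe",
    r"%System%\aspi{random numbers}.exe",
    r"%User Temp%\_check32.bat",
    r"%Windows%\db32.txt",
    r"%Windows%\g32.txt",
    r"%Windows%\gs32.txt",
    r"%Windows%\s32.txt",
    r"%Windows%\ws386.ini",
]

# Folder placeholders as regex fragments, following the note on the page
# (both the 2000/XP/2003 and the Vista/7 user temp layouts are accepted).
FOLDER_PATTERNS = {
    "%System%": r"C:\\Windows\\System32",
    "%Windows%": r"C:\\Windows",
    "%User Temp%": (r"C:\\(?:Documents and Settings\\[^\\]+\\Local Settings"
                    r"|Users\\[^\\]+\\AppData\\Local)\\Temp"),
}

# Assumption (not stated on the page): the digits in Services\aspi113210 vary per
# infection in the same way as the aspi{random numbers}.exe file name does.
SERVICE_KEY_LOOSE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\aspi\d+$", re.IGNORECASE)


def file_pattern(template):
    """Compile one dropped-file template into an anchored, case-insensitive regex."""
    pattern = re.escape(template)
    # Substitute the escaped placeholder text, so this works whatever re.escape did to it.
    pattern = pattern.replace(re.escape("{random numbers}"), r"\d+")
    for placeholder, folder_re in FOLDER_PATTERNS.items():
        pattern = pattern.replace(re.escape(placeholder), folder_re)
    return re.compile("^" + pattern + "$", re.IGNORECASE)


FILE_PATTERNS = [(template, file_pattern(template)) for template in DROPPED_FILES]


def match_dropped_files(paths):
    """Return (path, matching template) for every path that matches a dropped-file IoC."""
    hits = []
    for path in paths:
        path = path.strip()
        for template, regex in FILE_PATTERNS:
            if regex.match(path):
                hits.append((path, template))
                break
    return hits


def match_registry_keys(keys):
    """Return (key, reason) for keys equal to a listed key or matching the loose pattern."""
    listed = {key.lower() for key in REGISTRY_KEYS}
    hits = []
    for key in keys:
        key = key.strip()
        if key.lower() in listed:
            hits.append((key, "listed key"))
        elif SERVICE_KEY_LOOSE.match(key):
            hits.append((key, "assumed variant of Services\\aspi113210"))
    return hits


# Constructed sample input standing in for a file listing and a registry key dump
# collected from a host; this is not real telemetry.
SAMPLE_FILES = [
    r"C:\Windows\System32\aspimgr.exe",
    r"C:\WINDOWS\system32\aspi113210.exe",
    r"C:\Windows\System32\aspnet_wp.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\_check32.bat",
    r"C:\Users\bob\AppData\Local\Temp\_check32.bat",
    r"C:\Windows\ws386.ini",
    r"C:\Windows\win.ini",
    r"C:\Windows\s32.txt",
]
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspi998877",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp",
    r"HKEY_CURRENT_USER\Software\Microsoft\Sft",
]

if __name__ == "__main__":
    for path, template in match_dropped_files(SAMPLE_FILES):
        print(f"FILE  {path}  <- {template}")
    for key, reason in match_registry_keys(SAMPLE_KEYS):
        print(f"REG   {key}  <- {reason}")
```

Matching is anchored and case-insensitive, so C:\Windows\gs32.txt does not trip the s32.txt indicator and a file such as aspnet_wp.exe in System32 is not confused with aspi{random numbers}.exe. Feed the functions the output of a directory walk or a registry export from the suspect host; hits on the loose service pattern are reported separately so an analyst can treat them as lower confidence than the keys the entry lists verbatim.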
