
System Infected: Trojan.Asprox.B

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.Asprox activity on a compromised machine.

Additional Information

When the Trojan is executed, it creates the following files:

%System%\aspimgr.exe
%Windir%\s32.txt
%Windir%\db32.txt
%Windir%\g32.txt
%Windir%\gs32.txt
%Windir%\ws386.ini
%Temp%\_check32.bat

Next, the Trojan creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft

The program then opens a proxy server on one of the following ports:

TCP port 80
TCP port 82

It then sends HTTP requests to the following locations:

[http://]www.yahoo.com
[http://]www.web.de
[http://]ns.uk2.net
[http://]208.109.50.117/foru[REMOVED]
[http://]208.109.51.140/foru[REMOVED]
[http://]216.69.164.173/foru[REMOVED]
[http://]74.52.72.58/foru[REMOVED]
[http://]216.40.204.106/foru[REMOVED]
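A host triage check for the artifacts listed above, added here as an example and not taken from the Symantec write-up. The file paths, registry keys and ports come from the page; the function name, the output format and the netstat fallback for older Windows versions are this example's own assumptions.

```powershell
# Added example: triage a Windows host for the Trojan.Asprox.B artifacts listed
# in the write-up. Run from an elevated PowerShell session on the host under review.
function Test-AsproxArtifacts {
    $system = Join-Path $env:SystemRoot 'System32'   # %System%
    $windir = $env:SystemRoot                        # %Windir%
    $temp   = $env:TEMP                              # %Temp% of the current user

    $files = @(
        (Join-Path $system 'aspimgr.exe'),
        (Join-Path $windir 's32.txt'),
        (Join-Path $windir 'db32.txt'),
        (Join-Path $windir 'g32.txt'),
        (Join-Path $windir 'gs32.txt'),
        (Join-Path $windir 'ws386.ini'),
        (Join-Path $temp   '_check32.bat')
    )
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\aspimgr',
        'HKLM:\SOFTWARE\Microsoft\Sft'
    )
    $ports = @(80, 82)   # proxy listener ports named in the write-up

    $hits = @()
    foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $hits += "file: $f" } }
    foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $hits += "registry: $k" } }

    # Listening sockets on the proxy ports. Get-NetTCPConnection exists on
    # Windows 8 / Server 2012 and later; older systems in the Affected list
    # fall back to parsing "netstat -ano" output (assumed column layout).
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listeners = Get-NetTCPConnection -State Listen |
            Where-Object { $ports -contains $_.LocalPort }
        foreach ($l in $listeners) {
            $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            $hits += "listener: tcp/$($l.LocalPort) pid $($l.OwningProcess) ($proc)"
        }
    } else {
        netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
            $cols = ("$_" -split '\s+') | Where-Object { $_ }
            $port = [int](($cols[1] -split ':')[-1])
            if ($ports -contains $port) { $hits += "listener: tcp/$port pid $($cols[-1])" }
        }
    }
    return $hits
}

Test-AsproxArtifacts
```

A listener on TCP 80 alone is weak evidence, since a legitimate web server uses the same port; treat the file and registry hits, or a listener owned by aspimgr.exe, as the stronger signal.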

Affected

  • Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP