Details
This Trojan provides a remote malicious user with access to the victim machine. It is a Windows PE EXE file. It is 48640 bytes in size. It is packed using UPX. The unpacked file is approximately 360KB in size.
Installation
The Trojan extracts the following file from its body:
%System%\aspimgr.exe
This file is 73728 bytes in size. Kaspersky Anti-Virus does not detect this file as malicious.
The original file will then be deleted.
The backdoor creates a service called "Microsoft ASPI Manager" which ensures the backdoor executable file will be launched each time the victim machine is restarted.
The Trojan launches a HTTP proxy server on the victim machine on TCP port 80. It then sends notification that the victim machine has been infected to the addresses shown below:
66.199.241.98
82.103.140.75
203.117.175.124
72.21.63.114
66.232.102.169
66.96.196.53
It does this by sending HTTP requests. Once infected, the victim machine becomes part of a zombie network and can be used to send spam or to conduct DoS attacks.
The backdoor creates the following log files:
%WinDir%\ws386.ini
%WinDir%\db32.txt
%WinDir%\s32.txt
%WinDir%\f32.txt
It creates the following registry key:
[HKLM\SOFTWARE\Microsoft\Sft]
and saves its configuration to this key.
Removal Guide
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
1. Use Task Manager to terminate the malicious process
2. Delete the following registry key:
[HKLM\SOFTWARE\Microsoft\Sft]
3. Delete the "Microsoft ASPI Manager" service.
4. Delete the following files:
%WinDir%\ws386.ini
%WinDir%\db32.txt
%WinDir%\s32.txt
%WinDir%\f32.txt
%System%\aspimgr.exe
Tips about How to Choose Computer
Check Out
http://choosingcomputer.blogspot.com
No comments:
Post a Comment