Threat Encyclopedia

BKDR_ASPROX


ALIASES:

Danmec, Asprox

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel:

Spammed via email, Dropped by other malware, Downloaded from the Internet


DANMEC variants are known to arrive on a system either by being dropped by other malware or by being unknowingly downloaded by users visiting malicious sites. They may also arrive as attachments to email messages.

DANMEC variants may also monitor affected systems to steal information such as file names, operating systems, installed programs, and running processes. The gathered data is then sent to a remote malicious user via a specific IP address.

Some DANMEC variants prevent users from accessing specific URLs related to security and antivirus solutions. They may also terminate processes related to security and antivirus applications.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Drops files

Other System Modifications

This backdoor adds the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Sft
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspi113210
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Sft

Dropping Routine

This backdoor drops the following files:

  • %System%\aspimgr.exe
  • %System%\aspi{random numbers}.exe
  • %User Temp%\_check32.bat
  • %Windows%\db32.txt
  • %Windows%\g32.txt
  • %Windows%\gs32.txt
  • %Windows%\s32.txt
  • %Windows%\ws386.ini

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Windows% is the Windows folder, which is usually C:\Windows.)
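The dropped-file and registry-key lists above are host-based indicators an incident responder would check a suspect machine against. The following script is an added example (not Trend Micro's code and not part of the encyclopedia entry) that turns those lists into matchers and runs them over a constructed host inventory. It assumes the %System%, %Windows% and %User Temp% expansions given in the note above, and treats the entry's "{random numbers}" placeholder as one or more decimal digits, which is an assumption; the registry keys are matched exactly as listed, including the aspi113210 service name. The sample file paths and registry keys are constructed for the demonstration.

```python
import re

# Dropped files as listed in the BKDR_ASPROX entry, placeholders kept verbatim.
FILE_TEMPLATES = [
    r"%System%\aspimgr.exe",
    r"%System%\aspi{random numbers}.exe",
    r"%User Temp%\_check32.bat",
    r"%Windows%\db32.txt",
    r"%Windows%\g32.txt",
    r"%Windows%\gs32.txt",
    r"%Windows%\s32.txt",
    r"%Windows%\ws386.ini",
]

# Registry keys as listed in the entry (matched case-insensitively, but literally).
REGISTRY_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Sft",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspi113210",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr",
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Sft",
]

# Regex expansions of the entry's folder placeholders, following its note on
# typical locations (Windows 2000/XP/2003 and Vista/7 Temp folders).
PLACEHOLDERS = {
    "%System%": r"[a-z]:\\windows\\system32",
    "%Windows%": r"[a-z]:\\windows",
    "%User Temp%": (
        r"[a-z]:\\(documents and settings\\[^\\]+\\local settings"
        r"|users\\[^\\]+\\appdata\\local)\\temp"
    ),
}


def template_to_regex(template: str) -> re.Pattern:
    """Compile one dropped-file template into a case-insensitive full-path regex.

    Assumption: "{random numbers}" stands for one or more digits.
    """
    pattern = ""
    rest = template
    for name, rx in PLACEHOLDERS.items():
        if rest.startswith(name):
            pattern += rx
            rest = rest[len(name):]
            break
    # Escape the literal remainder, then reinstate the digit wildcard.
    literal = re.escape(rest).replace(re.escape("{random numbers}"), r"\d+")
    return re.compile("^" + pattern + literal + "$", re.IGNORECASE)


def scan_inventory(observed_files, observed_registry_keys):
    """Match a host inventory against the entry's indicators.

    Returns a list of (indicator, observed_value) pairs, one per hit.
    """
    hits = []
    for template in FILE_TEMPLATES:
        rx = template_to_regex(template)
        hits.extend((template, p) for p in observed_files if rx.match(p))
    for key in REGISTRY_KEYS:
        hits.extend((key, k) for k in observed_registry_keys
                    if k.lower() == key.lower())
    return hits


# Constructed sample inventory: a mix of benign entries and entries shaped like
# the indicators above (not taken from a real infection).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\aspimgr.exe",
    r"C:\WINDOWS\system32\aspi48213.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Documents and Settings\alice\Local Settings\Temp\_check32.bat",
    r"C:\WINDOWS\ws386.ini",
    r"C:\WINDOWS\notepad.exe",
]
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKEY_CURRENT_USER\Software\Microsoft\Sft",
]

if __name__ == "__main__":
    for indicator, observed in scan_inventory(SAMPLE_FILES, SAMPLE_KEYS):
        print(f"HIT  {indicator}  <-  {observed}")
```

On a live host the two inventory lists would come from a file-system walk and a registry export; the matching logic itself needs no Windows-specific module, so it can be run offline against collected artifacts or exported inventories.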
