DANMEC

DANMEC variants are known to arrive onto a system either by being dropped by other malware or unknowingly downloaded by users when visiting malicious sites. They may arrive as attachments in email messages.

DANMEC variants may also monitor affected systems to steal information such as file names, operating systems, installed programs, and running processes. The gathered data is then sent to a remote malicious user via a specific IP address.

Some DANMEC variants prevent users from accessing specific URLs related to security and antivirus solutions. They may also terminate processes related to security and antivirus applications.

Other System Modifications

This Trojan adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Sft

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Sft

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\aspi113210

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\aspimgr

HKEY_USERS\.DEFAULT\Software\
Microsoft\Sft

Dropping Routine

This Trojan drops the following files:

• %System%\aspimgr.exe
• %System%\aspi{random numbers}.exe
• %User Temp%\_check32.bat
• %Windows%\db32.txt
• %Windows%\g32.txt
• %Windows%\gs32.txt
• %Windows%\s32.txt
• %Windows%\ws386.ini

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

NOTES:

It connects to any of the following URLs:

• ns.uk2.net
• www.google.com
• www.yahoo.com