Submission Summary:

• Submission details:
• Submission received: 20 August 2009, 19:23:17
• Processing time: 5 min 45 sec
• Submitted sample:
• File MD5: 0x476CEFA4CA9EC2E9E9E39D7CF1060432
• File SHA-1: 0x59FA2904E054B21A4623ABF67E5F2285C8959F29
• Filesize: 49,664 bytes
• Alias:
• Trojan.Damnec.Gen [PCTools]
• Trojan.Asprox [Symantec]
• Net-Worm.Win32.Aspxor.ab [Kaspersky Lab]
• Virus.Win32.Agent.GPS [Ikarus]
• Win32/Aspxor.worm.49664 [AhnLab]

• Summary of the findings:

What's been found	Severity Level
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Backdoor.Agent.AJU	Backdoor.Agent.AJU is a malicious backdoor trojan that is capable to run and open random TCP port in a multiple instances attempting to connect to its predefined public SMTP servers. It then spams itself in email with a file attached in zip and password protected format. Furthermore, the password is included in the body of the email.

• Attention! The following threat categories were identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Temp%\_check32.bat	103 bytes	MD5: 0x3AFF9007437E04D852F4B27C455BBBAE SHA-1: 0x5D6723BA70366E8B2652BB00EC67F5764FA1EC6C	(not available)
2	%Windir%\db32.txt	147 bytes	MD5: 0x647B5A7658D9041F5F7D8D55971BA950 SHA-1: 0xA4E3DE8200DD23CCB89651A66C9A3CD098B9B9C2	(not available)
3	%Windir%\s32.txt	85 bytes	MD5: 0xD042AFDD125C643DFBC1B38EAADF7936 SHA-1: 0x8750200C7C1F7699A2C5E55D7438F64766501CE5	(not available)
4	%System%\aspimgr.exe	77,824 bytes	MD5: 0xD85C6DA62224996706063136DCB6D895 SHA-1: 0x47E8CBD33BA8D1D15142CB1E0D632819579DCC2C	Trojan.Damnec.Gen [PCTools] Trojan.Asprox [Symantec] Email-Worm.Win32.Agent.ha [Kaspersky Lab] Proxy-Agent.af.gen [McAfee] Troj/Asprox-Gen [Sophos] Backdoor:Win32/Agent.ACG [Microsoft] Win32.SuspectCrc [Ikarus]
5	[file and pathname of the sample #1]	49,664 bytes	MD5: 0x476CEFA4CA9EC2E9E9E39D7CF1060432 SHA-1: 0x59FA2904E054B21A4623ABF67E5F2285C8959F29	Trojan.Damnec.Gen [PCTools] Trojan.Asprox [Symantec] Net-Worm.Win32.Aspxor.ab [Kaspersky Lab] Virus.Win32.Agent.GPS [Ikarus] Win32/Aspxor.worm.49664 [AhnLab]
6	%Windir%\ws386.ini	12 bytes	MD5: 0xEB88059AF6D5E2B000848840AD6F6023 SHA-1: 0xA3405359551CE55BCCDB260D20738AFC1CBAB67D	(not available)

• Notes:
• %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
• %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
aspimgr.exe	%System%\aspimgr.exe	364,544 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	131,072 bytes

• There was a new service created in the system:

Service Name	Display Name	Status	Service Filename
aspimgr	Microsoft ASPI Manager	"Running"	%System%\aspimgr.exe

Registry Modifications

• The following Registry Keys were created:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR\0000
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr\Security
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr\Enum
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR\0000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR\0000\Control
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft]
• (Default) = "{394ADB28-A788-49AB-81E7-F839CEB5E003}"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "aspimgr"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR\0000]
• Service = "aspimgr"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Microsoft ASPI Manager"
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ASPIMGR]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr\Enum]
• 0 = "Root\LEGACY_ASPIMGR\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000001
• ImagePath = "%System%\aspimgr.exe"
• DisplayName = "Microsoft ASPI Manager"
• ObjectName = "LocalSystem"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR\0000\Control]
• *NewlyCreated* = 0x00000000
• ActiveService = "aspimgr"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR\0000]
• Service = "aspimgr"
• Legacy = 0x00000001
• ConfigFlags = 0x00000000
• Class = "LegacyDriver"
• ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
• DeviceDesc = "Microsoft ASPI Manager"
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR]
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum]
• 0 = "Root\LEGACY_ASPIMGR\0000"
• Count = 0x00000001
• NextInstance = 0x00000001
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Security]
• Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr]
• Type = 0x00000010
• Start = 0x00000002
• ErrorControl = 0x00000001
• ImagePath = "%System%\aspimgr.exe"
• DisplayName = "Microsoft ASPI Manager"
• ObjectName = "LocalSystem"

• The following Registry Values were modified:
• [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
• (Default) = 0x0000000C
• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
• (Default) = 0x0000000C

Other details

• The following port was open in the system:

• The following Host Names were requested from a host database:
• ns.uk2.net
• www.yahoo.com
• www.web.de
• 66.232.102.169
• 82.103.140.75