Threat Encyclopedia


Installation
When executed, the trojan drops the following file into the %system% folder:

aspimgr.exe (69632 B)

The trojan registers itself as a system service using the following name:

Microsoft ASPI Manager

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR\0000\Control]
"NewlyCreated" = 0
"ActiveService" = "aspimgr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR\0000]
"Service" = "aspimgr"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"DeviceDesc" = "Microsoft ASPI Manager"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR]
"NextInstance" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr\Enum]
"0" = "Root\LEGACY_ASPIMGR\0000"
"Count" = 1
"NextInstance" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr]
"Type" = 16
"Start" = 2
"ErrorControl" = 1
"ImagePath" = "%system%\aspimgr.exe"
"DisplayName" = "Microsoft ASPI Manager"
"ObjectName" = "LocalSystem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft]


Spam distribution
Win32/Agent.NEQ is a trojan that is used for spam distribution. The trojan receives data and commands from a remote computer or the Internet.

The trojan gathers e-mail addresses from all local files. Addresses containing any of the following strings are skipped:

.dll
.hlp
abuse
accoun
admin
anyone
apache.org
arachnoid
bsd
bugs
-bugs
ca.com
caube
cauce
cauce.org
certific
-certs
ci.el-paso.tx.us
cloudmark.com
digsigtrust
e-trust
example
fraud
gold-certs
google
help
ht.ht
icrosof
linux
listserv
mailwasher
majordomo
me
messagelabs
mydomai
nobody
nodomai
noone
not
nothing
page
paulgraham.com
phishing
postmaster
privacy
rating
root
rx.t-online
samples
secur
service
site
soft
somebody
someone
spam
spm
submit
support
symantec
thawte
the.bat
unix
valicert
verisign
verisign.com
webmaster
webroot.com
www
you
your


Other information

The trojan opens TCP port 80.

The trojan creates the following files:

%windir%\ws386.ini
%windir%\s32.txt
%windir%\g32.txt
%windir%\gs32.txt
%windir%\db32.txt
%windir%\lg32.txt
%temp%\%variable%.tmp
%temp%\_check32.bat

%variable% stands for random text. The trojan contains a list of 5 URLs.
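The service, registry and dropped-file artefacts listed in this entry can be turned into a simple host check. The following Python script is an added defender-side example, not part of the encyclopedia entry and not the trojan's code: it parses a registry export written in the same bracketed "[key]" / "name" = value form used above, expands the %system%, %windir% and %temp% placeholders to folders you supply, and reports which of the entry's indicators are present. The registry dump, file listing and folder mapping embedded in the script are constructed sample data; on a live Windows host you would feed it a real export (or replace the parser with winreg lookups) and a real directory listing.

```python
"""Offline indicator check for the Win32/Agent.NEQ artefacts listed above.

Constructed example: parses a registry export in the '[key]' / '"name" = value'
form and a file listing, and reports which indicators from the entry are present.
"""
import re
from typing import Dict, List

# Indicators taken from the encyclopedia entry.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr"
LEGACY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft"
DISPLAY_NAME = "Microsoft ASPI Manager"
DROPPED_FILES = [
    r"%system%\aspimgr.exe",
    r"%windir%\ws386.ini", r"%windir%\s32.txt", r"%windir%\g32.txt",
    r"%windir%\gs32.txt", r"%windir%\db32.txt", r"%windir%\lg32.txt",
    r"%temp%\_check32.bat",
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')


def parse_registry_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Parse '[key]' headers and '"name" = value' lines into {key: {name: value}}.

    Quoted string values have their quotes removed; numbers are kept as text.
    A key with no values (like the Sft marker key) is still recorded.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip().strip('"')
    return keys


def expand_placeholders(path: str, env: Dict[str, str]) -> str:
    """Replace %system%, %windir%, %temp% with the folders given in env (lower-case keys)."""
    def sub(m: "re.Match[str]") -> str:
        return env.get(m.group(1).lower(), m.group(0))
    return re.sub(r"%([A-Za-z]+)%", sub, path)


def check_indicators(reg: Dict[str, Dict[str, str]], files: List[str],
                     env: Dict[str, str]) -> List[str]:
    """Return a human-readable finding for every indicator that matches."""
    findings: List[str] = []
    svc = reg.get(SERVICE_KEY)
    if svc is not None:
        findings.append(f"service key present: {SERVICE_KEY}")
        image = svc.get("ImagePath", "")
        if image.lower().endswith(r"\aspimgr.exe"):
            findings.append(f"ImagePath points at aspimgr.exe: {image}")
        if svc.get("DisplayName") == DISPLAY_NAME:
            findings.append(f'DisplayName is "{DISPLAY_NAME}"')
        # Start = 2 is an auto-start service; ObjectName = LocalSystem gives it full privileges.
        if svc.get("ObjectName") == "LocalSystem" and svc.get("Start") == "2":
            findings.append("auto-start service running as LocalSystem")
    if any(k.startswith(LEGACY_KEY) for k in reg):
        findings.append("LEGACY_ASPIMGR enum entries present")
    if MARKER_KEY in reg:
        findings.append(f"marker key present: {MARKER_KEY}")
    present = {f.lower() for f in files}
    for dropped in DROPPED_FILES:
        expanded = expand_placeholders(dropped, env).lower()
        if expanded in present:
            findings.append(f"dropped file present: {expanded}")
    return findings


# Constructed sample input: a registry export and directory listing from a hypothetical host.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr]
"Type" = 16
"Start" = 2
"ErrorControl" = 1
"ImagePath" = "C:\Windows\System32\aspimgr.exe"
"DisplayName" = "Microsoft ASPI Manager"
"ObjectName" = "LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASPIMGR]
"NextInstance" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft]
'''
SAMPLE_FILES = [r"C:\Windows\System32\aspimgr.exe", r"C:\Windows\ws386.ini",
                r"C:\Windows\notepad.exe"]
SAMPLE_ENV = {"system": r"C:\Windows\System32", "windir": r"C:\Windows",
              "temp": r"C:\Users\Public\Temp"}


def scan_sample() -> List[str]:
    """Run the check over the constructed sample; returns eight findings."""
    return check_indicators(parse_registry_dump(SAMPLE_DUMP), SAMPLE_FILES, SAMPLE_ENV)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

The ImagePath test uses a suffix match rather than the literal "%system%\aspimgr.exe" from the entry, because a real export contains the expanded path (for example C:\Windows\System32\aspimgr.exe); the display name and LocalSystem/auto-start combination are checked separately so that a renamed binary still produces a finding on the service's other attributes.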