BKDR_ASPROX.B - Description and solution


  • 自分自身がプロキシになるタイプ
  • 自分自身を動作後削除
  • HTTP POST内容をアップロード

Upon execution, this backdoor drops several files, some of which are detected as BKDR_ASPROX.B.

It opens port 80 and acts as an HTTP proxy. It then connects to certain sites, and retrieves the connection time for each.
It then deletes itself after execution.

It uploads specific information to the above-mentioned Web sites, using an HTTP POST command. This backdoor also allows a remote malicious user to perform commands on the affected system.
It also retrieves commands and updates from the said sites, by parsing the HTTP page being returned by the server during upload of stolen information. The returned HTTP page is obfuscated. It searches the registry for FTP hosts, user accounts, and passwords.
It gathers e-mail addresses on affected the system, however those addresses should satisfy certain conditions.