Danmec

Type: Trojan
SubType: Trojan
Discovery Date: 12/21/2005
Length: varies
Minimum DAT: 4655 (12/21/2005)
Updated DAT: 5296 (05/15/2008)
Minimum Engine: 5.1.00
Description Added: 12/21/2005
Description Modified: 05/15/2008 11:22 AM (PT)
Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update May 15, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2008/05/14/asprox_attacks_websites/

--

This detection is for a trojan that, upon execution, searches Google for .asp pages and attempts to compromise the websites it finds by launching a SQL injection attack. The trojan is downloaded by Proxy-Agent.af.gen, which can also open a backdoor port used to receive instructions from the attacker.

The trojan is designed to inject a script/iframe tag pointing to dir[blocked]84.com, which forces visitors to download the malicious script every time the page loads.

The trojan creates a service entry with the display name “Microsoft Security Center Extension”, with the intention of masquerading as a legitimate Windows service.

The Trojan sends information about the infected machine via HTTP POST to the following sites:

  • http://66.199.241.98/[blocked]
  • http://82.103.140.75/[blocked]
  • http://72.21.63.114/[blocked]
  • http://66.232.102.169/[blocked]
  • http://66.96.196.53/[blocked]

Symptoms

  • Existence of the Windows service entry described above.
  • Outgoing HTTP traffic to the sites listed above.
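The characteristics and symptoms above turned into detection logic, added here as an example (my code, not part of the AVERT description): it flags HTTP POSTs to the listed check-in hosts in a Squid-style proxy log, service entries carrying the fake display name, and script/iframe tags on a page that point outside the site's own hosts. The log layout, the (name, display_name) service export and all sample data are constructed assumptions; the redacted request paths and the injected domain are placeholders.

```python
import re

# Check-in hosts the description lists for the trojan's HTTP POST traffic.
DANMEC_POST_HOSTS = {"66.199.241.98", "82.103.140.75", "72.21.63.114",
                     "66.232.102.169", "66.96.196.53"}
# Display name of the fake Windows service the trojan registers.
FAKE_SERVICE_DISPLAY_NAME = "Microsoft Security Center Extension"
# Assumed Squid native access-log layout: time elapsed client code/status
# bytes method url ...  Only client, method and url are extracted.
_LOG = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+([A-Z]+)\s+(\S+)")
_HOST = re.compile(r"^https?://([^/:?#]+)", re.I)
_SRC_TAG = re.compile(
    r"<(?:script|iframe)\b[^>]*?\ssrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)

def flag_checkin_posts(log_lines):
    """Return (client_ip, host) for every HTTP POST to a listed check-in host."""
    hits = []
    for line in log_lines:
        m = _LOG.match(line)
        if not m or m.group(2) != "POST":
            continue
        h = _HOST.match(m.group(3))
        if h and h.group(1) in DANMEC_POST_HOSTS:
            hits.append((m.group(1), h.group(1)))
    return hits

def flag_fake_service(services):
    """services: (name, display_name) pairs, e.g. exported from Get-Service.
    Returns the names whose display name matches the trojan's lure string."""
    return [n for n, d in services
            if d.strip().lower() == FAKE_SERVICE_DISPLAY_NAME.lower()]

def flag_injected_markup(html, trusted_hosts):
    """Return src URLs of <script>/<iframe> tags that point outside the site's
    own hosts: the injected-markup pattern a compromised .asp page carries."""
    trusted = {t.lower() for t in trusted_hosts}
    return [s for s in _SRC_TAG.findall(html)
            if _HOST.match(s).group(1).lower() not in trusted]

# Constructed sample data (not from the description); the request paths and
# the injected domain are placeholders because the description redacts them.
SAMPLE_LOG = [
    "1210800000.1 120 10.0.0.5 TCP_MISS/200 512 POST http://66.199.241.98/REDACTED - DIRECT/66.199.241.98 text/html",
    "1210800001.2 80 10.0.0.5 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html",
    "1210800002.3 95 10.0.0.9 TCP_MISS/200 300 POST http://66.96.196.53/REDACTED - DIRECT/66.96.196.53 text/html",
]
SAMPLE_SERVICES = [("wuauserv", "Automatic Updates"), ("msscx", "Microsoft Security Center Extension")]
SAMPLE_HTML = ('<html><body><script src="http://www.example.com/site.js"></script>'
               '<iframe src="http://INJECTED-DOMAIN.example/b.js" width=0></iframe></body></html>')
```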

Method of Infection

This trojan is downloaded by Proxy-Agent.af.gen which could also open a backdoor port used to receive instructions from the attacker.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A

Aliases

  • Trojan:Win32/Danmec.gen!A (Microsoft)