Backdoor:ASP/Aspy.A


Backdoor:ASP/Aspy.A is a backdoor trojan, written in ASP.Net, that allows unauthorized remote access and control of an affected computer or server.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. Because this threat is a server-side web page rather than a conventional executable, also check the web content directories and the web server request logs for the file names listed under Installation, and establish how the page was written to the server: removing the page alone leaves the upload or code-execution path that placed it open. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

 

Threat behavior

Backdoor:ASP/Aspy.A is a backdoor trojan, written in ASP.Net, that allows unauthorized remote access and control of an affected computer or server.

Installation

Backdoor:ASP/Aspy.A may be present on a compromised host as a file with an .asp or .aspx extension, stored in a directory that holds web pages so that a remote attacker can reach it with a web browser over the Internet. The following file names are examples of the trojan as found in the wild:

  • action_refresh.aspx
  • pw.aspx
  • plugins.aspx
  • legion.aspx;jpg
  • cmd.aspx
  • iskox.aspx
  • css.aspx
  • ASPXspy2.aspx

Note the name 'legion.aspx;jpg' above: IIS 6 chooses the handler from the part of the name before the semicolon, so the file is executed as an ASP.NET page even though it appears to end in 'jpg', which helps it pass upload filters that check only the final extension.

When the trojan page is accessed, it requests a logon before granting a control session. The default password for the trojan is 'admin'. The password is part of the page itself, so a deployed copy may have been changed from the default.
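The file names above are the practical hunting lead on an IIS server. The following Python script is an added example, not part of the original entry and not code from the shell: it parses IIS W3C-format logs, flags requests to the listed names and to any name of the form `something.aspx;...` (the IIS 6 handler-selection behaviour just described), and runs against a constructed log sample embedded in the script. Field names follow the IIS W3C `#Fields:` header; the sample log lines, host names and IP addresses are made up.

```python
"""Hunt IIS W3C logs for requests to Aspy.A / ASPXspy-style shell pages."""
import re
from collections import namedtuple
from urllib.parse import unquote

# File names the entry lists as seen in the wild (lower case for matching).
KNOWN_SHELL_NAMES = {
    "action_refresh.aspx", "pw.aspx", "plugins.aspx", "legion.aspx;jpg",
    "cmd.aspx", "iskox.aspx", "css.aspx", "aspxspy2.aspx",
}

# IIS 6 picks the handler from the part of the name before ';', so
# "photo.aspx;.jpg" runs as ASP.NET although an upload filter saw ".jpg".
SEMICOLON_TRICK = re.compile(r"\.aspx?;", re.IGNORECASE)

Finding = namedtuple("Finding", "when client method path reason")


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def classify(path):
    """Return why a request path looks like a shell, or None if it does not."""
    name = unquote(path).rsplit("/", 1)[-1].lower()
    if name in KNOWN_SHELL_NAMES:
        return "known Aspy.A file name"
    if SEMICOLON_TRICK.search(name):
        return "semicolon in .aspx name (IIS 6 handler trick)"
    return None


def hunt(lines):
    """Return Finding records for every suspicious request in the log."""
    findings = []
    for rec in parse_w3c(lines):
        path = rec.get("cs-uri-stem", "")
        reason = classify(path)
        if reason:
            when = rec.get("date", "") + " " + rec.get("time", "")
            findings.append(Finding(when, rec.get("c-ip"),
                                    rec.get("cs-method"), path, reason))
    return findings


# Constructed sample log (made-up server and client addresses), IIS W3C layout.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-08-11 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-08-11 10:00:01 10.0.0.5 GET /default.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows) 200 0 0 15
2010-08-11 10:00:09 10.0.0.5 POST /upload/legion.aspx;jpg - 80 - 198.51.100.7 Mozilla/5.0+(Windows) 200 0 0 31
2010-08-11 10:00:40 10.0.0.5 POST /upload/photo.aspx;.jpg - 80 - 198.51.100.7 Mozilla/5.0+(Windows) 200 0 0 28
2010-08-11 10:01:02 10.0.0.5 POST /images/cmd.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows) 200 0 0 47
2010-08-11 10:02:00 10.0.0.5 GET /css/style.css - 80 - 203.0.113.9 Mozilla/5.0+(Windows) 200 0 0 2
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.when} {f.client} {f.method} {f.path}: {f.reason}")
```

Matching on file names only finds copies that kept a known name; a POST to any .aspx page under a directory that should hold static content (uploads, images) is the next thing to review by hand, since a renamed copy of the shell behaves the same way.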

Payload

Allows unauthorized remote access and control
Once logged in, the attacker can use the trojan page to perform the following actions against the compromised computer or server:

  • File management - download, upload, edit, copy, rename and delete files
  • Directory management - create, rename and delete directories
  • Execute arbitrary commands through cmd.exe
  • Extract IIS user credentials
  • List processes and services
  • List detailed user and system configuration information (domain, IP address, OS version, CPU, etc.)
  • Search and replace file contents
  • Serv-U privilege escalation exploit
  • List registry keys and values
  • Port scanning
  • MSSQL and Microsoft Access database access
  • TCP port redirection
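
A page that offers this capability set needs the corresponding .NET APIs, which gives a way to find copies of the shell regardless of file name. The scanner below is an added example, not code from the original entry or from the shell; the indicator patterns are assumed from the feature list above rather than taken from Aspy.A source, the reporting threshold of three capability categories is a chosen heuristic, and the two embedded pages are constructed samples written for this example.

```python
"""Heuristic scan of ASP.NET pages for the capability set Aspy.A exposes."""
import os
import re

# Each category maps to .NET APIs the capability needs. These are assumed
# indicators derived from the feature list, not signatures from the shell.
CAPABILITY_INDICATORS = {
    "command execution": [r"System\.Diagnostics\.Process", r"Process\.Start", r"cmd\.exe"],
    "registry access":   [r"Microsoft\.Win32\.Registry", r"RegistryKey"],
    "database access":   [r"System\.Data\.SqlClient", r"System\.Data\.OleDb"],
    "network sockets":   [r"System\.Net\.Sockets", r"TcpClient", r"TcpListener"],
    "file management":   [r"File\.Delete", r"File\.Copy", r"Directory\.Delete", r"Request\.Files"],
    "process listing":   [r"Process\.GetProcesses", r"ServiceController"],
}
THRESHOLD = 3  # chosen heuristic: categories needed before a page is reported
PAGE_EXT = (".aspx", ".asp", ".ashx", ".asmx")


def capabilities(source):
    """Return the set of capability categories whose indicators appear in source."""
    return {cat for cat, patterns in CAPABILITY_INDICATORS.items()
            if any(re.search(p, source) for p in patterns)}


def is_suspicious(source):
    return len(capabilities(source)) >= THRESHOLD


def suspicious_name(name):
    """'x.aspx;jpg' style names run as ASP.NET on IIS 6 whatever follows the ';'."""
    low = name.lower()
    return ";" in low and low.split(";", 1)[0].endswith(PAGE_EXT)


def scan_tree(root):
    """Walk a web root; return (path, reasons) for files worth a manual look."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if suspicious_name(name):
                hits.append((path, {"semicolon in page name"}))
                continue
            if not name.lower().endswith(PAGE_EXT):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    caps = capabilities(fh.read())
            except OSError:
                continue
            if len(caps) >= THRESHOLD:
                hits.append((path, caps))
    return hits


# Constructed samples (not the shell's real source) so the script runs stand-alone.
BENIGN_PAGE = """<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
  void Page_Load() { Response.Write(DateTime.Now.ToString()); }
</script>"""

SHELL_LIKE_PAGE = """<%@ Page Language="C#" %>
<script runat="server">
  // command execution, registry, sockets and file management in one page
  void Run() { System.Diagnostics.Process.Start("cmd.exe", "/c " + Request.Form["c"]); }
  void Reg() { var k = Microsoft.Win32.Registry.LocalMachine; }
  void Scan() { var c = new System.Net.Sockets.TcpClient(); }
  void Del() { System.IO.File.Delete(Request.Form["f"]); }
</script>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("shell-like", SHELL_LIKE_PAGE)):
        print(label, is_suspicious(page), sorted(capabilities(page)))
```

Run `scan_tree(r"C:\inetpub\wwwroot")` on the server to walk a real web root. Legitimate administrative pages can also cross the threshold, so treat hits as candidates for review rather than verdicts, and compare each against the deployed application's known source.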

Analysis by Shawn Wang


Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only visible symptoms on the host. Requests for the file names listed under Installation in the web server logs are a further indicator.

 

Prevention


Alert level: Severe
First detected by definition: 1.87.1686.0
Latest detected by definition: 1.87.1686.0 and higher
First detected on: Aug 11, 2010
This entry was first published on: Aug 20, 2010
This entry was updated on: Sep 13, 2011

This threat is also detected as:
  • ASP/Agent.NAB.Gen trojan (ESET)
  • Backdoor.ASP.Aspy (Ikarus)
  • IIS/BackDoor-ASP (McAfee)
  • Backdoor.ASP.Rootkit.d (BitDefender)
  • Backdoor.ASP.Akspy.c (Kaspersky)
  • ASP/BackDoor.gen (McAfee)
  • Troj/ASP-F (Sophos)