Backdoor.ASP.Ace.jd
From Total Malware Info
Last edited: 29.5.2011
This program is a password-protected ASP (Active Server Pages) web shell: an HTML page containing JavaScript and VBScript which, once placed on a web server, lets its operator probe that server for weaknesses and steal confidential information from it. It is 140205 bytes in size.
md5: CD3CF4FC6E5404010F0D089FB6628A04
sha1: 829D6EBE574A1894D42BDEB0F0F24913CD366D86
Payload
The program bundles a set of backdoor functions that use different mechanisms to gain access to the server it runs on and to obtain confidential information from it; its stated purpose is "testing" that web server.
Once opened, the page displays a menu from which one of the following items can be selected:
1. login
2. PageList
3. objOnSrv
4. ServiceList
5. userList
6. CSInfo
7. infoAboutSrv
8. AppFileExplorer
9. WsCmdRun
10. FsoFileExplorer
11. OtherTools
12. TxtSearcher
13. PageAddToMdb
Before any other item can be used, the operator must select the first item (login) and enter the password "SPMSPM".
The operator can then perform the following actions and obtain the following information about the web server:
1. Password entry (login).
2. Displaying the list of functions available in the program;
3. Displaying the components (COM objects) available on the web server;
4. Obtaining information about the services running on the server (service name, path, description, startup parameters, status and service type) using the ADSI WinNT provider;
5. Displaying information about the computer's accounts (user name, password attributes, account type, date of last login, etc.);
6. Displaying the contents of the web server's Application, Session and Cookies collections;
7. Obtaining information about the web server:
- server name;
- server IP address;
- port in use;
- HTTP server software;
- full path to the server's root;
- current server time;
- number of processors;
- processor and operating system details.
Information about the web server's logical drives:
- volume name;
- file system type;
- free space;
- total space;
- drive type.
Information about the folder that holds the web server's files:
- size;
- size of its directories and subdirectories;
- creation date;
- last access date.
Information about Terminal Services:
- the port number that the server uses by default for new terminal sessions;
- if automatic logon is configured on the computer, the user name and password, read in clear text from the following registry key:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "DefaultUserName" "DefaultPassword"
8. Using the "ADODB.Stream" and "Shell.Application" objects:
- reading and saving the contents of a file at a path supplied by the operator;
- appending operator-supplied text to a file;
- downloading and storing a file from a URL supplied by the operator;
- copying and moving files and directories;
- renaming files and directories;
- displaying and setting the attributes of files or folders (hidden, system, read-only, archive, normal, offline, temporary, compressed, encrypted, sparse);
- sending a file to an address specified by the operator;
- modifying the contents of a file;
9. Executing commands via the command line (cmd.exe);
10. Using the Scripting.FileSystemObject component:
- creating files;
- editing or displaying the contents of files;
- appending operator-supplied text to a file;
- accessing a path supplied by the operator;
- copying and moving files and directories;
- renaming files;
- deleting files;
- displaying and setting the attributes of files or directories (hidden, system, read-only, archive, normal, offline, temporary, compressed, encrypted, sparse);
- uploading files to, or sending files from, the server by means of "ADODB.Stream", to or from locations specified by the operator.
11. Using the "Microsoft.XMLHTTP" object to download a file and the "ADODB.Stream" object to save it on the server; the download URL and the name under which the file is saved are specified by the operator.
12. Using the ADSI WinNT provider to create a local account with administrator rights; the account name and password are specified by the operator.
13. Displaying the contents of registry keys entered by the operator.
14. Searching files for text typed by the operator.
If an action fails or the requested information cannot be obtained, the program displays an error message.
15. Checking whether the "ADODB.RecordSet", "ADODB.Stream", "ADODB.Connection" and "ADOX.Catalog" objects can be used to create a database on the server, stored in the file "idTop.mdb", and whether data can be written to it.
If this fails, a corresponding error is displayed.
In addition, the trojan offers the following database operations:
- displaying the list of tables in a database;
- editing a table;
- deleting the contents of a table;
- editing a table field;
- saving a table field;
- deleting fields from a table;
- displaying the list of records;
- editing records;
- adding a record;
- updating a record;
- deleting a record;
- displaying the list of stored procedures;
- editing stored procedures;
- deleting stored procedures;
- displaying information about the views in the current database;
- modifying an existing view;
- displaying, for each view in the current database, whether the tables it is based on are local or linked;
- deleting a view from the current database;
- displaying information about the current database;
- sending arbitrary SQL queries.
Removal instructions
If your computer does not have antivirus software and is infected by this malicious program, follow the instructions below to remove it:
1. Delete the original malicious file (its location on the infected computer depends on how the program originally reached the machine; on a web server, check the web root and any directory that accepts uploads).
2. Clear the Temporary Internet Files directory, which may contain infected files.
3. Perform a full system scan with antivirus software with updated databases.
4. Because the program can read the automatic-logon password from the Winlogon registry key and can create administrator accounts, change that password and review the local Administrators group for accounts you did not create.
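Locating the file in step 1 is the hard part on a web server, because the shell can be dropped under any name. The following Python script is an added example, not part of this description and not code from the malware: it walks a web root, compares each ASP-type file against the MD5 and SHA1 published above, and otherwise scores the file on the strings this description gives (the login password "SPMSPM", the database name "idTop.mdb", the COM ProgIDs, the WinNT:// ADSI moniker, cmd.exe and the Winlogon DefaultPassword value). The set of file extensions scanned, the threshold of three indicators and the two embedded sample files are assumptions made for the example; the samples are constructed fixtures, not the real malware.

```python
"""Added example: find and triage ASP web shells of the kind described above.

Not part of the original description. The two hashes come from the page;
everything else (extensions scanned, indicator set, threshold, sample files)
is an assumption made for this example.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes published on this page for Backdoor.ASP.Ace.jd (lower-case hex).
KNOWN_MD5 = {"cd3cf4fc6e5404010f0d089fb6628a04"}
KNOWN_SHA1 = {"829d6ebe574a1894d42bdeb0f0f24913cd366d86"}

# Strings taken from the description: the login password, the Access database
# the shell creates, and the COM ProgIDs / ADSI moniker it relies on. Each one
# alone also occurs in legitimate ASP, so a file is flagged only when several
# occur together (threshold below) or its hash matches.
INDICATORS = {
    "password SPMSPM": re.compile(r"SPMSPM"),
    "idTop.mdb": re.compile(r"idTop\.mdb", re.I),
    "ADODB.Stream": re.compile(r"adodb\.stream", re.I),
    "Shell.Application": re.compile(r"shell\.application", re.I),
    "WScript.Shell": re.compile(r"wscript\.shell", re.I),
    "Scripting.FileSystemObject": re.compile(r"scripting\.filesystemobject", re.I),
    "Microsoft.XMLHTTP": re.compile(r"microsoft\.xmlhttp", re.I),
    "ADOX.Catalog": re.compile(r"adox\.catalog", re.I),
    "WinNT:// ADSI provider": re.compile(r"WinNT://", re.I),
    "cmd.exe": re.compile(r"cmd\.exe", re.I),
    "Winlogon DefaultPassword": re.compile(r"DefaultPassword", re.I),
}
INDICATOR_THRESHOLD = 3                                   # assumption: tune per web root
ASP_SUFFIXES = {".asp", ".asa", ".aspx", ".cer", ".cdx"}  # assumption: IIS ASP mappings


def triage_content(data: bytes) -> dict:
    """Hash the file and list which indicator strings it contains."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    text = data.decode("latin-1")          # never raises; one char per byte
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    hash_match = md5 in KNOWN_MD5 or sha1 in KNOWN_SHA1
    return {
        "md5": md5,
        "sha1": sha1,
        "hash_match": hash_match,
        "indicators": hits,
        "suspicious": hash_match or len(hits) >= INDICATOR_THRESHOLD,
    }


def scan_webroot(root) -> list:
    """Return a triage record for every suspicious ASP-type file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ASP_SUFFIXES:
            result = triage_content(path.read_bytes())
            if result["suspicious"]:
                result["path"] = str(path)
                findings.append(result)
    return findings


# Constructed fixtures, not the real malware: just enough of the described
# behaviour (password gate, cmd.exe runner, ADODB.Stream) to exercise the scorer.
SAMPLE_SHELL = b"""<%@ Language=VBScript %>
<% If Request.Form("pwd") = "SPMSPM" Then Session("ok") = True
Set ws = Server.CreateObject("WScript.Shell")
Set ex = ws.Exec("cmd.exe /c " & Request.Form("c"))
Set st = Server.CreateObject("ADODB.Stream") %>"""

SAMPLE_BENIGN = b"""<%@ Language=VBScript %>
<% Set fso = Server.CreateObject("Scripting.FileSystemObject")
Response.Write fso.GetFile(Server.MapPath("news.txt")).Size %>"""


def demo() -> list:
    """Write both fixtures into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "default.asp").write_bytes(SAMPLE_BENIGN)
        (Path(root) / "images").mkdir()
        (Path(root) / "images" / "upload.asp").write_bytes(SAMPLE_SHELL)
        return scan_webroot(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], "md5=" + hit["md5"], "hash_match=%s" % hit["hash_match"],
              "indicators=" + ", ".join(hit["indicators"]))
```

Run it against a real web root with `scan_webroot(r"C:\inetpub\wwwroot")`. A hash match identifies this exact sample; the indicator score catches re-saved or lightly edited copies, which is why a single ProgID is deliberately not enough to flag a file. Treat every hit as a lead to inspect by hand rather than as a verdict.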