Aspimgr.exe: Are You Infected?

Aspimgr.exe or Microsoft ASPI Manager is a Trojan, also known as TROJ_ASPROX.A [Trend]. It was first discovered on June 8, 2007. The Trojan may affect the Windows 95, 98, NT, ME, 2000, XP and Server 2003 computers. After infecting a PC, this Trojan horse uses the infected computer as a proxy server.

Many users are usually unaware that they are infected with this Trojan because it lists itself as Microsoft Corporation; ; 5.1.2600.0 (xpclient.010817-1148) and Microsoft Corporation; Microsoft ASPI Manager; 5.1.2600.0 (xpclient.010817-1148) as the purported vendor, product and version information. Most computer users would not consider anything from Microsoft as being a threat to their computer’s security.

Many believe that the Trojan originated from the Russian Federation, but no clear information exists as to the source. The malware has been observed in the European Union, the United Arab Emirates, Spain and Taiwan.

Aspimgr.exe Trojan File Information

The Trojan file is usually added to the C:\Windows\system32\aspimgr.exe folder. The file is usually found in 40,960 bytes and 61,440 bytes sizes.

How Aspimgr.exe Infects A PC

When the Trojan executes on your PC, it adds the following files:

• C:\Windows\system32\aspimgr.exe
• C:\Windows\s32.txt
• C:\Windows\db32.txt
• C:\Windows\g32.txt
• C:\Windows\gs32.txt
• C:\Windows\ws386.ini
• %Temp%\_check32.bat

The following registry entries are added:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft

Next, the infection opens a proxy server on TCP port 80 or 82. Aspimgr.exe communicates through HTTP protocols with other computers and uses these TCP ports to communicate. The TCP port acts like a listening post to emails that are sent using SMTP protocols. The port can also be commanded to execute a process, remove other disk processes, and create other processes on the disk.

Aspimgr.exe also registers itself as a Dynamic Link Library (dll) file and can perform Process Hijacking. This involves writing to the virtual memory of other processes and also uses DNS to retrieve the IP addresses of websites. The file can also enable In Process Object/Server which is usual for DLL injections.

The Trojan is known to make changes to Windows initialization and system settings used at system startup. Aspimgr.exe may also be packed and or encrypted using a software packing process.

Symantec assesses the threat level as low. This may be because the damage level is also considered low. Low levels of damage may translate to easy repair of the damage caused.

Symantec also considers removal of this Trojan as easy.

How to Remove Aspimgr.exe Infections

Perform the following steps to get rid of the aspimger.exe Trojan:

1. Disable System Restore by performing the following steps:
   1. Right-click My Computer and then select Properties.
   2. In the System Properties dialog box, display the System Restore tab.
   3. Select the Turn off System Restore or Turn off System Restore on all drives check box.

   By default, System Restore is enabled on your PC, and is used to take snapshots of your system files and configuration information. If your PC is infected with a virus, System Restore may backup virus files too. When you scan your PC using an antivirus utility it cannot remove infections from System Restore snapshots and the chances of your PC getting infected again are quite high.

2. Next, update your antivirus tool with the latest definitions.
3. Use the updated antivirus tool to run a full system scan of your PC and remove all infections. You may run the scan twice to ensure nothing is missed.
4. Open the Registry Editor tool by running the regedit command, and then delete the following registry entries:
   1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
   2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft

It is also recommended that you use a reliable registry cleaner tool, such as RegGenie, to weed out any left behind malicious registry entries to ensure complete Trojan removal.