(imported topic written by BarryWallis91)
We have found this trojan on a machine running BigFix AV. However, neither real-time scanning nor an on-demand scan identified this. Is this an issue with BigFix AV?
(imported comment written by BarryWallis91)
Updated information: It looks like this is a new variant of the ASPROX trojan. Trend Micro has it listed as TROJ_ASPROX.A: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ASPROX.A&VSect=P.
(imported comment written by BenKus)
Hi Barry,
eTrust is the engine that powers the BigFix AntiVirus and I spent some time looking through their AV information at http://www.ca.com/us/securityadvisor/default.aspx , but I didn’t find anything that looked like this trojan. This might mean that the eTrust engine doesn’t know about this trojan yet.
We can escalate this issue to eTrust and let you know, but I think it makes sense for you to start a BigFix case so we can track this and communicate with you properly.
Thanks,
Ben
(imported comment written by BarryWallis91)
Our desktop engineer has opened a ticket on this with BigFix support. Trend Micro has had definitions for this variant since 12/13/2007: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ASPROX.A&VSect=P
(imported comment written by BenKus)
Hey Barry,
Actually, it looks like eTrust does have a definition for this trojan, but it is called DANMEC and it is here: http://www.ca.com/securityadvisor/pest/pest.aspx?id=453112813
However, this trojan is considered Spyware and so it is detected by BigFix AntiSpyware and not BigFix AntiVirus (which explains why you did not see it detected). To remove this trojan and all other spyware, you need to use the AntiPest software.
Until you can get AntiPest in place, I wrote a Fixlet that will detect and remove this particular trojan so you can help deal with this problem now. It is attached to this post (you can only see attachments if you are logged into the forum).
I couldn’t test the Fixlet and I am not sure it will remove every single piece of the trojan so let me know what you find.
Ben
(imported comment written by BarryWallis91)
Thanks for the quick turnaround on this; it is appreciated. Unfortunately, we may not be able to test this until tomorrow.
(imported comment written by BarryWallis91)
The Fixlet is great at detecting the infected machines. Unfortunately, we need to do the remediation by hand because it requires booting into Safe Mode.