This backdoor may be dropped by other malware. It may be downloaded unknowingly by a user when visiting malicious Web sites.
Upon execution, this backdoor drops several files, some of which are detected as BKDR_ASPROX.B.
It creates a registry entry to enable the automatic execution of its dropped malicious file.
This backdoor opens port 80 and acts as an HTTP proxy. It then connects to certain sites, and retrieves the connection time for each.
It then deletes itself after execution.
It uploads specific information to the above-mentioned Web sites, using an HTTP POST command. This backdoor also allows a remote malicious user to perform commands on the affected system. It also retrieves commands and updates from the said sites, by parsing the HTTP page being returned by the server during upload of stolen information. The returned HTTP page is obfuscated. It searches the registry for FTP hosts, user accounts, and passwords.
It gathers e-mail addresses on affected the system, however those addresses should satisfy certain conditions.
More...