W32.Asper


Aliases: W32/Asper, W32/Asper-B, Win32.Asper.B, Win32.HLLW.Asper, Win32:HLL-Asperg-118272
Variants: Troj/Agent-EFP, HLLW/Asperg.118272, Win32.HLLW.Asperg.118272, Virus.Win32.HLLW.Asperg.118272, Asperg.118272

Classification: Malware
Category: Trojan Horse

Status: Inactive
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 02 Feb 2002
Damage: Medium

Characteristics: The main characteristic of the W32.Asper malware is that it carries a document encrypted with an XOR algorithm. This encrypted document is embedded within the malware's own code to reduce the likelihood of detection.

More details about W32.Asper

Consistent with most Trojan Horse variants, W32.Asper presents itself as a legitimate file to conceal its real purpose of damaging the computer system. When executed, it attempts to write its encrypted file into the TEMP folder of the Windows directory. This encrypted file serves as the trigger for the malware: once it has been written to the host system, it is automatically opened with Microsoft Word, which is meant to mislead the user into thinking that an ordinary Word document has been opened. The Word document itself is not infected; in the background, however, W32.Asper simultaneously copies an instance of itself into the System folder of the Windows directory. The copy uses a random filename but normally carries the EXE file extension.
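As an added example (not part of this entry, and not W32.Asper's own code), the following Python shows how an analyst can locate an XOR-obscured legacy Word (OLE2) document embedded in a sample by using the fixed OLE2 header as known plaintext. The single-byte key and the constructed sample bytes are assumptions, since the entry does not state the key length.

```python
# Added example: recover a single-byte-XOR-obscured OLE2 (legacy .doc) document
# from a binary blob. The key length (one byte) is an assumption; the entry gives
# no key length. The sample bytes below are constructed for the demonstration.

# Every OLE2 compound file (legacy Word .doc) starts with this fixed 8-byte magic.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def find_xored_ole2(blob: bytes):
    """Return (offset, key) of the first OLE2 header found under any single-byte
    XOR key, or None if no candidate is present. Key 0 means the document is
    stored in the clear."""
    for key in range(256):
        # XOR the known header with the candidate key instead of the whole blob:
        # the search then reduces to a plain substring match per key.
        needle = bytes(b ^ key for b in OLE2_MAGIC)
        off = blob.find(needle)
        if off != -1:
            return off, key
    return None


def extract_document(blob: bytes, offset: int, key: int, length: int) -> bytes:
    """Decode `length` bytes of the embedded document starting at `offset`."""
    return bytes(b ^ key for b in blob[offset:offset + length])


def build_sample(key: int) -> bytes:
    """Constructed sample: a fake PE-like prefix followed by a tiny fake OLE2
    document XORed with `key`. This is not a real malware sample."""
    doc = OLE2_MAGIC + b"\x00" * 8 + b"constructed body"
    prefix = b"MZ\x90\x00" + bytes(range(16))      # 20 opaque bytes
    return prefix + bytes(b ^ key for b in doc)


if __name__ == "__main__":
    sample = build_sample(0x5A)
    hit = find_xored_ole2(sample)
    if hit is not None:
        offset, key = hit
        print(f"OLE2 header at offset {offset}, XOR key 0x{key:02X}")
        print(extract_document(sample, offset, key, 8).hex())
```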

A registry key with a random name is then created in a certain location of the Windows Registry. This persists the infection, allowing W32.Asper to launch at each system restart or boot-up. The malware also creates Syscall32.vxd, a four-byte file intended to mark the computer system as infected. Once all of these routines are complete, W32.Asper delivers its final payload: it uses the Deltree command to attempt to delete all contents stored on the hard drive of the infected computer system.