SMSX.EXE - DoS Trojan

Eden Akhavi eden.akhavi at ltt.com
Mon May 12 15:00:59 UTC 2003


This may be a little OT, but we had some complaints from our customers
who complained about saturated connections. We tracked it down to being
a trojan (smsx.exe) that was sitting in their system32 directory.

I stripped some of the ASCII from the file:

PUSH <target> <port> <secs>   = A push flooder
 t& NOTICE %s :TCP <target> <port> <secs>    = A syn flooder
 ¶    NOTICE %s :UDP <target> <port> <secs>    = A udp flooder
 ¶    NOTICE %s :MCON <target> <port> <num> <secs> <holdtime>   = A
connectbomb flooder
 ¶    ¼'    NOTICE %s :DUMP <target> <port> <num> <secs> <holdtime> =
dumps the evilbufs to a port
 ´&    NOTICE %s :MCLONE <target> <port> <num> <secs> <holdtime> =
connects to irc and dumps the evilbufs
 NOTICE %s :NICK <nick>                   =
Changes the nick of the client
 NOTICE %s :DISABLE <pass>                =
Disables all packeting from this client


The program connects to sd.ubersource.net (218.145.53.103) port 6667
(IRC) joins a channel called #REDARMY password :kalashnikov. And there
it seems to wait for comments like PUSH TCP UDP as above.

I am not sure of the delivery mechanism to get it onto the customers PC
but it is certainly an issue. We have blocked access to
sd.ubersource.net for now to see if the problems disappear.

Regards



Eden




More information about the NANOG mailing list