Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: smsx.exe?
From: <eden.akhavi () ltt com>
Date: 12 May 2003 14:56:28 -0000
In-Reply-To: <5.2.0.9.0.20030505174924.035bfa88 () mail webcoach com>


smsx.exe is not the Microsoft SMS product, it is probably this:
http://www.superbank.ru/sms/

If you look at the bottom of the features page of this product, it is 
designed to send lots of SMS messages to hand help devices.
http://www.superbank.ru/sms/SMSexpress.htm

Your would be attacker is trying to get your machine to download software 
to send short messages to hand held devices. I have received a couple 
pieces of spam on my cell phone lately, so I am sensitive to this. Your 
would-be attacker's motives may be different.


We had some complaints from our customers who complained about saturated 
connections. We tracked it down to being a trojan (smsx.exe) that was 
sitting in their system32 directory.

I stripped some of the ASCII from the file:

PUSH <target> <port> <secs>   = A push flooder
 t& NOTICE %s :TCP <target> <port> <secs>    = A syn flooder
 ¶    NOTICE %s :UDP <target> <port> <secs>    = A udp flooder
 ¶    NOTICE %s :MCON <target> <port> <num> <secs> <holdtime>   = A 
connectbomb flooder
 ¶    ¼'    NOTICE %s :DUMP <target> <port> <num> <secs> <holdtime> = 
dumps the evilbufs to a port
 ´&    NOTICE %s :MCLONE <target> <port> <num> <secs> <holdtime> = 
connects to irc and dumps the evilbufs
 NOTICE %s :NICK <nick>                   = 
Changes the nick of the client
 NOTICE %s :DISABLE <pass>                = Disables 
all packeting from this client


The program connects to sd.ubersource.net (218.145.53.103) port 6667 (IRC) 
joins a channel called #REDARMY password :kalashnikov. And there it seems 
to wait for comments like PUSH TCP UDP as above.

I am not sure of the delivery mechanism to get it onto the customers PC 
but it is certainly an issue. We have blocked access to sd.ubersource.net 
for now to see if the problems disappear.

Regards



Eden

----------------------------------------------------------------------------
DROP NETWORK ATTACKS BEFORE THEY BEGIN FREE WHITE PAPER: Learn about a uniqueintrusion prevention solution that 
identifies and drops malicious
traffic before it hits the network. Download, "Intrusion Detection and 
Prevention" at:

http://www.securityfocus.com/NetScreen-focus-ids
----------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
  • smsx.exe? Steve Bromwich (May 05)
    • <Possible follow-ups>
    • RE: smsx.exe? Altheide, Cory B. (May 05)
    • Re: smsx.exe? eden.akhavi (May 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]