smsc.exe new sasser or gaobot variant?

pc user

There is a file on my computer called smsc.exe and it has infected
other computers as well. The file is 123,168 bytes long and is
compressed with the FSG compressor. Using UN-FSG 1.33.3 by SMoKE can
decompress this file. Once it was decompressed, I saw several strings
that are similar to those found in the sasser and gaobot virus. For
example, the listing of a variety of anti-virus scanners, firewalls,
etc. Does anyone know what exactly this file is?
 
Which av scanners have you tried? Upload the file to KAV and see what
it has to say:

http://www.kaspersky.com/remoteviruschk.html

Have you submitted the file to any av vendors for analysis?


Art
http://www.epix.net/~artnpeg
 
pc user said:
There is a file on my computer called smsc.exe and it has infected
other computers as well. The file is 123,168 bytes long and is
compressed with the FSG compressor. Using UN-FSG 1.33.3 by SMoKE can
decompress this file. Once it was decompressed, I saw several strings
that are similar to those found in the sasser and gaobot virus. For
example, the listing of a variety of anti-virus scanners, firewalls,
etc. Does anyone know what exactly this file is?

The best way to tell is to use a scanner on it. If none of them
detect anything, submit it to your choice of vendor for further
scrutiny.

Such listings of applications' processes to kill are becoming very common
to many types of malware these days.
 
I submitted the file to McAfee and they responded very promptly. It is
another variant of W32/Gaobot.worm.gen. Kaspersky says the file is
clean, and I'm still waiting on Symantec.

If it is another variant of the Gaobot, I'm still wondering how it got
on one of my boxes (Windows 2000 Pro SP-4). That machine has been
patched with the KB-835732 LSASS Vulnerability. Another machine,
running Windows Server 2003 did not get infected at all. Both were in
the same subnet.
 
pc user said:
I submitted the file to McAfee and they responded very promptly. It is
another variant of W32/Gaobot.worm.gen. Kaspersky says the file is
clean,

No AV scanner can rightfully make that assertion; perhaps it only
said nothing was found.

and I'm still waiting on Symantec.

If it is another variant of the Gaobot, I'm still wondering how it got
on one of my boxes (Windows 2000 Pro SP-4). That machine has been
patched with the KB-835732 LSASS Vulnerability. Another machine,
running Windows Server 2003 did not get infected at all. Both were in
the same subnet.

If it's the one I think it is, it is capable of using many vectors and exploits
to distribute itself.
 
Look for files called "c.bat" and ".pif" in the system32 folder. Do
you have a DSL connection? I recently helped a friend format his hard
drive, install XP, update to SP1 and then we found this virus on his
computer. Have no idea where it came from unless it snuck in through
the DSL.
 
You need to have your firewall enabled before you connect the
internet cable to the computer:

Enabling the Internet Connection Firewall (XP)
http://support.microsoft.com/default.aspx?scid=kb;en-us;283673

Windows XP: Surviving the First Day:
http://www.sans.org/rr/papers/index.php?id=1298

CERT/CC: Tech Tip: Before You Connect a New Computer to the Internet
http://www.cert.org/tech_tips/before_you_plug_in.html

A virus or backdoor can be on your computer in 30 sec.
 