SMSC.EXE Virus: Watch out

Thread starter: Frequent Flyer

Frequent Flyer

I expect this virus will be everywhere. Norton doesn't recognize it, McAfee
recognizes it as a SDBOT Gen.O virus, and Kaspersky recognizes it as a
Backdoor.Forbot virus.

I just know it is damn near impossible to get rid of it.

I hope this isn't widespread across the country tomorrow morning.

FF
 
Frequent Flyer said:
I expect this virus will be everywhere. Norton doesn't recognize it, McAfee
recognizes it as a SDBOT Gen.O virus, and Kaspersky recognizes it as a
Backdoor.Forbot virus.

I just know it is damn near impossible to get rid of it.

I hope this isn't widespread across the country tomorrow morning.

FF


Is this not an old virus?
 
Nope. It is incorrectly identified as sdbot.o. It has none of the hooks.

Here is the full story on it:


No, it is not old. Also, I didn't mention that it has jumped from machine to
machine on my client's LAN. I have them pulled off the corporate WAN for the
moment.


I was setting up a workstation for a client (Win 2k SP4). I had already
installed all the security patches including the MS Sasser fix. My client
then opened up a file on her network drive and it said it was infected with
the old sdbot.gen.O virus. (McAfee Corporate) It then kept saying that
C:/Winnt/system32/SMSC.EXE was infected with the sdbot. I then tried
running stinger, NAV, etc and it didn't recognize the file as a virus. I
managed to delete the file in safe mode and since it was an old virus, I
didn't worry about it too much. However, I did notice it didn't have any of
the hooks for sdbot.

I then got a call from my client about 2 hours later that their workstation
was unusable and extremely slow on the network. I gave him the "reboot and
let me know later" spiel. However, I had a bad-guy instinct that something
bad was happening. I drove back to my client's site and checked his machine and
sure enough it had the SMSC.EXE virus. The program had disabled McAfee and
wouldn't even allow you to run the registry editor. It would start and then
immediately close, and this was with an admin account.


I looked up and found a lot of similar worms but none matched. I finally
uploaded the file to the free checker on the Kaspersky website. It identified
it as the backdoor.forbot.gen, for which there is ZERO information. The date
was listed as being 6-24-04 and the number of instances was 91,000.

I used Kaspersky in safe mode to remove the virus and rebooted. The SMSC.EXE
was gone from the active processes but when I checked the registry, it had
reinstalled all the hooks I had removed. I removed them manually and
rebooted. The machine in question appeared to be ok.


I do not know if I removed the virus or fixed the symptoms.
 
Yes, my co-worker's computer got this same virus. It wasn't easy to identify.
The Google search engine came up with only a few hits.
It's called WORM_AGOBOT.WF (size 303,616 bytes).
This virus for some reason is not in Symantec's database.

It's in the run services of the registry (Run, RunOnce, RunServices).
You must first open your Task Manager (Ctrl-Alt-Del) and kill the process.
Here's the fun part. Open regedit and get to:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
While doing this, keep that process manager window visible. The smsc.exe
virus will continually try to relaunch itself. Kill it as fast as it pops up,
otherwise it will shut down regedit. You have to be quick. Delete any
instances of smsc.exe in the registry locations.
After you succeed here, do a search of your entire hard drive and delete any
files with the name "smsc" in them. Good luck.
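A scripted, defender-side version of the manual steps in the post above (kill the process, clear the Run/RunOnce/RunServices values, then look for smsc files), added here as an example and not taken from the thread. It assumes PowerShell, which the Win2k machines in the thread did not have; the key names and the smsc.exe indicator come from the post, while the regex parameter, the stop-and-remove retry loop and the audit-only default are this example's own assumptions.

```powershell
# Added example (not from the thread): audit the autorun keys named in the
# post for values referencing smsc.exe; with -Remove, stop the process and
# delete those values. Default is audit only so it is safe to run first.
param(
    [string]$Indicator = 'smsc\.exe',   # regex matched against value data (assumed)
    [switch]$Remove                     # audit only unless this switch is given
)

# Autorun locations the post says the worm writes to, checked in both hives.
$autorunKeys = foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in 'Run', 'RunOnce', 'RunServices') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}

function Get-SuspectAutoruns {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip provider metadata
            if ("$($p.Value)" -match $Indicator) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

$hits = @(Get-SuspectAutoruns)
$hits | Format-Table -AutoSize
if (-not $Remove) { return }

# The post warns the process relaunches itself and closes regedit, so keep
# stopping it while the values are removed, then re-check a few times.
foreach ($attempt in 1..5) {
    Get-Process -Name 'smsc' -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue
    foreach ($h in $hits) {
        Remove-ItemProperty -Path $h.Key -Name $h.Name -ErrorAction SilentlyContinue
    }
    Start-Sleep -Milliseconds 500
    $hits = @(Get-SuspectAutoruns)
    if ($hits.Count -eq 0) { break }
}

# The post's last step: find files named smsc*. They are listed, not deleted,
# so the operator can check each one before acting.
Get-ChildItem -Path 'C:\' -Filter 'smsc*' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run it as an administrator from Safe Mode, as the thread starter did, so the worm is not running while the values are cleared; if the audit pass shows hits again after a reboot, the file on disk was not removed.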
 