|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical SMSX.EXE - DoS Trojan
This may be a little OT, but we had some complaints from our customers who complained about saturated connections. We tracked it down to being a trojan (smsx.exe) that was sitting in their system32 directory. I stripped some of the ASCII from the file: PUSH <target> <port> <secs> = A push flooder ��t& NOTICE %s :TCP <target> <port> <secs> = A syn flooder �� NOTICE %s :UDP <target> <port> <secs> = A udp flooder �� NOTICE %s :MCON <target> <port> <num> <secs> <holdtime> = A connectbomb flooder �� ��' NOTICE %s :DUMP <target> <port> <num> <secs> <holdtime> = dumps the evilbufs to a port ���& NOTICE %s :MCLONE <target> <port> <num> <secs> <holdtime> = connects to irc and dumps the evilbufs ����������������������������NOTICE %s :NICK <nick> = Changes the nick of the client ���������������������NOTICE %s :DISABLE <pass> = Disables all packeting from this client The program connects to sd.ubersource.net (218.145.53.103) port 6667 (IRC) joins a channel called #REDARMY password :kalashnikov. And there it seems to wait for comments like PUSH TCP UDP as above. I am not sure of the delivery mechanism to get it onto the customers PC but it is certainly an issue. We have blocked access to sd.ubersource.net for now to see if the problems disappear. Regards Eden
|