Technical Blog of Tux&Cía., Santa Cruz de la Sierra, BO

Monday, August 29, 2011

Smsc.exe

Found 1 infected file!
----------------------
C:\WINDOWS\system32\smsc.exe --> Trojan.Generic.6343817
  --> HKLM\System\ControlSet001\services\PrtSmanm
Source
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP

High
High

Description:
To propagate, this worm exploits the Windows LSASS flaw, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:
It also has backdoor capabilities. It acts as an IRC bot that connects to a certain IRC server, and joins a specific channel using a random nickname. It monitors and then responds to private messages, usually from a malicious user, by employing specific keyword triggers. It enables the remote user to do the following:
  • Get system information
  • Delete shared drives
  • Manipulate IRC privileges
  • Upload/download files
  • Scan open ports
  • Execute file
To ensure its survival, it terminates several antivirus processes from memory.
This worm also attempts to steal the CD keys of popular game applications.
Important: This FSG-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP. However, it is unable to perform the exploit on Windows 95, 98, and ME systems since these platforms are not affected by the LSASS vulnerability.
 ------
Solution:

AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use Trend Micro Damage Cleanup Engine and Template.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_SDBOT.FO.
Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.
  1. Open Windows Task Manager.
    On Windows 95, 98, and ME, press
    CTRL+ALT+DELETE
    On Windows NT, 2000, and XP, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Win32 USB2 Driver="smsc.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Runservices
  5. In the right panel, locate and delete the entry:
    Win32 USB2 Driver="smsc.exe"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Runonce
  7. In the right panel, locate and delete the entry:
    Win32 USB2 Driver="smsc.exe"
  8. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  9. In the right panel, locate and delete the entry:
    Win32 USB2 Driver="smsc.exe"
  10. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Runservices
  11. In the right panel, locate and delete the entry:
    Win32 USB2 Driver="smsc.exe"
  12. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Runonce
  13. In the right panel, locate and delete the entry:
    Win32 USB2 Driver="smsc.exe"
  14. Close Registry Editor.
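Walking six keys by hand in Registry Editor is easy to get wrong (a missed hive, a key spelled slightly differently). The script below is an added example, not code from the original page or from Trend Micro: it parses the text that `regedit /e dump.reg` exports, collects the string values under the six autostart keys the procedure visits, reports every value whose data mentions smsc.exe, and also lists which of the six keys the export did not contain at all, so those get a manual look. The sample export embedded in it is constructed.

```python
"""Audit a REGEDIT text export for the smsc.exe autostart entries.

Added example: not code from the original page or from Trend Micro. It reads
the .reg text that "regedit /e dump.reg" writes, keeps string values under the
six autostart keys the manual procedure visits, and reports every value whose
data references smsc.exe. The embedded sample export is constructed.
"""
import re
import sys

# The six autostart keys walked in the manual removal procedure.
AUTOSTART_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
SUSPECT_IMAGE = "smsc.exe"

# "name"="data" or @="data"; the data keeps regedit's backslash escapes.
_STRING_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # regedit writes \\ for a backslash and \" for a quote.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values in a .reg export.

    Binary, dword and multi-string values are skipped: autostart entries are
    plain command strings, which is all this audit needs.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _STRING_VALUE.match(line)
        if m:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2))
    return keys


def find_autostart_hits(text, image=SUSPECT_IMAGE):
    """Return [(key, value_name, data)] for autostart values whose data names image."""
    wanted = {k.lower(): k for k in AUTOSTART_KEYS}   # case-insensitive key match
    hits = []
    for path, values in parse_reg_export(text).items():
        canonical = wanted.get(path.lower())
        if canonical is None:
            continue   # not one of the six autostart keys
        for name, data in values.items():
            if image.lower() in data.lower():
                hits.append((canonical, name, data))
    return hits


def uncovered_keys(text):
    """Return the autostart keys absent from the export; check those by hand."""
    present = {p.lower() for p in parse_reg_export(text)}
    return [k for k in AUTOSTART_KEYS if k.lower() not in present]


# Constructed sample: what an export from an infected XP machine could look like.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32 USB2 Driver"="smsc.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Win32 USB2 Driver"="smsc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32 USB2 Driver"="C:\\WINDOWS\\system32\\smsc.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Some Installer"="C:\\setup.exe"
'''


def load_export(path):
    """Version 5.00 exports are UTF-16 with a BOM; REGEDIT4 exports are ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, name, data in find_autostart_hits(text):
        print(f"HIT  {key}  [{name}] = {data}")
    for key in uncovered_keys(text):
        print(f"NOT IN EXPORT (check manually): {key}")
```

Run it with no argument to see the constructed sample, or pass the path of a real export. A value that survives after the cleanup means the entry was recreated or missed; a key missing from the export is not proof it is clean, only that it was not exported.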

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_SDBOT.FO. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
APPLYING PATCHES
Download the latest patches. Information on the vulnerability exploited by this malware and corresponding patch can be found at the following link:


=================
Source
1. End smsc.exe in your processes (DO this first because this worm will prevent you from using regedit.exe and msconfig.exe)
2. Delete smsc*.* from c:\windows\prefetch
3. Delete smsc.exe from c:\windows\system32
4. Delete c:\windows\driver cache\i386\Drivers.cab (this file has been infected)
5. Use msconfig.exe to uncheck smsc.exe from startup.
This should do it. 
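Steps 2 to 4 of the post name three file-system artifacts. As an added example, not code from the post or from any vendor, the Python script below checks a Windows root (a live C:\ or a disk image mounted elsewhere) for those artifacts and reports what is still present, with a SHA-256 for the record. It only reports; deletion remains a separate, deliberate action. The directory tree it builds for its demo is constructed.

```python
"""Report the file-system artifacts named in the smsc.exe cleanup steps.

Added example, not code from the original post. Given a Windows root it looks
for the three artifacts the steps list and returns what is still present with
a SHA-256 for the record. Matching is case-insensitive so the same script runs
against an image mounted on Linux. The sample tree it can build is constructed.
"""
import fnmatch
import hashlib
import os
import shutil
import sys
import tempfile

# (what it is, directory relative to the Windows root, filename pattern)
ARTIFACTS = [
    ("prefetch trace", ("WINDOWS", "Prefetch"), "smsc*.*"),
    ("worm executable", ("WINDOWS", "system32"), "smsc.exe"),
    ("Drivers.cab reported as infected", ("WINDOWS", "Driver Cache", "i386"), "Drivers.cab"),
]


def _resolve_dir(root, parts):
    """Walk parts under root, matching each component case-insensitively."""
    cur = root
    for part in parts:
        try:
            entries = os.listdir(cur)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur if os.path.isdir(cur) else None


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_artifacts(root):
    """Return [(description, absolute path, sha256)] for artifacts still on disk."""
    found = []
    for desc, parts, pattern in ARTIFACTS:
        directory = _resolve_dir(root, parts)
        if directory is None:
            continue
        for name in sorted(os.listdir(directory)):
            full = os.path.join(directory, name)
            if os.path.isfile(full) and fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                found.append((desc, full, sha256_of(full)))
    return found


def build_sample_tree(base):
    """Constructed sample: an XP-like layout with the worm still in place."""
    files = {
        ("WINDOWS", "Prefetch", "SMSC.EXE-0A1B2C3D.pf"): b"constructed prefetch trace",
        ("WINDOWS", "Prefetch", "NOTEPAD.EXE-11223344.pf"): b"unrelated prefetch trace",
        ("WINDOWS", "system32", "smsc.exe"): b"MZ constructed stand-in, not a real binary",
        ("WINDOWS", "Driver Cache", "i386", "Drivers.cab"): b"constructed cab placeholder",
    }
    for parts, data in files.items():
        full = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo_on_sample():
    """Build the sample tree in a temp dir, scan it, return (description, filename)."""
    base = tempfile.mkdtemp(prefix="smsc-demo-")
    try:
        build_sample_tree(base)
        return [(desc, os.path.basename(path)) for desc, path, _ in find_artifacts(base)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = find_artifacts(sys.argv[1])
        for desc, path, digest in results:
            print(f"{desc}: {path} sha256={digest}")
        if not results:
            print("none of the listed artifacts found")
    else:
        for desc, name in demo_on_sample():
            print(f"{desc}: {name}  (constructed sample)")
```

Drivers.cab under Driver Cache\i386 is a standard component of a Windows XP installation, so its mere presence says nothing by itself; that is why the script records a hash instead of treating the file as an indicator, so it can be compared against a known-good copy from installation media.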
=================
Source
This program is associated with a virus or worm. If you do a Google search you will come up with several links. Probably why you cannot access McAfee.
If you are a novice and cannot follow these steps:
1. End smsc.exe in your processes (DO this first because this worm will prevent you from using regedit.exe and msconfig.exe)
2. Delete smsc*.* from c:\windows\prefetch
3. Delete smsc.exe from c:\windows\system32
4. Delete c:\windows\driver cache\i386\Drivers.cab (this file has been infected)
5. Use msconfig.exe to uncheck smsc.exe from startup.
Then you may want to post a hijack log at one of the forums for expert advice
Download HijackThis > http://www.aumha.org/a/parasite.php#hjt
Forums - Experts to read your HJT Log
http://forum.aumha.org/viewforum.php?f=30
http://computercops.biz/forums.html
http://forums.techguy.org/
http://forums.net-integration.net/index.php

Follow through with preventative measures
Helpful Links:
http://mvps.org/winhelp2002/unwanted.htm
http://www3.telus.net/dandemar/index.htm
http://aumha.org/secure.htm