Author Topic: smsc.exe  (Read 5823 times)

Blah

  • Guest
smsc.exe
« on: October 17, 2004, 05:04:36 PM »
I just bought a lappie. Installed Norton Anti-virus and MS Office. A couple of days into it, I get the message when I start the computer: "smsc.exe has encountered a problem and needs to close down". Also, I can't browse the net and I have a feeling it has something to do with this. Help needed.

TWatson3

  • Guest
smsc.exe
« Reply #1 on: November 08, 2004, 10:10:52 PM »
It's a worm that is causing the problem.
 
WORM_SDBOT.FO

In the wild: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Size of virus: 123,168 Bytes
Pattern file needed: 1.908.07
Scan engine needed: 6.810
Discovered: Jun. 14, 2004
Detection available: Jun. 14, 2004

--------------------------------------------------------------------------------
 
Details:



Installation and Autostart

Upon execution, this worm drops a copy of itself as smsc.exe in the Windows system folder.

Then, it adds the following registry entries to ensure its execution at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Win32 USB2 Driver="smsc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 USB2 Driver="smsc.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 USB2 Driver="smsc.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32 USB2 Driver="smsc.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Win32 USB2 Driver="smsc.exe"

Propagation

To propagate, this worm exploits the Windows LSASS flaw, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:

MS04-011_MICROSOFT_WINDOWS
Microsoft Security Bulletin MS04-011

Important: This FSG-compressed worm runs on Windows 95, 98, ME, NT, 2000, and XP. However, it is unable to perform the exploit on Windows 95, 98, and ME systems since these platforms are not affected by the LSASS vulnerability.

Backdoor Capabilities

This worm also has backdoor capabilities. It acts as an IRC bot that connects to a certain IRC server, and joins a specific channel using a random nickname. It monitors and then responds to private messages, usually coming from a malicious user, by employing specific keyword triggers, enabling a remote user to do the following:

Get system information
Delete shared drives
Manipulate IRC privileges
Upload/download files
Scan open ports
Execute file

Antivirus Retaliation

To ensure its survival, it terminates several antivirus processes from memory.

Other Details

This worm also attempts to steal the CD keys of the following PC games:

Battlefield 1942
Battlefield 1942 Secret Weapons of WWII
Battlefield 1942 The Road to Rome
Command & Conquer Generals
Counter-Strike ( Retail )
FIFA 2003
Half-Life
IGI 2 Retail
Need For Speed Hot Pursuit 2
Neverwinter
Project IGI 2
Rainbow Six III RavenShield
Red Alert 2
Soldier of Fortune II - Double Helix
Tiberian Sun
Unreal Tournament 2003



--------------------------------------------------------------------------------
Analysis by: Berman Enconado

Description created: Jun. 14, 2004
Description updated: Jun. 24, 2004

1989-2004 Trend Micro, Inc. All rights reserved.
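
A check for the autostart entries and dropped file listed in the advisory above, as an added example that is not part of the original posts or of the Trend Micro write-up. It assumes PowerShell 3.0 or later and reads only the current user's HKCU hive, so it needs to be run once per logged-on user to cover every profile.

```powershell
# Added example: checks one host for the indicators listed in the advisory.
$valueName = 'Win32 USB2 Driver'   # autostart value name from the advisory
$fileName  = 'smsc.exe'            # dropped file name from the advisory
$sizeBytes = 123168                # "Size of virus" from the advisory

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # current user only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'   # current user only
)
# Properties the registry provider adds to every result; they are not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key may not exist on this system
    $props = Get-ItemProperty -LiteralPath $key
    if ($null -eq $props) { continue }                     # key exists but holds no values
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        # Flag the exact value name, or any value whose data references smsc.exe.
        if ($p.Name -eq $valueName -or "$($p.Value)" -like "*$fileName*") {
            $findings += [PSCustomObject]@{
                Type = 'Autostart'; Location = $key; Name = $p.Name; Data = "$($p.Value)"
            }
        }
    }
}

# The advisory says the copy is dropped in the Windows system folder.
$dropPath = Join-Path ([Environment]::SystemDirectory) $fileName
if (Test-Path -LiteralPath $dropPath) {
    $file = Get-Item -LiteralPath $dropPath -Force   # -Force also returns hidden files
    $note = if ($file.Length -eq $sizeBytes) { 'size matches advisory' } else { 'size differs' }
    $findings += [PSCustomObject]@{
        Type = 'File'; Location = $dropPath; Name = $fileName; Data = "$($file.Length) bytes, $note"
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No autostart entry or dropped file from the advisory was found.'
}
```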

Guest

  • Guest
smsc.exe
« Reply #2 on: November 22, 2004, 12:30:48 PM »
I have this same problem, does anyone know how to get rid of it?

Thanks