Security Incidents mailing list archives

Possible new backdoor: mspx-smss.exe ?


From: Sven Pechler <helpdesk () tm tue nl>
Date: 21 Feb 2003 11:57:16 -0000



Hello,

Last week we detected a possibly new backdoor trojan on a Windows 2000 
computer. This trojan acts as a proxy server, using the hacked computer as 
a 'zombie' server.

The developer of the software made a great deal of effort to make it 
hidden. The process is not visible in the Windows Task Manager. The 
directories containing the files are not visible to the local 
administrator. Parts of the 'services' registry keys are made hidden and 
no TCP 'listening'-ports can be seen using the 'netstat' command.

I collected the following files:

In C:\WINNT\SYSTEM32:
25-01-2003  03:33               20.480 mspxss.exe

Contents of C:\WINNT\SYSTEM32\MUI\DISPSPEC\MSPXCOMMON\COM1\MSPX directory:

19-02-2003  14:55       <DIR>          cache
24-07-1999  22:03               45.056 inuse.exe
26-02-2002  12:25               33.792 mspx-csrss.exe
10-03-2002  00:54            1.011.773 mspx-smss.exe
26-06-2000  14:07              323.072 mspx-sw.exe
26-06-2000  14:07              323.072 mspx-sw2.exe
26-06-2000  14:07              323.072 mspx-sw3.exe
25-01-2003  03:37                   36 mspxmmedia_Restart.log
25-01-2003  03:37                   36 mspxssext_Restart.log
25-01-2003  03:37                   36 mspxss_Restart.log
30-01-2002  18:21               20.480 pv.exe
10-04-2002  03:42              107.008 reboot.exe
10-01-2003  01:45                1.243 svc-rst.reg
08-05-2002  10:50               45.056 xcacls.exe

The directory above is NOT VISIBLE on 'infected' computers. But due to a 
programming flaw an empty directory C:\DEV is always created, because 
somewhere in the program the output is incorrectly redirected to /dev/null.

Is this really an unknown backdoor? No anti-virus software seems to detect 
it, nor do programs like MooSoft's 'The Cleaner'.


-Sven
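One defender-side check for the symptom Sven reports (a proxy whose listening port never appears in netstat) is a cross-view comparison: parse what netstat admits to, then attempt a plain bind on every port, since a socket hidden from the enumeration API still occupies the port at the kernel level. This is an added example, not code from the post, and the netstat sample embedded in it is constructed; the live sweep at the bottom assumes a `netstat -an` that prints the Windows column layout.

```python
import socket
import subprocess

# Constructed sample of `netstat -an` output (Windows layout); per the post, the backdoor's port is absent here.
SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    10.0.0.5:1034          10.0.0.9:80            ESTABLISHED
"""

def parse_netstat_ports(text):
    """Every local TCP port netstat accounts for, in any state (avoids false hits on outbound sockets)."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def port_in_use(port):
    """True if a plain bind fails, i.e. some socket (hidden or not) owns the port.
    None if the probe itself is not permitted (ports < 1024 as an unprivileged Linux user)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("", port))
            return False
        except PermissionError:
            return None
        except OSError:
            return True

def find_hidden_listeners(netstat_ports, candidates, in_use=port_in_use):
    """Ports occupied at the socket layer but missing from netstat's view."""
    return sorted(p for p in candidates if p not in netstat_ports and in_use(p))

def self_check():
    """Open a listener that an (empty) netstat view knows nothing about; the sweep must flag it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        s.listen(1)
        port = s.getsockname()[1]
        flagged = find_hidden_listeners(set(), [port])
    return {"port": port, "flagged": flagged, "still_in_use": port_in_use(port)}

if __name__ == "__main__":  # live run: sweep all ports against the real netstat output
    live = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    print(find_hidden_listeners(parse_netstat_ports(live), range(1, 65536)))
```

A port flagged by the sweep is only a lead: run the check from a clean boot medium or compare against a packet capture before concluding a listener is deliberately hidden.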



