Security Incidents mailing list archives
Re: Possible new backdoor: mspx-smss.exe ?
From: Sven Pechler <helpdesk () tm tue nl>
Date: 26 Feb 2003 21:19:15 -0000
In-Reply-To: <20030221115716.30417.qmail () www securityfocus com>

Hello,

In the previous thread about this subject, I posted a list of files that were placed on a 'hacked' Windows 2000 computer in our network.

Among these files were a wingate engine (mspx-smss.exe), a watchdog program to restart a service (mspx-sw.exe) and a very sophisticated 'stealth' program (mspxss.exe) that can hide processes and hide files in NTFS disks.

The main purpose of these files is to create a proxy server that can be used by hackers for DDOS attacks or to obscure their original IP-address.

I got a lot of reactions about these files.

McAfee/Network Associates have named it: Backdoor-AQM and it will be included in their DAT-file: 4251.

Kaspersky Labs have sent me an analysis of the mspxss.exe file. They will include it also in their next update.

I would like to thank all who helped me to get this mystery solved.

For those who are also eager to analyse these files themselves, I've compiled some information and placed them on a web-page:

A quick report I wrote (not quite plain HTML, because I used MS-Word):
http://members.chello.nl/s.pechler/Backdoor_stealth_proxy_server.htm

The files can be found in the following ZIP-file (password=infected):
http://members.chello.nl/s.pechler/mspx-smss-trojan.zip

Regards,

Sven Pechler
University of Technology Eindhoven
Faculty of Technology Management