Security Incidents mailing list archives

Re: Possible new backdoor: mspx-smss.exe ?


From: Sven Pechler <helpdesk () tm tue nl>
Date: 26 Feb 2003 21:19:15 -0000

In-Reply-To: <20030221115716.30417.qmail () www securityfocus com>

Hello,

In the previous thread about this subject, I posted a list of files that 
were placed on a 'hacked' Windows 2000 computer in our network. 
Among these files were a wingate engine (mspx-smss.exe), a watchdog 
program to restart a service (mspx-sw.exe) and a very 
sophisticated 'stealth' program (mspxss.exe) that can hide processes and 
hide files in NTFS disks.
The main purpose of these files is to create a proxy server that can be 
used by hackers for DDOS attacks or to obscure their original IP-address.

I got a lot of reactions about these files. McAfee/Network Associates have 
named it: Backdoor-AQM and it will be included in their DAT-file: 4251. 
Kaspersky labs have sent me an analysis of the mspxss.exe file. They will 
include it also in their next update. 

I would like to thank all who helped me to get this mystery solved. For those who 
are also eager to analyse these files themselves, I've compiled some 
information and placed them on a web-page:

A quick report I wrote (not quite plain HTML, because I used MS-Word):
http://members.chello.nl/s.pechler/Backdoor_stealth_proxy_server.htm

The files can be found in the following ZIP-file (password=infected):
http://members.chello.nl/s.pechler/mspx-smss-trojan.zip


Regards,

Sven Pechler
University of Technology Eindhoven
Faculty of Technology Management
