smsc.exe new sasser or gaobot variant?

pc user · Jun 8, 2004

There is a file on my computer called smsc.exe and it has infected
other computers as well. The file is 123,168 bytes long and is
compressed with the FSG compressor. Using UN-FSG 1.33.3 by SMoKE can
decompress this file. Once it was decompressed, I saw several strings
that are similar to those found in the sasser and gaobot virus. For
example, the listing of a variety of anti-virus scanners, firewalls,
etc. Does anyone know what exactly this file is?

null · Jun 8, 2004

There is a file on my computer called smsc.exe and it has infected
other computers as well. The file is 123,168 bytes long and is
compressed with the FSG compressor. Using UN-FSG 1.33.3 by SMoKE can
decompress this file. Once it was decompressed, I saw several strings
that are similar to those found in the sasser and gaobot virus. For
example, the listing of a variety of anti-virus scanners, firewalls,
etc. Does anyone know what exactly this file is?

Which av scanners have you tried? Upload the file to KAV and see what
it has to say:

http://www.kaspersky.com/remoteviruschk.html

Have you submitted the file to any av vendors for analysis?

Art
http://www.epix.net/~artnpeg

FromTheRafters · Jun 9, 2004

pc user said:
There is a file on my computer called smsc.exe and it has infected
other computers as well. The file is 123,168 bytes long and is
compressed with the FSG compressor. Using UN-FSG 1.33.3 by SMoKE can
decompress this file. Once it was decompressed, I saw several strings
that are similar to those found in the sasser and gaobot virus. For
example, the listing of a variety of anti-virus scanners, firewalls,
etc. Does anyone know what exactly this file is?

The best way to tell, is to use a scanner on it. If none of them
detect anything, submit it to your choice of vendor for further
scrutiny.

Such listings of application's processes to kill are becoming very common
to many types of malware these days.

pc user · Jun 9, 2004

Which av scanners have you tried? Upload the file to KAV and see what
it has to say:

http://www.kaspersky.com/remoteviruschk.html

Have you submitted the file to any av vendors for analysis?

Art
http://www.epix.net/~artnpeg

I submitted the file to McAfee and they responded very promptly. It is
another variant of W32/Gaobot.worm.gen. Kaspersky says the file is
clean, and I'm still waiting on Symantec.

If it is another variant of the Gaobot, I'm still wondering how it got
on one of my boxes (Windows 2000 Pro SP-4). That machine has been
patched with the KB-835732 LSASS Vulnerability. Another machine,
running Windows Server 2003 did not get infected at all. Both were in
the same subnet.

FromTheRafters · Jun 9, 2004

pc user said:
I submitted the file to McAfee and they responded very promptly. It is
another variant of W32/Gaobot.worm.gen. Kaspersky says the file is
clean,

No AV scanner can rightfully make that assertion, perhaps it only
said nothing was found.

and I'm still waiting on Symantec.

If it is another variant of the Gaobot, I'm still wondering how it got
on one of my boxes (Windows 2000 Pro SP-4). That machine has been
patched with the KB-835732 LSASS Vulnerability. Another machine,
running Windows Server 2003 did not get infected at all. Both were in
the same subnet.

If it's the one I think it is, it is capable of using many vectors and exploits
to distribute itself.

Guest · Jun 10, 2004

A friend found it at at trend. we got the same answer from Mcafee that it
was a variant of .gen
I'm really disappointed to not see anything on Symantec's site almost 2 days
after it hit.
What does it do differently?
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.WF&VSect=T

Easy Rider · Jun 23, 2004

I submitted the file to McAfee and they responded very promptly. It is
another variant of W32/Gaobot.worm.gen. Kaspersky says the file is
clean, and I'm still waiting on Symantec.

If it is another variant of the Gaobot, I'm still wondering how it got
on one of my boxes (Windows 2000 Pro SP-4). That machine has been
patched with the KB-835732 LSASS Vulnerability. Another machine,
running Windows Server 2003 did not get infected at all. Both were in
the same subnet.

Look for files called "c.bat" and ".pif" in the system32 folder. Do
you have a DSL connection? I recently helped a friend format his hard
drive, install XP, update to SP1 and then we found this virus on his
computer. Have no idea where it came from unless it snuck in through
the DSL.

J@s0n W@d3 · Jun 23, 2004

Look for files called "c.bat" and ".pif" in the system32 folder. Do
you have a DSL connection? I recently helped a friend format his hard
drive, install XP, update to SP1 and then we found this virus on his
computer. Have no idea where it came from unless it snuck in through
the DSL.

You need to have your firewall enabled before you connect the
internet cable to the computer:

Enabling the Internet Connection Firewall (XP)
http://support.microsoft.com/default.aspx?scid=kb;en-us;283673

Windows XP: Surviving the First Day:
http://www.sans.org/rr/papers/index.php?id=1298

CERT/CC: Tech Tip: Before Connect a New Computer to the Internet
http://www.cert.org/tech_tips/before_you_plug_in.html

A virus or backdoor can be on your computer in 30 sec.

New email worm variant	3	Feb 6, 2007
re cannot remove sasser	7	Oct 31, 2004
KRiLE and Zvi Netiv... for old times sake	8	Jun 3, 2010
New and Improved: Antivirus Software	2	Sep 8, 2003
A new variant of the CoolWebSearch virus?	7	Dec 22, 2003
Make the Most of Your New PC	1	Jan 25, 2009
My words	11	Oct 15, 2005
FWT Newsletter - Weekly - October 11, 2004	0	Oct 11, 2004

smsc.exe new sasser or gaobot variant?

pc user

null

FromTheRafters

pc user

FromTheRafters

Guest

Easy Rider

J@s0n W@d3

Ask a Question

Similar Threads