
Trojan Poses as Smart Messenger

  • Posted: November 23, 2006
  • Threat category: Uncategorized
  • Author: Virus analyst

A website, shown below, is currently hosting a trojan which drops several malicious files on the user’s system.

The site disguises the trojan dropper as “Smart Messenger”, “a new way to instantly Text and Picture SMS FREE!”.

The malware author/s really put a lot of work into the social engineering of this malware, from the website that is hosting it to the malware installation in the system.

The website hosts a zip file named SMSS406.zip which contains three files:

  • LICENSE.TXT – License file of the supposed “Smart Messenger v4.06”. This is an added social engineering trick to add credibility to the trojan.
  • setup.exe – The actual trojan (detected by Trend Micro as TROJ_GLITCH.IRC).
  • smss.hlp – A help file for the supposed “Smart Messenger v4.06”. (It doesn’t really contain anything.)

When a user is fooled into executing setup.exe on his system, he gets a message box containing a License Agreement for Smart Messenger. This makes the user believe that he is installing a real application that will help him score free text and picture SMS. The user is even given the option to install the application or not, as shown in the picture below.

If the user chooses “YES”, the setup continues to execute, which leads to either of these two pop-up message boxes.

These suggest to the user that there has been an error in the installation of Smart Messenger, but in reality, setup.exe has already dropped several files in this directory:

  • %system%\drivers\etc\tmp

NOTE: %system% is the Windows system directory.

Among these are two EXE files named:

  • MSTask.exe
  • smss.exe

The file setup.exe then adds a registry key so that MSTask.exe executes automatically on every system startup. If an IRC client is installed, it also changes registry settings so that smss.exe is executed whenever the IRC client software is run.
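
A defender can hunt for this pattern by flagging the two dropped file names whenever they run or autostart from anywhere other than the system directory itself. The following is an added example, not code from the original post; the record format, the sample entries and the assumption that a legitimate copy of either name would sit directly in %system% are constructed for illustration.

```python
import ntpath
import re

# File names the post says setup.exe drops (compared lower-case).
WATCHED = {"mstask.exe", "smss.exe"}

def image_path(command):
    """Return the executable path from a command line, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, flags=re.I)
    return m.group(1) if m else command

def expand(path, system_dir):
    """Expand the post's %system% placeholder, then normalise slashes and case."""
    path = re.sub("%system%", lambda _: system_dir, path, flags=re.I)
    return ntpath.normcase(ntpath.normpath(path))

def find_masquerades(records, system_dir=r"C:\Windows\System32"):
    """Flag watched names whose image is not directly inside system_dir.

    Assumption for this example: a legitimate copy of either name would sit
    in the system directory itself, never in a subfolder such as the drop
    directory described in the post.
    """
    home = expand(system_dir, system_dir)
    hits = []
    for rec in records:
        full = expand(image_path(rec["command"]), system_dir)
        folder, name = ntpath.split(full)
        if name in WATCHED and folder != home:
            hits.append((rec["source"], full))
    return hits

# Constructed sample records (not taken from a real host).
SAMPLE = [
    {"source": "autorun", "command": r"%system%\drivers\etc\tmp\MSTask.exe"},
    {"source": "process", "command": r'"C:\WINDOWS\system32\smss.exe"'},
    {"source": "process", "command": r"C:\Windows\System32\drivers\etc\tmp\smss.exe"},
    {"source": "autorun", "command": r'"C:\Program Files\Chat\chat.exe" /min'},
]

if __name__ == "__main__":
    for source, path in find_masquerades(SAMPLE):
        print(f"[!] {source}: {path}")
```
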

Checking my network, I noticed that a connection to an IRC server had been made with these credentials:

  • Channel: #f00bar
  • Nick Name: kg1kk9

All related files and the website link have already been sent to the service team for proper action.

I guess I don’t have to say this but I’ll say it anyway: be careful with what you download on the net, especially if it came to you through IM messages or e-mails. Just don’t execute any file from the net unless you’re absolutely sure that it is what it says it is; otherwise you might be running malware that will eat up your network.
