A website, shown below, is currently hosting a trojan dropper that writes several malicious files to the user's system.
The site disguises the dropper as “Smart Messenger”, advertised as a new way to send text and picture SMS for free.
The malware authors clearly put a lot of work into the social engineering, from the website hosting the download to the way the installer behaves on the system.
The website hosts a zip file named SMSS406.zip which contains three files:
- LICENSE.TXT – License file for the supposed “Smart Messenger v4.06”. This is an added social engineering trick to lend the trojan credibility.
- setup.exe – The actual trojan (detected by Trend Micro as TROJ_GLITCH.IRC).
- smss.hlp – A help file for the supposed “Smart Messenger v4.06”. It doesn't actually contain anything.
When a user is fooled into executing setup.exe, he is shown a message box containing a License Agreement for Smart Messenger, which makes him believe he is installing a real application that will get him free text and picture SMS. The user is even given the option to install the application or not, as shown in the picture below.
If the user chooses “YES”, setup continues and ends with one of the two pop-up message boxes shown below.
These suggest to the user that the installation of Smart Messenger failed, but in reality setup.exe has already dropped several files into this directory:
- %system%\drivers\etc\tmp
NOTE: %system% is the Windows system directory.
Among these are two executables:
- MSTask.exe
- smss.exe
Both names mimic legitimate Windows binaries (smss.exe is the Session Manager Subsystem that lives in the system directory), so they blend into a process listing. setup.exe then adds a registry key so that MSTask.exe runs at every system startup. If an IRC client is installed, it also modifies registry settings so that smss.exe is executed whenever the IRC client is launched.
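The host-side indicators above (an autorun entry pointing into %system%\drivers\etc\tmp, and well-known binary names living outside the system directory) can be checked mechanically. The following is an added example, not code from the original write-up or from Trend Micro: it parses a .reg-style export of a Run key and flags entries that match either indicator. The key name (HKLM\...\CurrentVersion\Run), the drive letter and the sample export are assumptions; the write-up only says the dropper "adds a registry key".

```python
import re
from pathlib import PureWindowsPath

# Names the dropper reuses from legitimate Windows binaries (per the write-up)
# and the only directory where they legitimately live.
MASQUERADED_NAMES = {"mstask.exe", "smss.exe"}
LEGIT_DIR = PureWindowsPath(r"C:\WINDOWS\system32")
# %system%\drivers\etc\tmp, with %system% assumed to be C:\WINDOWS\system32.
DROP_DIR = PureWindowsPath(r"C:\WINDOWS\system32\drivers\etc\tmp")

# Constructed sample .reg export. The Run key name and the benign entries are
# assumptions made for the example; the MSTask value mirrors the write-up.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"MSTask"="C:\\WINDOWS\\system32\\drivers\\etc\\tmp\\MSTask.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text):
    """Return (value_name, command) pairs from a .reg export, unescaping '\\\\'."""
    values = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values.append((m.group("name"), m.group("data").replace("\\\\", "\\")))
    return values


def first_exe(command):
    """Executable path from a Run-key command, quoted or not, ignoring arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def suspicious_autoruns(reg_text):
    """List (value_name, exe_path, reasons) for Run entries matching the indicators."""
    findings = []
    for name, command in parse_run_values(reg_text):
        exe = PureWindowsPath(first_exe(command))
        reasons = []
        # PureWindowsPath comparisons are case-insensitive, as on Windows.
        if exe.name.lower() in MASQUERADED_NAMES and exe.parent != LEGIT_DIR:
            reasons.append(f"{exe.name} outside {LEGIT_DIR}")
        if exe.parent == DROP_DIR:
            reasons.append(f"autorun from dropper directory {DROP_DIR}")
        if reasons:
            findings.append((name, str(exe), reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{name}: {exe}")
        for r in reasons:
            print(f"  - {r}")
```

The masquerade check is the more durable of the two: a dropper can change its staging directory at will, but it keeps the legitimate-looking names precisely so they survive a casual look at Task Manager, and a smss.exe anywhere other than the system directory is always worth a second look.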
Checking my network, I noticed that a connection to an IRC server had been made with these credentials:
- Channel: #f00bar
- Nickname: kg1kk9
All related files and the website link have already been sent to the service team for proper action.
I guess I don't have to say this, but I'll say it anyway: be careful with what you download from the net, especially if it came to you through IM messages or e-mails. Don't execute any file from the net unless you're absolutely sure that it is what it says it is; otherwise you might be running malware that will eat up your network.