Possible new backdoor: mspx-smss.exe ?

Hello,

Last week we have detected a possibly new backdoor trojan on a Windows 2000 computer.
This trojan acts as a proxy server, using the hacked computer as a 'zombie' server.

The developer of the software made a great deal of effort to make it hidden. The process is not visible in the Windows Task Manager. The directories containing the files are not visible to the local administrator. Parts of the 'services' registry keys are made hidden and no TCP 'listening'-ports can be seen using the 'netstat' command.

I collected the following files:

In C:\WINNT\SYSTEM32:
25-01-2003 03:33 20.480 mspxss.exe

Contents of C:\WINNT\SYSTEM32\MUI\DISPSPEC\MSPXCOMMON\COM1\MSPX directory:

19-02-2003  14:55                 cache
24-07-1999  22:03               45.056 inuse.exe
26-02-2002  12:25               33.792 mspx-csrss.exe
10-03-2002  00:54            1.011.773 mspx-smss.exe
26-06-2000  14:07              323.072 mspx-sw.exe
26-06-2000  14:07              323.072 mspx-sw2.exe
26-06-2000  14:07              323.072 mspx-sw3.exe
25-01-2003  03:37                   36 mspxmmedia_Restart.log
25-01-2003  03:37                   36 mspxssext_Restart.log
25-01-2003  03:37                   36 mspxss_Restart.log
30-01-2002  18:21               20.480 pv.exe
10-04-2002  03:42              107.008 reboot.exe
10-01-2003  01:45                1.243 svc-rst.reg
08-05-2002  10:50               45.056 xcacls.exe

The directory above is NOT VISIBLE on 'infected' computers. But due to a programming flaw an empty directory C:\DEV is always created, because somewhere in the program the output is incorrectly redirected to /dev/null.

Is this really an unknown backdoor? No anti virus software seem to detect is, nor programs like MooSoft's 'The Cleaner'.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

-Sven

Do you know the base address of the Global Offset Table (GOT) on a Solaris 8 box?
CORE IMPACT does.
www.securityfocus.com/core Received on Fri Feb 21 18:46:51 2003