Threat Encyclopedia


Installation

When executed, the backdoor copies itself into the %system% folder using the following filename:

smss.exe

The file is executed as a thread in the following process:

%system%\svchost.exe

In order to be executed on every system start, the backdoor sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
".nvsvc" = "%system%\smss.exe /w"


The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start" = "4"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%system%\smss.exe" = "%system%\smss.exe:*:Enabled:Microsoft Update"


The first entry disables the Automatic Updates service (Start value 4 means Disabled). The second adds an exception to the Windows Firewall settings, so that the backdoor's network traffic is not blocked.
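The following read-only PowerShell audit script is an added example, not part of the encyclopedia entry. It reads the three Registry locations listed above and reports any value matching the described settings; it assumes %system% is $env:SystemRoot\System32 and should be run from an elevated session.

```powershell
# Added example: audit the Registry locations this entry describes.
# Read-only; makes no changes. Assumes %system% = $env:SystemRoot\System32.
$findings = @()

# 1. Run key: value ".nvsvc" launching smss.exe with the "/w" argument.
#    The legitimate smss.exe is never started from the Run key, so any
#    Run value that references smss.exe is suspicious whatever its name.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata
        if ($p.Name -eq '.nvsvc' -or "$($p.Value)" -match 'smss\.exe') {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Automatic Updates service (wuauserv) with Start = 4 (Disabled).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
$svc = Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue
if ($svc -and $svc.Start -eq 4) {
    $findings += 'wuauserv Start = 4: Automatic Updates service is disabled'
}

# 3. Windows Firewall (Standard Profile) exception for smss.exe
#    registered under the misleading title "Microsoft Update".
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters' +
         '\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        if ($p.Name -match 'smss\.exe' -or "$($p.Value)" -match 'Microsoft Update') {
            $findings += "Firewall exception '$($p.Name)' = $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from this entry were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A hit on the firewall list or the Run key alone is strong evidence; a disabled wuauserv on its own is also set by administrators and should be correlated with the other two findings.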

Other information

The backdoor connects to the IRC network. It can be controlled remotely. The backdoor can download a file from the Internet. The file is then executed.

The program disables various security-related applications.