Backdoor.Smorph

SUMMARY

Backdoor.Smorph is a polymorphic Trojan horse. It is distributed as an executable that is embedded inside of an .shs file. The Trojan drops files and opens network connections.

NOTE: An .shs file is a Microsoft Scrap Object file. These files are executable and can contain a wide variety of objects. The scrap object (.shs) extension does not appear in Windows Explorer even if all file extensions are displayed.

Protection

• Virus Definitions (Intelligent Updater) October 16, 2000

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Low
• Payload: Opens network connection.

Distribution

• Distribution Level: Low
• Ports: 23276, 23477

TECHNICAL DETAILS

Backdoor.Smorph is distributed as an .shs file (OLE container) containing an executable. The .shs file type is launched in the same manner as an .exe file. The embedded executable runs as soon as the .shs file is launched.

The Trojan horse infects the system in the following manner:

1. When activated, the .shs file launches Packager.exe, a Windows utility, and commands it to create Pkg4135.exe in the Temp folder and run it.
2. Pkg4135.exe creates Vmldr.vxd, Jpegcomp.dll, and Oleproc.exe in the System folder.
3. After the file creation, Oleproc.exe launches.
4. Pkg4135.exe then creates the Windows registry key HKEY_LOCAL_MACHINECurrentControlSetServicesVxDVMLDR and sets the StaticVxD value within this key to Vmldr.vxd. This tells Windows to launch the Vmldr.vxd as a service when the computer starts.
5. After its launch, Oleproc.exe creates a file named Pnpmngr.pci in the System folder and launches it. Pnpmng.pci opens a network connection on ports 23476 and 23477. In addition, Oleproc.exe modifies the content of the original .shs file without changing its size. Oleproc.exe also deletes Pkg4135.exe from the Temp folder.
6. At the end of the infection, Oleproc.exe, Pnpmgr.pc, Vmldr.vxd, and Jpegcomp.exe are created in the System folder, the key HKEY_LOCAL_MACHINECurrentControlSetServicesVxDVMLDR is added to the registry, and the content of the original .shs file is modified. Each subsequent infection results in further modifications to the .shs file and the creation of different Oleproc.exe and Pnpmgr.pci files.

Although the functionality of Oleproc.exe and the Pnpmgr.pci do not change, the PE headers, contents of the Import Tables, and the contents and the names of several sections change within both files.

At startup, the Vmldr.vxd launches the Pnpmgr.pci, which opens a network connection.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove the Backdoor.Smorph Trojan:

• Remove the .shs file. (This Trojan is polymorphic, and the file will have a different name each time.)
• Delete Oleproc.exe, Pnpmgr.pci, Vmldr.vxd, and Jpegcomp.dll from the CWindowsSystem folder.
• Restart Windows in Safe mode.
• Delete the HKEY_LOCAL_MACHINESystemCurrentControlSetServicesVxdVMLDR subkey.

See the sections that follow for detailed instructions.

To remove the .shs file

1. Click Start, point to Find, and then click Files or Folders. The Find: All files dialog box appears.
2. Make sure that "Look in" is pointing to C: or All Drives, and that "Include subfolders" is checked.
3. In the Named box, type *.shs and then click Find Now. Windows find all files and folders that match your search criteria and displays them in the lower pane of the Find dialog box.
4. What you do next depends on which files are found. Because this Trojan is polymorphic, the file will have a different name each time. There is no way for Symantec to advise you on whether the file is part of the Trojan or is used by a legitimate program. Do one of the following:
   • Delete the resultant .shs files.
   • Record the location of each file, and move--do not copy--the files to a floppy disk.
5. Keep the Find: All files dialog box open, and proceed to the next section.

To delete the Trojan files:

1. Click New Search, and click OK to clear.
2. Make sure that Look in is pointing to the drive on which Windows is installed, and that Include subfolders is checked.
3. In the Named box, type (or copy and paste) the following text, and then click Find Now:
   
   oleproc.exe pnpmgr.pci vmldr.vxd jpegcomp.dll
   
4. Delete the resultant files.

To restart the computer in Safe mode:

NOTE: In Safe mode, Windows uses default settings: VGA monitor, no network, Microsoft mouse driver, and the minimum device drivers required to start Windows. You will not have access to CD-ROM drives, printers, or other devices.

• Windows 95
  1. Exit all programs.
  2. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
  3. Click Shut Down, and then click OK.
  4. Click Yes to confirm the shutdown.
  5. Turn off the computer (if necessary) and wait 30 seconds.
     
     NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
     
  6. Turn on the computer.
  7. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
  8. Press the number that corresponds to Safe mode, and then press Enter. Windows starts in Safe mode.
     
• Windows 98
  1. Click Start, and click Run.
  2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
  3. Click Advanced on the General tab.
  4. Check Enable Startup Menu, click OK, and then click OK again.
  5. Exit all programs.
  6. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
  7. Click Shut Down, and then click OK.
  8. Click Yes to confirm the shutdown.
  9. Turn off the computer and wait 30 seconds.
     
     NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
     
  10. Turn on the computer, and wait for the Windows 98 Startup menu.
  11. Press the number that corresponds to Safe mode, and then press Enter. Windows starts in Safe mode.
      
  NOTE (Windows 98 users only): After you have finished removing the Trojan, you can return to this section and follow these steps to disable the Startup menu:
  1. Click Start, and click Run.
  2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
  3. Click Advanced on the General tab.
  4. Uncheck Enable Startup Menu, click OK, and then click OK again.
  5. Restart the computer.
     
• Windows 2000
  1. Exit all programs.
  2. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
  3. Click Shut Down, and then click OK.
  4. Click Yes to confirm the shutdown.
  5. Turn off the computer and wait 30 seconds.
     
     NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
     
  6. Turn on the computer.
  7. As the computer restarts, you will see a continuous line along the bottom of the screen that looks similar to this: |||||||||||||||||||||||||||||. Beneath this line you will see the text "For trouble-shooting and advanced startup options for Windows 2000, press F8." Immediately press F8.
  8. Press the number that corresponds to Safe mode, and then press Enter. Windows starts in Safe mode.

To delete the HKEY_LOCAL_MACHINESystemCurrentControlSetServicesVxdVMLDR subkey:

CAUTION: We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Be sure to modify the specified keys only. See the document How to back up the Windows registry before proceeding.

To edit the registry:

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to and select the following subkey:
   
   HKEY_LOCAL_MACHINESystemCurrentControlSetServicesVxdVMLDR
   
4. Press Delete, and then click Yes to confirm.
5. Click Exit to save the changes and close the Registry Editor.