Backdoor.Smorph

Printer Friendly Page

Discovered: October 16, 2000
Updated: February 13, 2007 11:32:38 AM
Type: Trojan Horse


Backdoor.Smorph is a polymorphic Trojan horse. It is distributed as an executable that is embedded inside of an .shs file. The Trojan drops files and opens network connections.

NOTE: An .shs file is a Microsoft Scrap Object file. These files are executable and can contain a wide variety of objects. The scrap object (.shs) extension does not appear in Windows Explorer even if all file extensions are displayed.

Antivirus Protection Dates

  • Initial Rapid Release version October 16, 2000
  • Latest Rapid Release version January 15, 2018 revision 020
  • Initial Daily Certified version October 16, 2000
  • Latest Daily Certified version January 15, 2018 revision 024

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.


Technical Description


Backdoor.Smorph is distributed as an .shs file (OLE container) containing an executable. The .shs file type is launched in the same manner as an .exe file. The embedded executable runs as soon as the .shs file is launched.

The Trojan horse infects the system in the following manner:

  1. When activated, the .shs file launches Packager.exe, a Windows utility, and commands it to create Pkg4135.exe in the Temp folder and run it.
  2. Pkg4135.exe creates Vmldr.vxd, Jpegcomp.dll, and Oleproc.exe in the \System folder.
  3. After the file creation, Oleproc.exe launches.
  4. Pkg4135.exe then creates the Windows registry key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\VxD\VMLDR and sets the StaticVxD value within this key to Vmldr.vxd. This tells Windows to launch the Vmldr.vxd as a service when the computer starts.
  5. After its launch, Oleproc.exe creates a file named Pnpmngr.pci in the \System folder and launches it. Pnpmng.pci opens a network connection on ports 23476 and 23477. In addition, Oleproc.exe modifies the content of the original .shs file without changing its size. Oleproc.exe also deletes Pkg4135.exe from the \Temp folder.
  6. At the end of the infection, Oleproc.exe, Pnpmgr.pc, Vmldr.vxd, and Jpegcomp.exe are created in the \System folder, the key HKEY_LOCAL_MACHINE\CurrentControlSet\Services\VxD\VMLDR is added to the registry, and the content of the original .shs file is modified. Each subsequent infection results in further modifications to the .shs file and the creation of different Oleproc.exe and Pnpmgr.pci files.

Although the functionality of Oleproc.exe and the Pnpmgr.pci do not change, the PE headers, contents of the Import Tables, and the contents and the names of several sections change within both files.

At startup, the Vmldr.vxd launches the Pnpmgr.pci, which opens a network connection.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


Removal


To remove the Backdoor.Smorph Trojan:

  • Remove the .shs file. (This Trojan is polymorphic, and the file will have a different name each time.)
  • Delete Oleproc.exe, Pnpmgr.pci, Vmldr.vxd, and Jpegcomp.dll from the C\Windows\System folder.
  • Restart Windows in Safe mode.
  • Delete the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vxd\VMLDR subkey.

See the sections that follow for detailed instructions.

To remove the .shs file
  1. Click Start, point to Find, and then click Files or Folders. The Find: All files dialog box appears.
  2. Make sure that "Look in" is pointing to C: or All Drives, and that "Include subfolders" is checked.
  3. In the Named box, type *.shs and then click Find Now. Windows find all files and folders that match your search criteria and displays them in the lower pane of the Find dialog box.
  4. What you do next depends on which files are found. Because this Trojan is polymorphic, the file will have a different name each time. There is no way for Symantec to advise you on whether the file is part of the Trojan or is used by a legitimate program. Do one of the following:
    • Delete the resultant .shs files.
    • Record the location of each file, and move--do not copy--the files to a floppy disk.
  5. Keep the Find: All files dialog box open, and proceed to the next section.

To delete the Trojan files:
  1. Click New Search, and click OK to clear.
  2. Make sure that Look in is pointing to the drive on which Windows is installed, and that Include subfolders is checked.
  3. In the Named box, type (or copy and paste) the following text, and then click Find Now:

    oleproc.exe pnpmgr.pci vmldr.vxd jpegcomp.dll
  4. Delete the resultant files.

To restart the computer in Safe mode:

NOTE: In Safe mode, Windows uses default settings: VGA monitor, no network, Microsoft mouse driver, and the minimum device drivers required to start Windows. You will not have access to CD-ROM drives, printers, or other devices.
  • Windows 95
    1. Exit all programs.
    2. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
    3. Click Shut Down, and then click OK.
    4. Click Yes to confirm the shutdown.
    5. Turn off the computer (if necessary) and wait 30 seconds.

      NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
    6. Turn on the computer.
    7. When "Starting Windows 95..." appears on the screen, press F8. The Windows 95 Startup Menu appears.
    8. Press the number that corresponds to Safe mode, and then press Enter. Windows starts in Safe mode.
  • Windows 98
    1. Click Start, and click Run.
    2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
    3. Click Advanced on the General tab.
    4. Check Enable Startup Menu, click OK, and then click OK again.
    5. Exit all programs.
    6. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
    7. Click Shut Down, and then click OK.
    8. Click Yes to confirm the shutdown.
    9. Turn off the computer and wait 30 seconds.

      NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
    10. Turn on the computer, and wait for the Windows 98 Startup menu.
    11. Press the number that corresponds to Safe mode, and then press Enter. Windows starts in Safe mode.
      NOTE (Windows 98 users only): After you have finished removing the Trojan, you can return to this section and follow these steps to disable the Startup menu:
      1. Click Start, and click Run.
      2. Type msconfig and then click OK. The System Configuration Utility dialog box appears.
      3. Click Advanced on the General tab.
      4. Uncheck Enable Startup Menu, click OK, and then click OK again.
      5. Restart the computer.
  • Windows 2000
    1. Exit all programs.
    2. Click Start, and click Shut Down. The Shut Down Windows dialog box appears.
    3. Click Shut Down, and then click OK.
    4. Click Yes to confirm the shutdown.
    5. Turn off the computer and wait 30 seconds.

      NOTE: You must turn off the power to remove the virus from memory. Do not use the reset button.
    6. Turn on the computer.
    7. As the computer restarts, you will see a continuous line along the bottom of the screen that looks similar to this: |||||||||||||||||||||||||||||. Beneath this line you will see the text "For trouble-shooting and advanced startup options for Windows 2000, press F8." Immediately press F8.
    8. Press the number that corresponds to Safe mode, and then press Enter. Windows starts in Safe mode.

To delete the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vxd\VMLDR subkey:


CAUTION : We strongly recommend that you back up the system registry before making any changes to it. Incorrect changes to the registry may result in permanent data loss or corrupted files. Be sure to modify the specified keys only. See the document How to back up the Windows registry before proceeding.

To edit the registry:
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to and select the following subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vxd\VMLDR
  4. Press Delete, and then click Yes to confirm.
  5. Click Exit to save the changes and close the Registry Editor.


Writeup By: Dmitry Reyder