Associated Malware Groups
Unsafe files using this name have been associated with the following malware groups:
- Cloaked Malware
- Malicious Software
- Worm
File Behavior
SMS.EXE has been seen to perform the following behavior:
- Writes to another Process's Virtual Memory (Process Hijacking)
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Deletes other executables from disk
- Creates other executables on disk
- Can communicate with other computer systems using HTTP protocols
- Executes a Process
- Copies files
- Injects code into other processes
- Executes Processes stored in Temporary Folders
- The Process is polymorphic and can change its structure
- Found on infected systems and resists interrogation by security products
- Uses low level functions to hide itself from the user and from system/security processes
- The Process is packed and/or encrypted using a software packing process
- Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
- Can Send email using SMTP protocols
- Creates system tray popups, messages, errors and security warnings
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
SMS.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Added as a Registry auto start to load Program on Boot up
- Terminated as a Process
- Copied to multiple locations on the system
- Deleted as a process from disk
Country Of Origin
The filename SMS.EXE was first seen on Jun 1 2007 in the following geographical regions of the Webroot community:
- Iran, Islamic Republic of on Jun 1 2007
- Germany on Oct 18 2007
- Spain on Oct 18 2007
- India on Nov 15 2007
- South Africa on Nov 15 2007
- Serbia on Nov 8 2009
- Italy on Mar 9 2010
- Taiwan on Mar 21 2010
- Bangladesh on May 5 2011
- The United States on Feb 9 2012
File Name Aliases
SMS.EXE can also use the following file names:
- NOPMULTI1 (1).EXE
- SMS[1].EXE
- SMS_CREATE_PRO_38595.EXE
- EBOOKBYTHOR.PDF
- MP3RIP.MP3
- SETUP.EXE
- EBOOKBYTHOR.PDF.EXE
- DVDRIP2009.AVI.EXE
- MP3RIP.MP3 .EXE
- LOGHISUONERIE.EXE
- STARTUP.EXE
- SUONERIE.EXE
- LOGHI.EXE
- NOPMULTI1.EXE
- VISDRIVE.EXE
- OMYMM.EXE
- ACVHB.EXE
- WBWEL.EXE
- YGRTA.EXE
- TEKQK.EXE
- 87.EXE
- 57835611.#
- 00107#SMS.EXE
- 06733843.DAT
Filesizes
The following file sizes have been seen:
- 317,952 bytes
- 495,671 bytes
- 1,213,758 bytes
- 798,208 bytes
- 320,000 bytes
- 646,576 bytes
- 69,632 bytes
- 995,328 bytes
- 60,699 bytes
File Type
The filename SMS.EXE refers to many versions of an executable program.
File Activity
One or more files with the name SMS.EXE creates, deletes, copies or moves the following files and folders:
- Creates folder C:\WINDOWS\system32\mp\
- Creates folder C:\WINDOWS\system32\do\
- Creates folder C:\WINDOWS\system32\vid\
- Creates folder C:\WINDOWS\system32\tm\
- Creates c:\windows\system32\mp\README.txt
- Copies file c:\windows\system32\sms.exe to c:\windows\system32\mp\mp3rip.mp3
- Copies file c:\windows\system32\sms.exe to c:\windows\system32\do\EbookBythor.pdf
- Creates c:\windows\system32\vid\README.txt
- Copies file c:\windows\system32\sms.exe to c:\windows\system32\vid\DvDrip2009.avi
- Creates c:\windows\system32\tm\EULA.rtf
- Creates c:\windows\system32\tm\Cd Key.txt
- Creates c:\windows\system32\tm\key.dat
- Copies file c:\windows\system32\sms.exe to c:\windows\system32\tm\Setup.exe
- Opens/modifies c:\autoexec.bat
- Creates c:\docume~1\user\winss.exe
- Copies file c:\docume~1\user\win.exe to c:\windows\system32\wsontfy.exe
- Creates c:\windows\system32\winss.exe
- Creates c:\windows\system32\hhs3ijndfd.dll
- Creates c:\winss.exe
- Copies file c:\jeswo.exe to c:\lsass.exe
- Creates c:\jeswo.exe
- Creates c:\lsass.exe
- Creates c:\docume~1\user\locals~1\temp\ot.exe
- Creates c:\docume~1\user\locals~1\temp\M2.cle
- Creates folder C:\WINDOWS\system32\ghu13
- Deletes c:\docume~1\user\locals~1\temp\nst3C.tmp
- Creates c:\windows\system32\MSINET.DEP
- Creates c:\windows\system32\MSINET.oca
- Creates c:\windows\system32\MSINET.OCX
- Creates c:\windows\system32\pac.txt
- Creates c:\windows\system32\ghu13\ghu131084.exe
- Creates c:\windows\system32\rs32net.exe
- Deletes c:\hmbjgh.exe
- Copies file c:\docume~1\user\locals~1\temp\ot.exe to c:\windows\system32\mssrv32.exe
- Deletes c:\docume~1\user\locals~1\temp\ot.exe
- Copies file c:\windows\system32\drivers\beep.sys to c:\docume~1\user\locals~1\temp\53.tmp
- Creates c:\windows\system32\drivers\beep.sy
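The copy lines above show the binary being written under media and document names (mp3rip.mp3, EbookBythor.pdf, DvDrip2009.avi), a Setup.exe staged beside EULA.rtf and Cd Key.txt, and lsass.exe written to c:\ rather than System32. The Python below is an added example, not code from this page or from Webroot: it parses a constructed subset of the File Activity lines, written in the page's own wording, and applies three hunting heuristics to them. The function names, the executable-extension set, the system-process name list and the sample lines are this editor's assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample (assumption): a subset of the File Activity entries above in the
# page's own "Creates / Copies file ... to ... / Deletes / Opens/modifies" wording.
SAMPLE_ACTIVITY = r"""
Creates folder C:\WINDOWS\system32\mp\
Creates c:\windows\system32\mp\README.txt
Copies file c:\windows\system32\sms.exe to c:\windows\system32\mp\mp3rip.mp3
Copies file c:\windows\system32\sms.exe to c:\windows\system32\do\EbookBythor.pdf
Copies file c:\windows\system32\sms.exe to c:\windows\system32\vid\DvDrip2009.avi
Copies file c:\windows\system32\sms.exe to c:\windows\system32\tm\Setup.exe
Copies file c:\jeswo.exe to c:\lsass.exe
Creates c:\docume~1\user\locals~1\temp\ot.exe
Deletes c:\docume~1\user\locals~1\temp\ot.exe
Opens/modifies c:\autoexec.bat
"""

# One pattern for every line shape the page uses; both "create folder" (as the
# page spells it) and "Creates folder" are accepted, as is the "modifes" typo.
LINE_RE = re.compile(
    r"^(?P<action>creates? folder|creates|deletes|opens/modif(?:ie|e)s|copies file)\s+"
    r"(?P<src>.+?)(?:\s+to\s+(?P<dst>.+))?$",
    re.IGNORECASE,
)

# Extensions Windows executes directly (assumed list). An executable copied to any
# other extension is disguised as a media or document file.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif"}

# Core Windows process names (assumed list). One of these outside System32 is an
# impersonation, like the c:\lsass.exe the page records.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                        "winlogon.exe", "services.exe", "explorer.exe"}


def parse_activity(text):
    """Return (action, source_path, dest_path_or_None) for each parsable line."""
    events = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()  # tolerate the page's "- " bullets
        m = LINE_RE.match(line)
        if line and m:
            dst = (m["dst"] or "").strip() or None
            events.append((m["action"].lower(), m["src"].strip(), dst))
    return events


def self_copies(events, self_name="sms.exe"):
    """Every destination the sample copies its own binary to."""
    return [dst for action, src, dst in events
            if action == "copies file" and dst
            and PureWindowsPath(src).name.lower() == self_name]


def disguised_copies(events):
    """Executable copied to a path whose final extension is not executable."""
    found = []
    for action, src, dst in events:
        if action != "copies file" or not dst:
            continue
        if (PureWindowsPath(src).suffix.lower() in EXEC_EXTS
                and PureWindowsPath(dst).suffix.lower() not in EXEC_EXTS):
            found.append(dst)
    return found


def masquerading_paths(events):
    """Files written under a core Windows process name but outside System32."""
    found = []
    for action, src, dst in events:
        if action not in ("creates", "copies file"):
            continue
        p = PureWindowsPath(dst if action == "copies file" else src)
        if p.name.lower() in SYSTEM_PROCESS_NAMES and p.parent.name.lower() != "system32":
            found.append(str(p))
    return found


if __name__ == "__main__":
    ev = parse_activity(SAMPLE_ACTIVITY)
    print("self-copies:", self_copies(ev))
    print("disguised copies:", disguised_copies(ev))
    print("masquerading paths:", masquerading_paths(ev))
```

The extension check deliberately looks only at the final suffix, so names such as EBOOKBYTHOR.PDF.EXE from the alias list above are not flagged by it; they are caught by the self-copy check instead, which keys on the source name rather than on the destination.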
Process Interaction
One or more files with the name SMS.EXE exerts control over the following processes:
- Kills C:\WINDOWS\system32\winss.exe
Network Activity
One or more files with the name SMS.EXE generates the following network events:
- DNS Lookup 218.248.1.178 218.248.1.178
- DNS Lookup 71.169.84.249 71.169.84.249
- DNS Lookup 66.62.151.198 66.62.151.198
- DNS Lookup 203.235.96.190 203.235.96.190
- DNS Lookup 69.47.168.56 69.47.168.56
- DNS Lookup 202.63.134.39 202.63.134.39
- DNS Lookup 24.2.223.85 24.2.223.85
- DNS Lookup 204.85.64.124 204.85.64.124
- DNS Lookup 88.177.61.183 88.177.61.183
- DNS Lookup 84.252.17.214 84.252.17.214
- DNS Lookup 88.0.14.230 88.0.14.230
- DNS Lookup 213.112.50.73 213.112.50.73
- DNS Lookup 90.156.124.10 90.156.124.10
- DNS Lookup 62.12.68.178 62.12.68.178
- DNS Lookup 81.184.246.107 81.184.246.107
- DNS Lookup 189.220.190.140 189.220.190.140
- DNS Lookup 89.137.146.29 89.137.146.29
- DNS Lookup 68.42.188.170 68.42.188.170
- DNS Lookup 190.152.3.230 190.152.3.230
- DNS Lookup 83.213.113.67 83.213.113.67
- DNS Lookup 173.32.79.21 173.32.79.21
- DNS Lookup 86.58.24.216 86.58.24.216
- DNS Lookup 74.78.196.193 74.78.196.193
- DNS Lookup 89.34.160.152 89.34.160.152
- DNS Lookup 62.80.232.185 62.80.232.185
- DNS Lookup 122.106.6.238 122.106.6.238
- DNS Lookup 74.133.34.82 74.133.34.82
- DNS Lookup 65.101.238.9 65.101.238.9
- DNS Lookup 78.57.120.18 78.57.120.18
- DNS Lookup 69.122.8.43 69.122.8.43
- DNS Lookup 123.237.177.82 123.237.177.82
- DNS Lookup 89.77.98.30 89.77.98.30
- DNS Lookup 69.124.159.191 69.124.159.191
- DNS Lookup 83.29.150.163 83.29.150.163
- DNS Lookup 210.211.149.213 210.211.149.213
- DNS Lookup 89.142.165.11 89.142.165.11
- DNS Lookup 208.8.127.186 208.8.127.186
- DNS Lookup 96.26.129.234 96.26.129.234
- DNS Lookup 69.204.44.238 69.204.44.238
- DNS Lookup 68.148.234.122 68.148.234.122
- DNS Lookup 189.37.0.152 189.37.0.152
- DNS Lookup 70.180.40.47 70.180.40.47
- DNS Lookup 122.105.224.199 122.105.224.199
- DNS Lookup 84.108.99.132 84.108.99.132
- DNS Lookup 122.168.72.211 122.168.72.211
- DNS Lookup 68.206.254.178 68.206.254.178
- DNS Lookup 24.184.215.24 24.184.215.24
- DNS Lookup 158.194.46.48 158.194.46.48
- DNS Lookup 71.94.24.186 71.94.24.186
- DNS Lookup 82.72.73.68 82.72.73.68
Website Activity
One or more files with the name SMS.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- cgymwmlcaa .com / progs / ptpqq / pmzznaann .php?adv=adv745
- cgymwmlcaa .com / progs / ptpqq / mmjjwjxt .php
- cgymwmlcaa .com / progs / ptpqq / ebbxlllly .php
- cgymwmlcaa .com / progs / ptpqq / jscccdd .php
- cgymwmlcaa .com / progs / ptpqq / mjjww .php
- cgymwmlcaa .com / progs / ptpqq / spcmmzmnak .php
- cgymwmlcaa .com / progs / ptpqq / xguudrerr .php
- cgymwmlcaa .com / progs / ptpqq / jtgtuhddr
- cgymwmlcaa .com / progs / ptpqq / pmmmaana .php?adv=adv745&code1=OO0E&code2=0228&id=1556418453&p=0
- Port 80 IP:195.2.253.247
- TCP:218.248.1.178:3128 Port:17
- TCP:71.169.84.249:3128 Port:19
- TCP:66.62.151.198:3128 Port:20
- TCP:189.220.190.140:3128 Port:20
- TCP:90.156.124.10:3128 Port:17
- TCP:24.184.215.24:3128 Port:17
- TCP:88.0.14.230:3128 Port:17
- TCP:83.213.113.67:3128 Port:20
- TCP:158.194.46.48:3128 Port:20
- TCP:204.85.64.124:3128 Port:20
- TCP:69.47.168.56:3128 Port:18
- TCP:86.58.24.216:3128 Port:18
- TCP:190.152.3.230:3128 Port:20
- TCP:89.137.146.29:3128 Port:20
- TCP:68.42.188.170:3128 Port:20
- TCP:89.137.146.29:3128 Port:20
- TCP:203.235.96.190:3128 Port:20
- TCP:213.112.50.73:3128 Port:20
- TCP:81.184.246.107:3128 Port:20
- TCP:62.12.68.178:3128 Port:20
- TCP:24.2.223.85:3128 Port:20
- TCP:202.63.134.39:3128 Port:20
- TCP:74.78.196.193:3128 Port:20
- TCP:173.32.79.21:3128 Port:20
- TCP:88.177.61.183:3128 Port:20
- TCP:89.34.160.152:3128 Port:20
- TCP:84.252.17.214:3128 Port:20
- TCP:62.80.232.185:3128 Port:20
- TCP:65.101.238.9:3128 Port:20
- TCP:122.106.6.238:3128 Port:21
- TCP:74.133.34.82:3128 Port:21
- TCP:78.57.120.18:3128 Port:20
- TCP:89.77.98.30:3128 Port:21
- TCP:123.237.177.82:3128 Port:21
- TCP:69.122.8.43:3128 Port:21
- TCP:83.29.150.163:3128 Port:21
- TCP:210.211.149.213:3128 Port:21
- TCP:96.26.129.234:3128 Port:21
- TCP:66.62.151.198:3128 Port:21
- TCP:69.124.159.191:3128 Port:21
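Every TCP entry above targets port 3128 (the default port of the Squid proxy) on a different public address, and the DNS entries look up IP literals rather than hostnames, so the peer list is carried in the binary or received over the wire, not resolved. The Python below is an added example, not code from this page or from Webroot: it parses a constructed subset of the Network Activity and Website Activity lines in the page's own notation, counts distinct public peers per destination port, and reports ports whose peer count crosses a threshold. The threshold of 10, the function names and the sample lines are this editor's assumptions; the trailing Port:n field, which the page does not explain, is matched but not interpreted.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (assumption): a subset of the network lines above, in the page's
# "DNS Lookup", "Port 80 IP:" and "TCP:ip:port Port:n" forms, including one repeat.
SAMPLE_NETWORK = """
DNS Lookup 218.248.1.178 218.248.1.178
DNS Lookup 71.169.84.249 71.169.84.249
Port 80 IP:195.2.253.247
TCP:218.248.1.178:3128 Port:17
TCP:71.169.84.249:3128 Port:19
TCP:66.62.151.198:3128 Port:20
TCP:189.220.190.140:3128 Port:20
TCP:90.156.124.10:3128 Port:17
TCP:24.184.215.24:3128 Port:17
TCP:88.0.14.230:3128 Port:17
TCP:83.213.113.67:3128 Port:20
TCP:158.194.46.48:3128 Port:20
TCP:204.85.64.124:3128 Port:20
TCP:69.47.168.56:3128 Port:18
TCP:86.58.24.216:3128 Port:18
TCP:89.137.146.29:3128 Port:20
TCP:89.137.146.29:3128 Port:20
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "TCP:ip:port Port:n"; the trailing Port:n tag is accepted but ignored.
TCP_RE = re.compile(rf"^TCP:(?P<ip>{IPV4}):(?P<port>\d+)(?:\s+Port:\d+)?$")
# "Port 80 IP:ip"
HTTP_RE = re.compile(rf"^Port (?P<port>\d+) IP:(?P<ip>{IPV4})$")
# "DNS Lookup name answer"; \s* also accepts the page's "DNS Lookup218..." spacing.
DNS_RE = re.compile(rf"^DNS Lookup\s*(?P<name>\S+)\s+(?P<ip>{IPV4})$")


def parse_network(text):
    """Return (connections, lookups): connections as (ip, port), lookups as (name, answer)."""
    conns, lookups = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("- ").strip()  # tolerate the page's "- " bullets
        m = TCP_RE.match(line) or HTTP_RE.match(line)
        if m:
            conns.append((ipaddress.ip_address(m["ip"]), int(m["port"])))
            continue
        m = DNS_RE.match(line)
        if m:
            lookups.append((m["name"], ipaddress.ip_address(m["ip"])))
    return conns, lookups


def port_fanout(conns, min_peers=10):
    """Ports on which the sample reached at least min_peers distinct public addresses.

    Repeated connections to the same peer count once; private, loopback and other
    non-global ranges are ignored. The threshold is an assumed tuning value.
    """
    peers = defaultdict(set)
    for ip, port in conns:
        if ip.is_global:
            peers[port].add(ip)
    return {port: [str(ip) for ip in sorted(ips)]
            for port, ips in peers.items() if len(ips) >= min_peers}


def literal_ip_lookups(lookups):
    """Lookups whose queried name is itself an IP literal: no hostname was ever resolved."""
    return [str(ip) for name, ip in lookups if name == str(ip)]


if __name__ == "__main__":
    conns, lookups = parse_network(SAMPLE_NETWORK)
    for port, ips in port_fanout(conns).items():
        print(f"port {port}: {len(ips)} distinct public peers")
    print("IP-literal lookups:", literal_ip_lookups(lookups))
```

The same shape, one process opening connections to many distinct external hosts on a single non-web port with no preceding hostname resolution, is what a flow-based detection rule would key on; the peer threshold should be tuned against the baseline of the monitored network rather than taken from this sample.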