This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Minimum DAT: 4247 (2003-02-12)
Updated DAT: 4248 (2003-02-19)
Minimum Engine: 5.1.00
File Length: 57344 bytes
Description Added: 2003-02-10
Description Modified: 2003-02-12
This program is not really a trojan but may form part of some trojan "root-kits" designed to compromise network security. It usually has the name NTSMB.EXE and is 57,344 bytes in length.
The program is a Win32 console application designed to probe one or more IP addresses over the SMB protocol in order to 'crack' administrator accounts on Windows networks. It launches a dictionary-based attack against the IPC$ share using the usernames "administrator" and "admin", taking its candidate passwords from text files named NTSMB.DIC and NTSMBCOMMON.DIC (these file names are hard-coded in the program).
The connection requests made by this program use the string SOUP as the contents of the Primary Domain, Native O/S, and Native LAN Manager fields.
Successful login attempts are displayed on the screen along with the username and password.
This program does not attempt to send any account details over the Internet, nor does it attempt to install itself into the system start-up sequence.
Presence of the files NTSMB.EXE, NTSMB.DIC or NTSMBCOMMON.DIC on the system.
Excessive SMB traffic on the network whose Primary Domain, Native OS or Native LAN Manager fields carry the value SOUP.
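The SOUP marker described above is the practical network indicator for this tool. The following is an added example (not code from this description or from the NTSMB program itself) showing how to pull the Primary Domain, Native OS and Native LAN Manager strings out of an SMB1 Session Setup AndX request and flag the ones carrying SOUP. It assumes the non-extended-security NT LM 0.12 request form (WordCount 13) that a 2003-era tool would send; the packets it checks are constructed in the block, not captured traffic, and the field values in the "normal" sample are illustrative only.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS2_UNICODE = 0x8000
SOUP_MARKER = "SOUP"        # value NTSMB puts in the domain / OS / LAN Manager fields


def _encode(s, unicode):
    """Null-terminated SMB string: UTF-16LE when the Unicode flag is set, else ASCII."""
    return (s.encode("utf-16-le") + b"\x00\x00") if unicode else (s.encode("ascii") + b"\x00")


def build_session_setup(account, domain, native_os, native_lm, unicode=True):
    """Build a NetBIOS-framed SMB1 SESSION_SETUP_ANDX request (NT LM 0.12,
    WordCount 13). Used here only to construct sample packets for the parser."""
    oem_pw = uni_pw = b"\x00" * 24   # LM/NTLM challenge responses; contents irrelevant here
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    # 32-byte SMB header: magic, command, status, flags, flags2, PIDHigh,
    # security signature, reserved, TID, PIDLow, UID, MID
    header = SMB_MAGIC + struct.pack("<BIBHH8sHHHHH", SMB_COM_SESSION_SETUP_ANDX,
                                     0, 0x18, flags2, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    # WordCount=13, AndXCommand=none, AndXReserved, AndXOffset, MaxBufferSize,
    # MaxMpxCount, VcNumber, SessionKey, OEMPasswordLen, UnicodePasswordLen,
    # Reserved, Capabilities
    params = struct.pack("<BBBHHHHIHHII", 13, 0xFF, 0, 0, 4356, 50, 0, 0,
                         len(oem_pw), len(uni_pw), 0, 0)
    data = oem_pw + uni_pw
    if unicode and (len(header) + len(params) + 2 + len(data)) % 2:
        data += b"\x00"          # align AccountName on a 16-bit boundary
    for s in (account, domain, native_os, native_lm):
        data += _encode(s, unicode)
    smb = header + params + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session message framing


def _read_string(buf, pos, unicode):
    """Read one null-terminated string at buf[pos:]; return (text, next_pos)."""
    if unicode:
        end = pos
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
            end += 2
        return buf[pos:end].decode("utf-16-le", "replace"), end + 2
    end = buf.find(b"\x00", pos)
    if end < 0:
        end = len(buf)
    return buf[pos:end].decode("ascii", "replace"), end + 1


def parse_session_setup(pkt):
    """Return the string fields of a WordCount-13 SESSION_SETUP_ANDX request,
    or None if the packet is not one."""
    if len(pkt) < 4 + 32 + 27 + 2 or pkt[0] != 0x00:
        return None
    smb = pkt[4:4 + int.from_bytes(pkt[1:4], "big")]
    if smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_SESSION_SETUP_ANDX or smb[32] != 13:
        return None      # extended-security (WordCount 12) variant is not handled
    unicode = bool(struct.unpack_from("<H", smb, 10)[0] & SMB_FLAGS2_UNICODE)
    oem_len, uni_len = struct.unpack_from("<HH", smb, 47)
    byte_count = struct.unpack_from("<H", smb, 59)[0]
    data = smb[61:61 + byte_count]
    pos = oem_len + uni_len
    if unicode and (61 + pos) % 2:
        pos += 1         # skip the alignment pad byte
    fields = {}
    for name in ("account", "domain", "native_os", "native_lm"):
        fields[name], pos = _read_string(data, pos, unicode)
    return fields


def is_ntsmb_probe(fields):
    """NTSMB fills Primary Domain, Native OS and Native LAN Manager with SOUP."""
    return any(fields.get(k) == SOUP_MARKER for k in ("domain", "native_os", "native_lm"))


def scan(packets):
    """Return (index, account) pairs for the packets carrying the NTSMB marker."""
    hits = []
    for i, pkt in enumerate(packets):
        fields = parse_session_setup(pkt)
        if fields and is_ntsmb_probe(fields):
            hits.append((i, fields["account"]))
    return hits


# Constructed samples (not captured traffic): two NTSMB-style login attempts,
# one Unicode and one OEM/ASCII, and an ordinary-looking client login.
NTSMB_PROBE = build_session_setup("administrator", "SOUP", "SOUP", "SOUP")
NTSMB_PROBE_OEM = build_session_setup("admin", "SOUP", "SOUP", "SOUP", unicode=False)
NORMAL_LOGIN = build_session_setup("jdoe", "CORP", "Windows 2000 2195", "Windows 2000 5.0")

if __name__ == "__main__":
    for idx, account in scan([NORMAL_LOGIN, NTSMB_PROBE, NTSMB_PROBE_OEM]):
        print(f"packet {idx}: NTSMB-style login attempt for user {account!r}")
```

Matching on the exact string SOUP in these fields is far more specific than counting failed logons, since legitimate Windows clients populate Native OS and Native LAN Manager with their product name and version; a positive hit should still be followed by a check for the files listed above on the source host.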
N/A. This is a password-cracking tool, used in dictionary-style attacks against a large number of systems.
All Users:
Use current engine and DAT files for detection. Delete any file that contains this detection.