Smss.exe (Windows Session Manager vs W32/Ladex.Worm)

Smss.exe, the Windows Session Manager, is the process responsible for managing user sessions on a system (the periods during which the respective users are logged in to that system). Specifically, at the beginning of such a session, smss.exe runs a series of commands that launch the login process (winlogon.exe) plus a series of Win32 processes necessary for the functioning of the system. The smss.exe process also sets a series of system variables.

Although it is a relatively important system process, smss.exe is also considered a process vulnerable to online attacks. The legitimate file is located in the folder C:\Windows\System32, and the discovery of a file with the same or a similar name anywhere else indicates the presence of a virus, trojan or spyware on your system.

W32/Ladex.Worm is a virus that spreads through open accounts or shares. It adds certain malware files to the system, including a file named smss.exe (a name identical to that of the legitimate process). It then tries to access the Service Control Manager to install itself, remotely, as a service on the attacked system. This fake service (lmhsvc.exe) bears the name NtLmHosts (or TCP/IP NetBIOS Provider), which creates an impression of legitimacy and misleads many users. Because lmhsvc.exe places a copy in the System32 folder, the service is started automatically at each system start.

After installing itself as a service, the Ladex worm executes the files %windir%\Smss.exe and %windir%\Csrss.exe. While the virus is active, these two illegitimate files are meant to keep it running continuously, through checks made every 3 seconds. Every 10 seconds, the virus also adds the following registry entries to the system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key: 
Smss.exe %windir%\smss.exe 
Csrss.exe %windir%\csrss.exe

The virus also tries, and most of the time succeeds, to block users' access to Registry Editor.

Careful! If you suspect something is wrong with the smss.exe process, we recommend running a thorough system scan and disabling sharing on unused networks.
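The three traces described above (smss.exe or csrss.exe running from outside System32, the two Run values, and the NtLmHosts service) can be checked mechanically. The following is an added example, not code from the original article; it assumes Windows is installed in C:\Windows, and the process, Run-key and service inventory it scans is constructed sample data.

```python
import ntpath

# Assumption: Windows is installed in C:\Windows (the article's %windir%).
WINDIR = r"C:\Windows"
SYSTEM32 = ntpath.join(WINDIR, "System32")
PROTECTED = {"smss.exe", "csrss.exe"}  # names the article says the worm imitates
FAKE_SERVICE = {"ntlmhosts", "tcp/ip netbios provider"}  # names from the article

def normalize(path):
    """Expand %windir% / %SystemRoot%, strip quotes, fold case and separators."""
    p = path.strip().strip('"')
    for var in ("%windir%", "%systemroot%"):
        if p.lower().startswith(var):
            p = WINDIR + p[len(var):]
    return ntpath.normcase(ntpath.normpath(p))

def is_masquerade(path):
    """True when a protected process name lives anywhere but System32."""
    p = normalize(path)
    return (ntpath.basename(p) in PROTECTED
            and ntpath.dirname(p) != normalize(SYSTEM32))

def scan(processes, run_values, services):
    """Return (indicator, detail) findings for the three traces in the article."""
    findings = []
    for image in processes:
        if is_masquerade(image):
            findings.append(("process", image))
    for name, command in run_values.items():  # values are bare paths here
        if is_masquerade(command):
            findings.append(("run-key", f"{name} = {command}"))
    for name, display in services:
        if {name.lower(), display.lower()} & FAKE_SERVICE:
            findings.append(("service", name))
    return findings

# Constructed sample inventory (not captured from a real host).
PROCESSES = [r"C:\Windows\System32\smss.exe", r"C:\WINDOWS\smss.exe",
             r"C:\Windows\System32\csrss.exe"]
RUN_VALUES = {"Smss.exe": r"%windir%\smss.exe",
              "Csrss.exe": r"%windir%\csrss.exe",
              "Updater": r"C:\Program Files\App\update.exe"}
SERVICES = [("LanmanServer", "Server"), ("NtLmHosts", "TCP/IP NetBIOS Provider")]

if __name__ == "__main__":
    for kind, detail in scan(PROCESSES, RUN_VALUES, SERVICES):
        print(f"{kind:8} {detail}")
```

On a real host the three input lists would come from a process listing with image paths, an export of the Run key, and the list of installed services.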

Passionate about technology, I have been writing with pleasure on stealthsetts.com since 2006. I have rich experience in operating systems: macOS, Windows and Linux, but also in programming languages and blogging platforms (WordPress) and for online stores (WooCommerce, Magento, PrestaShop).
