Finding the hidden router killer SMTP virus

Throughout 2010, we discovered computers that would have Internet connection problems but not report any viruses when scanned. Users would report that their computer had started running slowly and would frequently fail to connect to the Internet. In offices with many computers, all of the computers would have problems connecting to the Internet.

Frequently, these symptoms led to router replacement, but the problems would soon return. Scanning the computers with different anti-virus programs yielded no culprit; no viruses were found.

Taking a different approach, we diagnosed the source of this problem using a simple Windows tool and procedure:

Click: Windows Start button.
Choose: Run
Type: CMD (and press Enter or click OK)
Type: netstat (and press Enter)
Type: exit (when finished viewing the results of NetStat)

The Windows NetStat command will show a list of all active network connections. On a normal computer, this list will run to 10-20 items. Examination of the foreign addresses should show the addresses of known computers or web sites that are in use.

On a station with the SMTP router killer virus, the list of connections will scroll for pages, displaying hundreds of foreign web sites, typically from Russia and Asia. When this happens, it reveals that there is an SMTP virus program running.

Examining this problem further, we discovered that the SMTP virus would appear as a normal Windows e-mail program to the anti-virus software, and anti-virus programs would ignore the fact that the SMTP virus was making hundreds of connections to remote mail servers. Since the SMTP virus operated the same way a regular e-mail program works, this activity wouldn’t raise an alarm.

We also discovered that the SMTP virus would create a huge number of connections, sometimes connecting to up to 300 remote computers. This torrent of activity would overload the router and stop all Internet activity, or cause the router to lock up and stop operating because of the excessive number of connections. Resetting or replacing the router would only cure the problem for minutes, until the router again failed under the traffic overload.

We solved the problem by identifying the specific program files that were generating the excessive SMTP traffic and deleting those files. If you suspect you have the symptoms of an SMTP virus, simply follow the steps above on every computer to look for unusual or excessive activity caused by this virus.
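As an added example (not part of the original post), the following Python script applies the same check to saved `netstat -ano` output: for each owning process ID it counts how many distinct remote hosts the process is connected to on TCP port 25 and flags any process whose fan-out exceeds a threshold. The sample netstat output and the threshold value are constructed assumptions.

```python
# Added example, not from the original post: parse Windows `netstat -ano` output and
# count, per owning process, how many distinct remote hosts it is talking to on TCP
# port 25 (SMTP). The sample output and the threshold below are constructed assumptions.
from collections import defaultdict
SMTP_THRESHOLD = 20  # assumed cut-off; a clean box shows 10-20 connections in total

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples; pid is None without -o."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # skips "Active Connections", the column header and blank lines
        proto, local, foreign = parts[:3]
        tail = parts[3:]  # [state, pid], [pid] (UDP has no state) or [state]
        pid = int(tail.pop()) if tail and tail[-1].isdigit() else None
        state = tail[0] if tail else ""
        rows.append((proto, local, foreign, state, pid))
    return rows

def split_host_port(addr):
    """'203.0.113.5:25' -> ('203.0.113.5', 25); '[::1]:25' -> ('::1', 25); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def smtp_fanout(rows):
    """Distinct remote SMTP peers per PID, ignoring this host's own listening sockets."""
    peers = defaultdict(set)
    for proto, _local, foreign, state, pid in rows:
        host, port = split_host_port(foreign)
        if proto == "TCP" and port == 25 and state != "LISTENING":
            peers[pid].add(host)
    return {pid: len(hosts) for pid, hosts in peers.items()}

def suspicious_pids(rows, threshold=SMTP_THRESHOLD):
    """PIDs worth checking with `tasklist /fi "pid eq N"`: SMTP fan-out above the threshold."""
    return sorted(pid for pid, n in smtp_fanout(rows).items() if n > threshold)

# Constructed sample: one HTTPS session, two listeners and 30 outbound SMTP sessions
# from a single process, mimicking the "pages of foreign addresses" symptom.
SAMPLE = "\n".join(
    ["Active Connections", "",
     "  Proto  Local Address          Foreign Address        State           PID",
     "  TCP    192.168.1.10:49152     93.184.216.34:443      ESTABLISHED     2048",
     "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880",
     "  UDP    0.0.0.0:500            *:*                                    1120"]
    + [f"  TCP    192.168.1.10:{50000 + i}  203.0.113.{i}:25  SYN_SENT  1234"
       for i in range(1, 31)])

if __name__ == "__main__":
    print("suspicious PIDs:", suspicious_pids(parse_netstat(SAMPLE)))  # -> [1234]
```

Once a PID is flagged, `tasklist` maps it to the executable, which is the file to quarantine and submit for analysis rather than the router to replace.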
