On your Windows operating system the Session Management Subsystem or the smss.exe process is responsible for handling user sessions. Basically, when a user session begins, the system thread performs a number of tasks, such as launching the Winlogon process, launching required Win32 processes, and setting system variables.
Smss.exe is not a core Windows file and does not have any file description or visible window. It is an unknown file in the Windows folder and by default is located in the C:\Windows\System32 folder. The most common size of the smss.exe file on Windows XP is 192,580 bytes, but you may also find the file in the following sizes: 110,592 and 188,484 bytes.
The process loads at system startup and has an entry in the following registry key:
Due to the ability to record inputs and monitor applications, the smss.exe file is quite prone to virus attacks.
Smss.exe Virus Problem
The W32.Dalbug.Worm (also known as W32/Ladex.worm, Worm.Win32.Ladex.a, Worm.Win32.Ladex.b, WORM_LADEX.A, W32/Ladex-A, W32/Ladex-B, and Win32.Ladex) replicates itself on Microsoft IIS and Windows 2000/NT/XP computers by adding malicious files, including smss.exe, to the system. The worm usually spreads by attacking computers with open user accounts and shares.
Once the worm reaches a computer, it tries to access the Service Control Manager and, if successful, installs itself remotely as a service. This malicious service looks quite legitimate: it is named “NtLmHosts”, has the display name “TCP/IP NetBIOS Provider”, and is described as “Provides NetBIOS over TCP/IP (NetBT) service support for NetBIOS name resolution”. By default its binary is “%windir%\System32\lmhsvc.exe”. Because lmhsvc.exe is copied to the System32 folder and registered as a service, it starts whenever you start the PC.
Note: Here, %windir% is the folder where your Windows operating system is installed. For Windows NT/2000 the default is C:\Winnt and for Windows XP it is C:\Windows.
After installing itself as a service, the W32.Dalbug.Worm executes the %windir%\Smss.exe and %windir%\Csrss.exe files (note the location: the genuine files of the same name live in the System32 folder). The worm also adds a non-malicious joke program, %windir%\System32\Lady.exe, that is executed by Smss.exe and Csrss.exe when they run.
When the worm is active, the task of the malicious Smss.exe and Csrss.exe files it planted is to ensure that its service keeps running by checking it every three seconds. So, if you try to remove, disable, or change the malicious W32.Dalbug.Worm service, it reinstalls itself within a few seconds. Five minutes after the service is reinstalled, the Lady.exe program is activated; it shows your files crawling across the screen.
There is one more task that happens when the W32.Dalbug.Worm is active. Every 10 seconds, the following registry entries are added to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key:
The worm also tries to kill or stop the Regedit.exe process if you try to open the Registry Editor tool.
In addition to all of the above, the Smss.exe and Csrss.exe files copy the malicious worm to the %windir%\inf\Cdrom.sys, %windir%\Fonts\Dosoem.fon, and %windir%\Help\Dosapp.hlp files.
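The indicators described above (the NtLmHosts service, the dropped files, copies of Smss.exe and Csrss.exe outside System32, and Run-key values pointing at them) can be checked from a defender's side with a read-only script. The following PowerShell is an added example, not part of the original article; it assumes Windows PowerShell 5.1 or later running as an administrator, and only reports what it finds without changing anything.

```powershell
# Added example: read-only check for the W32.Dalbug.Worm indicators named in the article.
$windir   = $env:windir
$findings = @()

# 1. The worm's service: name NtLmHosts, display name "TCP/IP NetBIOS Provider",
#    binary %windir%\System32\lmhsvc.exe (all taken from the article).
$svcs = Get-CimInstance Win32_Service -Filter "Name='NtLmHosts' OR DisplayName='TCP/IP NetBIOS Provider'"
foreach ($s in $svcs) {
    $findings += "Suspicious service: $($s.Name) ($($s.DisplayName)) -> $($s.PathName) [state: $($s.State)]"
}

# 2. Files the article says the worm drops. Genuine smss.exe/csrss.exe live in System32,
#    so copies directly under %windir% are themselves an indicator.
$dropped = @(
    "$windir\Smss.exe", "$windir\Csrss.exe",
    "$windir\System32\lmhsvc.exe", "$windir\System32\Lady.exe",
    "$windir\inf\Cdrom.sys", "$windir\Fonts\Dosoem.fon", "$windir\Help\Dosapp.hlp"
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "Dropped file present: $p (SHA256 $hash)"
    }
}

# 3. Running smss/csrss whose image is not in System32. ExecutablePath is $null for
#    protected system processes, which is why the null test comes first.
$procs = Get-CimInstance Win32_Process -Filter "Name='smss.exe' OR Name='csrss.exe'"
foreach ($proc in $procs) {
    $img = $proc.ExecutablePath
    if ($img -and $img -notlike "$windir\System32\*") {
        $findings += "Process $($proc.Name) (PID $($proc.ProcessId)) running from unexpected path: $img"
    }
}

# 4. Run-key values pointing at the worm's binaries. The article names the key but not
#    the value names, so the match is on the value data instead.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        if ("$($prop.Value)" -match '(?i)\\(smss|csrss|lmhsvc|lady)\.exe') {
            $findings += "Run-key value '$($prop.Name)' = $($prop.Value)"
        }
    }
}

if ($findings.Count -eq 0) { "No W32.Dalbug.Worm indicators found." } else { $findings }
```

Because the worm re-creates its service and Run-key entries every few seconds, a clean result from this script is only meaningful when the machine has been scanned while disconnected from the network and the service is not running.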
Methods to Deal with Smss.exe Virus
The following are some of the tasks that you can perform to prevent and resolve the Smss.exe (W32.Dalbug.Worm) issue:
- Implement a firewall and configure it to block all unwanted incoming Internet traffic.
- Avoid creating open network shares and use complex, difficult-to-crack passwords.
- Disable any network shares you don’t use.
- Disable AutoPlay to prevent programs from running automatically from network and removable drives.
- Keep your operating system, device drivers, and applications updated with the latest service packs and security releases.
- Keep your antivirus and antispyware tools updated with the latest definitions and schedule regular full system scans to ensure that your system stays free from malware.
- Use an efficient and advanced registry tool, such as RegServe, to scan and clean the registry so that no malicious entries stay hidden within the complex registry files.