SMSX.EXE - DoS Trojan

This may be a little OT, but we had some complaints from our customers
who complained about saturated connections. We tracked it down to being
a trojan (smsx.exe) that was sitting in their system32 directory.

I stripped some of the ASCII from the file:

PUSH <target> <port> <secs> = A push flooder
��t& NOTICE %s :TCP <target> <port> <secs> = A syn flooder
�� NOTICE %s :UDP <target> <port> <secs> = A udp flooder
�� NOTICE %s :MCON <target> <port> <num> <secs> <holdtime> = A
connectbomb flooder
�� ��' NOTICE %s :DUMP <target> <port> <num> <secs> <holdtime> =
dumps the evilbufs to a port
���& NOTICE %s :MCLONE <target> <port> <num> <secs> <holdtime> =
connects to irc and dumps the evilbufs
����������������������������NOTICE %s :NICK <nick> =
Changes the nick of the client
���������������������NOTICE %s :DISABLE <pass> =
Disables all packeting from this client

The program connects to ( port 6667
(IRC) joins a channel called #REDARMY password :kalashnikov. And there
it seems to wait for comments like PUSH TCP UDP as above.

I am not sure of the delivery mechanism to get it onto the customers PC
but it is certainly an issue. We have blocked access to for now to see if the problems disappear.