TrojanDropper:Win32/SmokeLoader.AB!MSR

by Robert Bailey
March 20, 2023
If you spectate the notification of TrojanDropper:Win32/SmokeLoader.AB!MSR detection, it seems that your system has a problem. All viruses are dangerous, with no exceptions. SmokeLoader gives the burglars an easy access to your computer, or even adds it to the botnet.

What does the notification with TrojanDropper:Win32/SmokeLoader.AB!MSR detection mean?

The TrojanDropper:Win32/SmokeLoader.AB!MSR detection you can see in the lower right side is shown to you by Microsoft Defender. That anti-malware software is good at scanning, but prone to be generally unreliable. It is vulnerable to malware invasions, it has a glitchy user interface and bugged malware removal capabilities. Thus, the pop-up which says about the SmokeLoader is simply an alert that Defender has actually recognized it. To remove it, you will likely need to use another anti-malware program.

TrojanDropper:Win32/SmokeLoader.AB!MSR found

Microsoft Defender: “TrojanDropper:Win32/SmokeLoader.AB!MSR”

The exact TrojanDropper:Win32/SmokeLoader.AB!MSR malware is a really unpleasant thing. This malware is developed to be a stealthy intruder, which acts as a remote-access tool. When you give somebody remote access willingly, it is okay, but SmokeLoader will not ask you if you would like to provide it. After connecting to your system, criminals are free to do whatever they want – grabbing your files, checking out your messages, collecting personal information, et cetera. Backdoors usually carry an additional stealer – the virus that is made to gather all possible data about you. However, far more common use of the backdoors is forming the botnet. After that, the network of infected computers may be put to use to conduct DDoS attacks or to inflate the poll results on various websites.

Backdoor Summary:

Name SmokeLoader Backdoor
Detection TrojanDropper:Win32/SmokeLoader.AB!MSR
Damage Gain access to the operating system to perform various malicious actions.
Similar Msil Androme, Lotok, Quasarrat, Asyncrat, Smokeloader, Msil Dcrat, Rewritehttp, Msil Darkcommet
Fix Tool See If Your System Has Been Affected by SmokeLoader backdoor

SmokeLoader backdoor properties

List of actions done by SmokeLoader.AB!MSR
  • Executable code extraction;
  • Creates RWX memory;
  • Possible date expiration check, exits too soon after checking local time;
  • A process attempted to delay the analysis task.;
  • Attempts to connect to a dead IP:Port (13 unique times);
  • Starts servers listening on 127.0.0.1:0;
  • Reads data out of its own binary image;
  • A process created a hidden window;
  • Drops a binary and executes it;
  • HTTP traffic contains suspicious features which may be indicative of malware related traffic;
  • Performs some HTTP requests;
  • Looks up the external IP address;
  • A scripting utility was executed;
  • Uses Windows utilities for basic functionality;
  • Detects Sandboxie through the presence of a library;
  • Detects Avast Antivirus through the presence of a library;
  • Sniffs keystrokes;
  • Checks for the presence of known windows from debuggers and forensic tools;
  • Steals private information from local Internet browsers;
  • Network activity contains more than one unique useragent.;
  • Exhibits possible ransomware file modification behavior;
  • Writes a potential ransom message to disk;
  • Creates a hidden or system file;
  • Detects VMware through the presence of a registry key;
  • Attempts to modify proxy settings;
  • Attempts to create or modify system certificates;
  • Anomalous binary characteristics;
  • Uses suspicious command line tools or Windows utilities;
Other names for TrojanDropper:Win32/SmokeLoader.AB!MTB
GridinSoft Trojan.Ransom.Gen
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Zenlod.a!c
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Siggen3.2976
ClamAV Win.Packed.Barys-9859531-0
CAT-QuickHeal Trojan.SabsikIH.S21959152
ALYac Gen:Variant.Jaik.45703
Cylance Unsafe
Alibaba Ransom:Win32/Fabookie.f1bf379e
Cyren W32/Kryptik.FFS.gen!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 multiple detections
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
Cynet Malicious (score: 100)
Kaspersky Trojan-Downloader.Win32.Zenlod.lks
BitDefender Gen:Variant.Jaik.45703
NANO-Antivirus Trojan.Win32.Disbuk.jahjfz
MicroWorld-eScan Gen:Variant.Jaik.45703
F-Secure Heuristic.HEUR/AGEN.1142105
BitDefenderTheta Gen:NN.ZedlaF.34142.n88baOE@FOp
McAfee-GW-Edition BehavesLike.Win32.ICLoader.rc
FireEye Generic.mg.6d18c8e8ab9051f7
Emsisoft Gen:Variant.Jaik.45703 (B)
SentinelOne Static AI – Suspicious PE
Avira HEUR/AGEN.1144141
eGambit Unsafe.AI_Score_88%
Antiy-AVL Trojan/Generic.ASMalwS.3454962
Kingsoft Win32.PSWTroj.Undef.(kcloud)
Microsoft TrojanDropper:Win32/SmokeLoader.AB!MSR
Gridinsoft Trojan.Win32.Dropper.ko!s5
Arcabit Trojan.Jaik.DB287
ZoneAlarm Trojan-Downloader.Win32.Zenlod.lks
GData Gen:Variant.Jaik.45703
AhnLab-V3 Dropper/Win.MulDrop.R439720
McAfee Artemis!6D18C8E8AB90
MAX malware (ai score=86)
VBA32 BScope.Trojan.Injector
Malwarebytes Trojan.Dropper.SFX.Generic
Rising Dropper.Agent/NSIS!1.D805 (CLASSIC)
Ikarus Trojan-Downloader.Win32.Agent
Fortinet W32/BSE.4Q7Q!tr
AVG Win32:TrojanX-gen [Trj]
Paloalto generic.ml
Shortly about backdoors

Is TrojanDropper:Win32/SmokeLoader.AB!MSR dangerous?

As I have mentioned before, non-harmful malware does not exist. And TrojanDropper:Win32/SmokeLoader.AB!MSR is not an exclusion. This backdoor does not deal a many harm exactly after it releases. Nevertheless, it will likely be a pretty unpleasant surprise when an occasional forum or site in the Web will not let you in, due to the fact that your IP-address is disallowed after the DDoS attack. But even if it is not critical for you – is it positive in any way to understand that someone else can easily access your PC, read your discussions, open your files, as well as spectate what you do?

The spyware that is usually present as a supplement to the TrojanDropper:Win32/SmokeLoader.AB!MSR virus will be just an additional argument to remove it as fast as you can. Nowadays, when users’ data is valued remarkably high, it is too illogical to grant the burglars such a chance. Even worse if the spyware will in some way handle to take your financial info. Seeing 0 on your savings account is the most awful headache, in my judgement.

How did I get this virus?

It is difficult to trace the origins of malware on your computer. Nowadays, things are mixed, and distribution tactics chosen by adware 5 years ago may be utilized by spyware nowadays. However, if we abstract from the exact distribution tactic and will think of why it has success, the explanation will be quite basic – low level of cybersecurity knowledge. People click on ads on strange sites, click the pop-ups they receive in their browsers, call the “Microsoft tech support” assuming that the weird banner that says about malware is true. It is important to understand what is legitimate – to prevent misunderstandings when trying to identify a virus.

Microsoft Tech Support Scam

Microsoft Tech Support Scam

Nowadays, there are two of the most common methods of malware distribution – lure emails and also injection into a hacked program. While the first one is not so easy to evade – you must know a lot to recognize a fake – the second one is simple to handle: just don’t utilize cracked apps. Torrent-trackers and various other sources of “free” applications (which are, actually, paid, but with a disabled license checking) are really a giveaway place of malware. And TrojanDropper:Win32/SmokeLoader.AB!MSR is just amongst them.

How to remove the TrojanDropper:Win32/SmokeLoader.AB!MSR from my PC?

References

  1. Gossip about the backdoor in Intel processors on Reddit.

About the author

Robert Bailey

Security engineer focused on malware behavior, removal workflows, and Windows hardening. Robert reviews threat articles for practical accuracy, checking detection names, symptoms, and cleanup steps before publication.

View all posts

Leave a Comment