Re: W2K Compromise - PipeCmdSrv

From: woofzat_private
Date: Mon Oct 07 2002 - 17:18:26 PDT

    In-Reply-To: <200210052227.28594.erikat_private>
    
    Hi guys, here's my take.
    
    Attached ( http://lightning.prohosting.com/~woof/temp/wserver.zip ) are 
    the files found on a compromised Win2000 Pro. machine, which resided in 
    the c:\drivers & c:\winnt\system32 folders.
    
    The system didn’t enforce an administrator account password; it is blank. :P
    
    Once the payload wserver.exe is executed (packed by instyler ex-it! from 
    www.instyler.com ), it will dump several files to c:\winnt\system\ and 
    add a registry entry to run explored.exe 
    in “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run”.
    
    Viewing wserver.exe with a hex editor, I found these were the files dumped:
    
    %windowssystem%\Explored.exe
    %windowssystem%\aliases.ini
    %windowssystem%\bnc.mrc
    %windowssystem%\cscan.dat
    %windowssystem%\download.ini
    %windowssystem%\Explored.exe
    %windowssystem%\ie6.dat
    %windowssystem%\kernel33.exe
    %windowssystem%\mirc.ini
    %windowssystem%\moo.dll
    %windowssystem%\remote.ini
    %windowssystem%\webget.mrc
    %windowssystem%\winboot.bin
    %windowssystem%\wincfg
    %windowssystem%\winconf.dat
    %windowssystem%\winconf.mrc
    
    kernel33.exe is detected as an IRC/BackDoor.Flood virus.
    
    The explored.exe was packed by UPX ( http://upx.sourceforge.net ); it 
    looks like it is a mIRC executable.
    
    Looking at mirc.ini, here are the IRC server, files & scripts being 
    referenced:
    
    host=itg.kicks-ass.netSERVER:itg.kicks-ass.net:6667
    nick=Owned[14450]
    [afiles]
    n0=aliases.ini
    [rfiles]
    n0=remote.ini
    n1=remote.ini
    n2=wincfg
    n3=winconf.mrc
    n4=cscan.dat
    n5=bnc.mrc
    n6=webget.mrc
    n7=share.dat
    
    Inspecting the shared.dat, it will trigger share.bat through the 
    Wscript.Shell object using the Microsoft Windows Scripting Host.
    
    But I can’t detect from which source these PipeCmdSrv.exe & ntcmd.exe 
    were deployed....
    
    Sorry, I’m not an IRC freak or code guru able to take a deep look; can 
    anyone shed more light on how the whole thing works? :)
    
    Cheers,
    Chris
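As a triage aid for the mirc.ini fragment quoted in the post above (an added example, not part of Chris's message or the attached files): it pulls out the IRC server and port, the nick, and the alias/remote script files mIRC would load, and flags referenced files whose names do not look like mIRC scripts (the post itself notes that share.dat launches a batch file). The sample input is constructed from the fragment in the post.

```python
import re

# Constructed sample modelled on the mirc.ini fragment quoted in the post.
# mIRC stores the server as the concatenated form "host=<name>SERVER:<addr>:<port>".
SAMPLE_MIRC_INI = """\
host=itg.kicks-ass.netSERVER:itg.kicks-ass.net:6667
nick=Owned[14450]
[afiles]
n0=aliases.ini
[rfiles]
n0=remote.ini
n1=remote.ini
n2=wincfg
n3=winconf.mrc
n4=cscan.dat
n5=bnc.mrc
n6=webget.mrc
n7=share.dat
"""

HOST_RE = re.compile(r"^host=(?P<name>.*?)SERVER:(?P<addr>[^:]+):(?P<port>\d+)\s*$")
SCRIPT_EXTS = (".ini", ".mrc")  # the extensions a legitimate mIRC script list uses

def parse_mirc_ini(text):
    """Return the C2 server/port, nick and referenced script files from a mirc.ini."""
    result = {"server": None, "port": None, "nick": None, "afiles": [], "rfiles": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = HOST_RE.match(line)
        if m:
            result["server"] = m.group("addr")
            result["port"] = int(m.group("port"))
            continue
        if line.startswith("nick="):
            result["nick"] = line[len("nick="):]
            continue
        if section in ("afiles", "rfiles"):
            # n0=, n1=, ... entries name the alias/remote scripts mIRC loads; dedupe them
            key, _, value = line.partition("=")
            if key.startswith("n") and value and value not in result[section]:
                result[section].append(value)
    return result

def unusual_script_names(parsed):
    """Referenced script files that hide behind a non-script extension (e.g. .dat)."""
    files = parsed["afiles"] + parsed["rfiles"]
    return [f for f in files if not f.lower().endswith(SCRIPT_EXTS)]
```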
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Oct 07 2002 - 18:48:11 PDT