[Tino Didriksen]
> When run, it will create C:\winnt\INF\other regardless of %windir% (an
> obvious mistake from the creator), but the BAT files in the dir do
> indicate it makes the zombie run at boot.
>
> Anyways, these files are created for sure:
> C:\winnt\INF\other\hide.exe
> C:\winnt\INF\other\mdm.exe
> C:\winnt\INF\other\psexec.exe
> C:\winnt\INF\other\taskmngr.exe
> C:\winnt\INF\other\nt32.ini
> C:\winnt\INF\other\remote.ini
> C:\winnt\INF\other\secureme
> C:\winnt\INF\other\win32.mrc
> C:\winnt\INF\other\BACKUP.BAT
> C:\winnt\INF\other\seced.bat
> C:\winnt\INF\other\start.bat
>
> - hide.exe is used by start.bat to effectively cloak that it's installing
> itself.
> - mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite
> innocent otherwise.
> - psexec.exe seems to be a remote tool...unknown...

This is part of an excellent suite of free command line remote administration tools called PsTools from Sysinternals.
http://www.sysinternals.com/ntw2k/utilities.shtml

I have seen some of these tools on compromised computers several times, especially psexec.exe, pskill.exe, psloggedon.exe and psinfo.exe.

Thanks for your information, BTW.

--
Andreas

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
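As an added example (not code from either poster), a small Python triage check built from the indicators in the thread: it looks for the dropped-file set in both the hardcoded C:\winnt\INF\other directory and the one under the host's real %windir%, and lists any PsTools binaries present as review items, since the tools themselves are legitimate. The file inventory it runs on is constructed.

```python
import ntpath
from typing import Dict, List

# Indicators from the post. The dropper hardcodes C:\winnt, so this directory
# shows up even on hosts whose %windir% is elsewhere (e.g. C:\WINDOWS).
HARDCODED_DIR = r"C:\winnt\INF\other"
DROPPED_FILES = frozenset({
    "hide.exe", "mdm.exe", "psexec.exe", "taskmngr.exe", "nt32.ini", "remote.ini",
    "secureme", "win32.mrc", "backup.bat", "seced.bat", "start.bat",
})
# Sysinternals PsTools binaries the reply reports seeing on compromised hosts.
PSTOOLS = frozenset({"psexec.exe", "pskill.exe", "psloggedon.exe", "psinfo.exe"})


def candidate_dirs(windir: str) -> List[str]:
    """The hardcoded drop directory plus the one under the host's real %windir%."""
    dirs = [HARDCODED_DIR, ntpath.join(windir, "INF", "other")]
    # Windows paths are case-insensitive: C:\WINNT and C:\winnt are one directory.
    unique: Dict[str, str] = {}
    for d in dirs:
        unique.setdefault(d.lower(), d)
    return list(unique.values())


def triage(inventory: List[str], windir: str) -> Dict[str, object]:
    """Match a host's file inventory (full NT paths) against the indicator set.

    Returns dropped files found per candidate directory, whether any directory
    holds the complete set from the post, and every PsTools binary on the host.
    """
    targets = {d.lower() for d in candidate_dirs(windir)}
    dropped: Dict[str, List[str]] = {}
    pstools: List[str] = []
    for path in inventory:
        parent, name = ntpath.split(path)
        if parent.lower() in targets and name.lower() in DROPPED_FILES:
            dropped.setdefault(parent.lower(), []).append(name.lower())
        if name.lower() in PSTOOLS:
            pstools.append(path)
    complete = any(set(files) == DROPPED_FILES for files in dropped.values())
    return {"dropped": dropped, "complete": complete, "pstools": sorted(pstools)}


# Constructed inventory: a host running from C:\WINDOWS that still carries the
# hardcoded C:\winnt\INF\other drop, plus a pskill.exe an admin keeps in C:\Tools.
SAMPLE_INVENTORY = [r"C:\WINNT\INF\other\%s" % f for f in sorted(DROPPED_FILES)] + [
    r"C:\Tools\pskill.exe",
    r"C:\WINDOWS\INF\other\readme.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY, r"C:\WINDOWS"))
```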
This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 11:59:52 PST