Re: mIRC Zombie, port 445

From: Andreas Strøm (andreas.strom@usit.uio.no)
Date: 01/22/03

    Date: Wed, 22 Jan 2003 10:49:18 +0100
    From: Andreas Strøm <andreas.strom@usit.uio.no>
    To: Tino Didriksen <sfo@projectjj.dk>
    
    

    [Tino Didriksen]

    > When run, it will create C:\winnt\INF\other regardless of %windir% (an
    > obvious mistake from the creator), but the BAT files in the dir do
    > indicate it makes the zombie run at boot.
    >
    > Anyways, these files are created for sure:
    > C:\winnt\INF\other\hide.exe
    > C:\winnt\INF\other\mdm.exe
    > C:\winnt\INF\other\psexec.exe
    > C:\winnt\INF\other\taskmngr.exe
    > C:\winnt\INF\other\nt32.ini
    > C:\winnt\INF\other\remote.ini
    > C:\winnt\INF\other\secureme
    > C:\winnt\INF\other\win32.mrc
    > C:\winnt\INF\other\BACKUP.BAT
    > C:\winnt\INF\other\seced.bat
    > C:\winnt\INF\other\start.bat
    >
    > - hide.exe is used by start.bat to effectively cloak that it's installing
    > itself.
    > - mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite
    > innocent otherwise.
    > - psexec.exe seems to be a remote tool...unknown...

    This is part of an excellent suite of free command line remote
    administration tools called Pstools from Sysinternals.

    http://www.sysinternals.com/ntw2k/utilities.shtml

    I have seen some of these tools on compromised computers several
    times, especially psexec.exe, pskill.exe, psloggedon.exe and
    psinfo.exe.

    Thanks for your information, BTW.

    -- 
    Andreas
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
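A host check built from the two messages above, added here as an example (it is not code from either poster): it walks a filesystem root, reports which of the files Tino lists are present under an INF\other directory, flags the PsTools binaries Andreas mentions wherever they turn up, and shows which batch files in the drop directory reference which dropped binaries. The scan root being a parameter, the constructed sample tree, and the batch-file contents in it are assumptions made so the check runs offline; on a real host you would point it at the drive root or a mounted image.

```python
"""Check a filesystem tree for the mIRC zombie drop directory described in
the thread. Added example, not the posters' code. Indicator names come from
Tino's list; the PsTools names from Andreas's reply. Everything else
(scan root as a parameter, the sample tree) is an assumption for this example.
"""
import os
import tempfile
from pathlib import Path

# Files the dropper creates under C:\winnt\INF\other (names from the post).
INDICATOR_FILES = {
    "hide.exe", "mdm.exe", "psexec.exe", "taskmngr.exe", "nt32.ini",
    "remote.ini", "secureme", "win32.mrc", "backup.bat", "seced.bat", "start.bat",
}
# PsTools binaries Andreas reports finding on compromised hosts.
PSTOOLS_FILES = {"psexec.exe", "pskill.exe", "psloggedon.exe", "psinfo.exe"}
# The dropper hard-codes C:\winnt, so match ...\INF\other under any parent.
DROP_DIR_SUFFIX = ("inf", "other")


def _in_drop_dir(path: Path) -> bool:
    """True if the file's parent directory is <something>\\INF\\other (any case)."""
    parts = [p.lower() for p in path.parent.parts]
    return tuple(parts[-2:]) == DROP_DIR_SUFFIX


def scan_host(root: Path) -> dict:
    """Walk `root` and report dropped indicator files, PsTools binaries found
    anywhere, and which drop-directory .bat files reference which dropped files."""
    report = {"dropped": [], "pstools": [], "bat_refs": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            low = name.lower()
            rel = p.relative_to(root).as_posix()
            if low in INDICATOR_FILES and _in_drop_dir(p):
                report["dropped"].append(rel)
                if low.endswith(".bat"):
                    # Tino notes start.bat uses hide.exe; record such references.
                    text = p.read_text(errors="ignore").lower()
                    refs = sorted(f for f in INDICATOR_FILES if f != low and f in text)
                    if refs:
                        report["bat_refs"][rel] = refs
            if low in PSTOOLS_FILES:
                report["pstools"].append(rel)
    report["dropped"].sort()
    report["pstools"].sort()
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample (assumption): a partial drop directory, one stray
    PsTools binary elsewhere, and a benign file that must not be flagged."""
    drop = root / "winnt" / "INF" / "other"
    drop.mkdir(parents=True)
    for name in ("hide.exe", "mdm.exe", "psexec.exe"):
        (drop / name).write_bytes(b"MZ")          # placeholder binaries
    (drop / "start.bat").write_text("@echo off\nhide.exe\nmdm.exe taskmngr.exe\n")
    (drop / "seced.bat").write_text("@echo off\nrem constructed, no references\n")
    (root / "temp").mkdir()
    (root / "temp" / "pskill.exe").write_bytes(b"MZ")
    (root / "Program Files" / "mIRC").mkdir(parents=True)
    (root / "Program Files" / "mIRC" / "mirc.exe").write_bytes(b"MZ")


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan it, return the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan_host(root)


if __name__ == "__main__":
    import sys
    result = scan_host(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with a drive root or mounted image as the argument; with no argument it scans the constructed sample tree. The .bat reference check is there because the persistence claim in the thread rests on the batch files: seeing start.bat name hide.exe and the other dropped binaries is what turns a list of odd filenames into evidence of a boot-time install.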