Re: mIRC Zombie, port 445

From: Andreas Str|m
Date: 01/22/03

    Date: Wed, 22 Jan 2003 10:49:18 +0100
    From: Andreas Str|m <>
    To: Tino Didriksen <>

    [Tino Didriksen]

    > When run, it will create C:\winnt\INF\other regardless of %windir% (an
    > obvious mistake from the creator), but the BAT files in the dir do
    > indicate that it makes the zombie run at boot.
    > Anyways, these files are created for sure:
    > C:\winnt\INF\other\hide.exe
    > C:\winnt\INF\other\mdm.exe
    > C:\winnt\INF\other\psexec.exe
    > C:\winnt\INF\other\taskmngr.exe
    > C:\winnt\INF\other\nt32.ini
    > C:\winnt\INF\other\remote.ini
    > C:\winnt\INF\other\secureme
    > C:\winnt\INF\other\win32.mrc
    > C:\winnt\INF\other\BACKUP.BAT
    > C:\winnt\INF\other\seced.bat
    > C:\winnt\INF\other\start.bat
    > - hide.exe is used by start.bat to effectively cloak that it's installing
    > itself.
    > - mdm.exe is in reality HideWindow by Adrian Lopez, but he's quite
    > innocent otherwise.
    > - psexec.exe seems to be a remote tool...unknown...

    This is part of an excellent suite of free command line remote
    administration tools called PsTools from Sysinternals.

    I have seen some of these tools on compromised computers several
    times, especially psexec.exe, pskill.exe, psloggedon.exe and

    Thanks for your information, BTW.

    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: