Security Incidents mailing list archives

RE: Can anyone identify this backdoor?


From: "Ian Webb" <iwebb () carolina rr com>
Date: Mon, 22 Jul 2002 01:34:56 -0400

The cmd.exe in cc.zip is the cmd.exe from NT4 SP6a. I just did a FC on a
copy extracted from the Service Pack and it's exactly the same.

-----Original Message-----
From: Richard Bartlett [mailto:richard () hackerimmunity demon co uk] 
Sent: Thursday, July 11, 2002 6:33 PM
To: Matt Andreko; incidents () securityfocus com
Subject: RE: Can anyone identify this backdoor?

Matt,

I've done a quick analysis on this and come up with the following;

<snip>
 C:\recycler\CMD.EXE (possibly genuine cmd.exe from a version of NT/2K/XP,
source unknown)

