RE: Can anyone identify this backdoor?

["Erick Arturo Perez Huemer" <eperez () compuservice net>]

Just to let you know (and the list)
The cc.zip has a file named hk.exe
It has the TROJ.HK.A trojan/virus on it.


Erick A. Perez H.


> -----Original Message-----
> From: Matt Andreko [mailto:mandreko () ori net] 
> Sent: Miercoles, 10 de Julio de 2002 04:58 p.m.
> To: incidents () securityfocus com
> Subject: Can anyone identify this backdoor?
>
>
> Apparently over the holiday, one of my client's machines was 
> broken into.  It was running Windows 2000 Pro, with IIS 
> installed (webserver only, no ftp,smtp..)  Apparently the 
> attacker got in through this.  The logs show some Unicode in 
> the requests, so I'd bet that's it.  
>
> A file was deposited in the c:\winnt\system32\ folder named 
> "cc.exe".  I have studied it a little bit, and it seems quite 
> interesting.  It's actually a winrar self-executable file.  
> Inside contains what I believe a stripped down copy of serv-u 
> ftp server, messages for that server, and some other 
> interesting tools.  There's a cmd.exe file, which doesn't 
> match the size of the one in c:\winnt\system32, so it could 
> be backdoored.
>
> I was basically wondering if anyone had seen anything like 
> it, or could identify it.  I have put a copy up temporarily 
> on my webserver at http://www.criminalsmostly.com/~mandreko/cc.zip 
>
>
>
>
>
>
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer 
> service. For more information on this free incident handling, 
> management 
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com