Security Incidents mailing list archives

Re: Windows 2k rootkit incident, files zipped for your pleasure.


From: <defaillance () hushmail com>
Date: Fri, 13 Jun 2003 09:14:47 -0700



Looks like HXDEF from http://rootkit.host.sk. The main part of the rootkit
reads its configuration from rtkit.ini, where hidden regkeys, services
and the hidden file prefix are defined. It's been packed with a few batch files
to bench the speed of the compromised host, maybe in order to serve warez
later.

The backdoor it installs by default can only be accessed with a special
client; the server side is waiting for a specially crafted ICMP packet on any
listening port, I believe...

AFAIK the code is based on IErk.sys,
maybe something else.

Matt~


