Security Incidents mailing list archives
Re: W2K Compromise - PipeCmdSrv
From: <woofz () gmx net>
Date: 8 Oct 2002 00:18:26 -0000
In-Reply-To: <200210052227.28594.erik () sperling no>

Hi guys, here's my take.

Attached ( http://lightning.prohosting.com/~woof/temp/wserver.zip ) are the files found in a compromised Win2000 Pro. machine, which resided in the c:\drivers and c:\winnt\system32 folders. The system didn't enforce an administrator account password; it is blank. :P

Once the payload wserver.exe is executed (packed by instyler ex-it! from www.instyler.com ), it dumps several files to c:\winnt\system\ and adds a registry entry to run explored.exe in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Viewing wserver.exe with a hex editor, I found these were the files dumped:

%windowssystem%\Explored.exe
%windowssystem%\aliases.ini
%windowssystem%\bnc.mrc
%windowssystem%\cscan.dat
%windowssystem%\download.ini
%windowssystem%\Explored.exe
%windowssystem%\ie6.dat
%windowssystem%\kernel33.exe
%windowssystem%\mirc.ini
%windowssystem%\moo.dll
%windowssystem%\remote.ini
%windowssystem%\webget.mrc
%windowssystem%\winboot.bin
%windowssystem%\wincfg
%windowssystem%\winconf.dat
%windowssystem%\winconf.mrc

kernel33.exe is detected as an IRC/BackDoor.Flood virus. The explored.exe was packed by UPX ( http://upx.sourceforge.net ) and looks like a mIRC executable.

Looking at mirc.ini, here are the IRC server, files & scripts being referenced:

host=itg.kicks-ass.netSERVER:itg.kicks-ass.net:6667
nick=Owned[14450]
[afiles]
n0=aliases.ini
[rfiles]
n0=remote.ini
n1=remote.ini
n2=wincfg
n3=winconf.mrc
n4=cscan.dat
n5=bnc.mrc
n6=webget.mrc
n7=share.dat

Inspecting the shared.dat, it will trigger share.bat through the Wscript.Shell object using the Microsoft Windows Scripting Host. But I can't detect from which source these PipeCmdSrv.exe & ntcmd.exe were deployed.... Sorry, I'm not an IRC freak or code guru able to take a deep look; can anyone shed more light on how the whole thing works?
:)

Cheers,
Chris

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
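The triage step described in the post above (reading mirc.ini to pull out the bot's IRC server, nick and the script files it loads, then checking those references against what the dropper actually wrote) can be scripted. The following Python helper is an added example and is not code from the post or from any of the tools named in it. The mirc.ini sample is constructed from the fragment quoted in the post; the [mirc] section header is an assumption (mIRC keeps host= and nick= there), and the dropped-file list is the one read out of wserver.exe in the post. The one script it reports as unaccounted for (share.dat) is the kind of artefact an analyst then needs to trace to a second-stage download or another dropper.

```python
"""Triage helper for an mIRC-based bot drop: parse mirc.ini, extract the
server/nick the bot connects with and the script files it loads, then compare
those references against the files the dropper is known to have written."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample based on the mirc.ini fragment quoted in the post.
# The [mirc] section header is an assumption (mIRC stores host= and nick= there).
SAMPLE_MIRC_INI = """\
[mirc]
host=itg.kicks-ass.netSERVER:itg.kicks-ass.net:6667
nick=Owned[14450]
[afiles]
n0=aliases.ini
[rfiles]
n0=remote.ini
n1=remote.ini
n2=wincfg
n3=winconf.mrc
n4=cscan.dat
n5=bnc.mrc
n6=webget.mrc
n7=share.dat
"""

# Files the post lists as dumped by wserver.exe (strings seen in a hex editor).
DROPPED_FILES = [
    "Explored.exe", "aliases.ini", "bnc.mrc", "cscan.dat", "download.ini",
    "ie6.dat", "kernel33.exe", "mirc.ini", "moo.dll", "remote.ini",
    "webget.mrc", "winboot.bin", "wincfg", "winconf.dat", "winconf.mrc",
]


def parse_ini_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI reader that tolerates mIRC quirks: duplicate keys (n0=remote.ini
    twice), values containing ':' and '=', and keys differing only in case.
    Returns section name -> ordered list of (key, value) pairs."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections


def parse_server(host_value: str) -> Optional[Tuple[str, int]]:
    """mIRC writes host= as '<description>SERVER:<address>:<port>'. Split on the
    SERVER: marker rather than the first ':' so a description containing colons
    does not corrupt the address."""
    m = re.search(r"SERVER:([^:\s]+):(\d+)", host_value)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def extract_indicators(ini_text: str) -> dict:
    """Return the C2 server (host, port), the bot nick, and every script file
    referenced from [afiles]/[rfiles], lower-cased and de-duplicated in order."""
    sections = parse_ini_sections(ini_text)
    mirc = dict(sections.get("mirc", []))          # last duplicate wins, like mIRC
    server = parse_server(mirc["host"]) if "host" in mirc else None
    scripts: List[str] = []
    for section in ("afiles", "rfiles"):
        for key, value in sections.get(section, []):
            if key.startswith("n") and value and value.lower() not in scripts:
                scripts.append(value.lower())
    return {"server": server, "nick": mirc.get("nick"), "scripts": scripts}


def unaccounted_scripts(referenced: List[str], dropped: List[str]) -> List[str]:
    """Scripts mirc.ini loads that the dropper did not write (case-insensitive);
    each of these must have arrived some other way and needs to be traced."""
    present = {name.lower() for name in dropped}
    return [name for name in referenced if name not in present]


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_MIRC_INI)
    print("C2 server:", found["server"])
    print("Bot nick: ", found["nick"])
    print("Scripts:  ", ", ".join(found["scripts"]))
    print("Not in drop:", unaccounted_scripts(found["scripts"], DROPPED_FILES))
```

Run against the real mirc.ini and the drop list recovered from the binary, the unaccounted list is the set of files to hunt for in download scripts (here webget.mrc and download.ini are the obvious places to read next) and in proxy or IDS logs for the host and port the parser extracts.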
Current thread:
- W2K Compromise - PipeCmdSrv Philip (Oct 01)
- <Possible follow-ups>
- Re: W2K Compromise - PipeCmdSrv Curt Wilson (Oct 05)
- Re: W2K Compromise - PipeCmdSrv Erik Sperling Johansen (Oct 05)
- Re: W2K Compromise - PipeCmdSrv woofz (Oct 07)
- Re: W2K Compromise - PipeCmdSrv woofz (Oct 08)
- Re: W2K Compromise - PipeCmdSrv sfuston (Oct 20)
- Re: W2K Compromise - PipeCmdSrv H C (Oct 21)