HAX.BAT found in infection
Posted on 2003-11-05
Anyone ever seen anything like this?
Infection June/July 2003
Looking for information to help this user:
"hax.bat" was placed on the victim machines, and the scheduler was set to invoke it. Hax.bat was evidently invoked late Oct. 4 or early Oct. 5, and this program installed several things, including a keyboard logger (winsecure.exe), a VNC server (netsrc.exe), and a hidden FTP server listening on port 81 and/or 43958. An account called AdminBackupexec was created, and a remote administration server called r_server was installed. The last line in the file "hax.bat" was supposed to delete the file, but we found one victim machine on which the delete failed, so we have a copy of this file. In addition, virus software and firewall software were stopped. Activation of the FTP service occurred on Oct. 15. These systems have also been seen to begin scanning for real servers and Apache vulnerabilities. We have not been able to find information on this on the internet.