Learn how to a build a cloud-first strategyRegister Now


HAX.BAT found in infection

Posted on 2003-11-05
Medium Priority
Last Modified: 2010-05-18
Anyone ever seen anything like this?
Infection june/july 2003

Looking for information to help this user:

"hax.bat" was placed on the victim machines, and the scheduler was set to invoke it.  Hax.bat was evidently invoked late Oct. 4 or early Oct. 5 and this program installed several things including a keyboard logger (winsecure.exe), vnc server (netsrc.exe), hidden ftp server listening on port 81 and/or 43958, and an account was created called AdminBackupexec, a remote admnistration server called r_server was installed. The last line in the file "hax.bat" was supposed to delete the file, but we found one victim machine on which delete failed, so have a copy of this file.  In addition, virus software and firewall software was stopped.  Activation of the ftp service occurred on Oct. 15.  These systems have also been seen to begin scanning for real servers and apache vulnerabilities. We have not been able to find information on this on the internet

Question by:lrmoore
  • 4
  • 2
  • 2
  • +4
LVL 79

Author Comment

ID: 9688145
I'm not directly involved with this outbreak, just trying to lend a hand to figure out where it came from.
Trust me, I know all about the spyware/adware/trojan hunter software and online scanning.
Cleaning up is not the problem. Getting the infection has increased client's awareness of need for multi-layers of protection.

Where did this come from? Has anyone identified this particular strain? I'm looking for someone with direct experience with this particular virus/worm.

There is nothing on the net about this particular infection. Do a google search for "hax.bat" and nada...
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

LVL 67

Accepted Solution

sirbounty earned 800 total points
ID: 9688168
Almost sounds like something/one internal. . .
Anyone in IT been told their job's being downsized?

Expert Comment

ID: 9688521
It's can be just backdoor.
Some one created this file and left in the machine.
Try to enable firewall and maybe someone try to connect to programs.

Assisted Solution

TooKoolKris earned 400 total points
ID: 9689241
First of all, it's not necessarily a trojan or a virus. It's simply a batch file that anyone with batch coding skills could create. I'm with Sirbounty on the fact that there is no info on the file out on the Internet and this should reasonably point to an inside job. The programs that you say are being installed, where do they reside? Did the bat file come with all this software as well or was it sent via the FTP created? Do a search on this pc for all text files and examine the ones that look funny. Those key loggers normally keep their logs in text format on the pc before they email them off. See if there is a config file for the key logger as well you might be able to find out where the info is being sent if this person is dumb enough.

Check the IIS logs to see if there are any that exist for connections to the FTP server that was created.

Check the registry to see if there are any records of remote mapping. My guess is if someone from the inside did this it was probably done from across the network and there may be a record of the mapped drive used to copy the file to the pc. I'm assuming you have already gone through the event logs.

LVL 49

Assisted Solution

sunray_2003 earned 400 total points
ID: 9693635

>> Where did this come from

I think it may not be very easy to answer this particular one. Generally , I have seen virus or worm come into the system by exchanging floppy disks from other computers.Now-a-days , with internet being very popular , I would guess it would have entered the system through the network......  Esp if you had read about MS blaster worm , you know the moment you hook your systemt to the network card and the network is already contaminated with the worm, your system shuts down.

That's why at the first place i expected spywares /adwares/pop-ups to bring in that particular virus or worm to your system

Also check to see any p2p programs in the system.......

I am totally leaning towards the side that it a virus or worm .. I am just guessing the worst scenario

The way it is described in your question , I think the same way as TooKoolkris , some bat file made to run at a certain time .....


Expert Comment

ID: 9697362
Is this the same one from the security focus incidents mailing list?
LVL 79

Author Comment

ID: 9697772
Yes. They are right in my backyard and I'd like to help...
LVL 18

Assisted Solution

chicagoan earned 400 total points
ID: 9699522
reminiscent of W32.Tkbot.Worm ... was IRC running on these machines?
take a look at a another report: http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0121.html
LVL 18

Expert Comment

ID: 9730998
Did you make any progress on your new friend?
LVL 79

Author Comment

ID: 9731152
Unfortunately, they have not responded to any of my querries...
Our liason is just back from vacation, so ......

LVL 79

Author Comment

ID: 9782174
No responses from my 'new friend', so I can't get any more information.

It was worth a shot, and I appreciate the responses.

I'm going with the feeling that it was an inside job with a custom script. Since this was a university, perhaps a disgruntled student...

That's my story, and I'm sticking to it!

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question