HAX.BAT found in infection

Anyone ever seen anything like this?
Infection june/july 2003

Looking for information to help this user:

"hax.bat" was placed on the victim machines, and the scheduler was set to invoke it.  Hax.bat was evidently invoked late Oct. 4 or early Oct. 5 and this program installed several things including a keyboard logger (winsecure.exe), vnc server (netsrc.exe), hidden ftp server listening on port 81 and/or 43958, and an account was created called AdminBackupexec, a remote admnistration server called r_server was installed. The last line in the file "hax.bat" was supposed to delete the file, but we found one victim machine on which delete failed, so have a copy of this file.  In addition, virus software and firewall software was stopped.  Activation of the ftp service occurred on Oct. 15.  These systems have also been seen to begin scanning for real servers and apache vulnerabilities. We have not been able to find information on this on the internet

LVL 79
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreAuthor Commented:
I'm not directly involved with this outbreak, just trying to lend a hand to figure out where it came from.
Trust me, I know all about the spyware/adware/trojan hunter software and online scanning.
Cleaning up is not the problem. Getting the infection has increased client's awareness of need for multi-layers of protection.

Where did this come from? Has anyone identified this particular strain? I'm looking for someone with direct experience with this particular virus/worm.

There is nothing on the net about this particular infection. Do a google search for "hax.bat" and nada...
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

Almost sounds like something/one internal. . .
Anyone in IT been told their job's being downsized?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's can be just backdoor.
Some one created this file and left in the machine.
Try to enable firewall and maybe someone try to connect to programs.
First of all, it's not necessarily a trojan or a virus. It's simply a batch file that anyone with batch coding skills could create. I'm with Sirbounty on the fact that there is no info on the file out on the Internet and this should reasonably point to an inside job. The programs that you say are being installed, where do they reside? Did the bat file come with all this software as well or was it sent via the FTP created? Do a search on this pc for all text files and examine the ones that look funny. Those key loggers normally keep their logs in text format on the pc before they email them off. See if there is a config file for the key logger as well you might be able to find out where the info is being sent if this person is dumb enough.

Check the IIS logs to see if there are any that exist for connections to the FTP server that was created.

Check the registry to see if there are any records of remote mapping. My guess is if someone from the inside did this it was probably done from across the network and there may be a record of the mapped drive used to copy the file to the pc. I'm assuming you have already gone through the event logs.


>> Where did this come from

I think it may not be very easy to answer this particular one. Generally , I have seen virus or worm come into the system by exchanging floppy disks from other computers.Now-a-days , with internet being very popular , I would guess it would have entered the system through the network......  Esp if you had read about MS blaster worm , you know the moment you hook your systemt to the network card and the network is already contaminated with the worm, your system shuts down.

That's why at the first place i expected spywares /adwares/pop-ups to bring in that particular virus or worm to your system

Also check to see any p2p programs in the system.......

I am totally leaning towards the side that it a virus or worm .. I am just guessing the worst scenario

The way it is described in your question , I think the same way as TooKoolkris , some bat file made to run at a certain time .....

Is this the same one from the security focus incidents mailing list?
lrmooreAuthor Commented:
Yes. They are right in my backyard and I'd like to help...
reminiscent of W32.Tkbot.Worm ... was IRC running on these machines?
take a look at a another report: http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0121.html
Did you make any progress on your new friend?
lrmooreAuthor Commented:
Unfortunately, they have not responded to any of my querries...
Our liason is just back from vacation, so ......

lrmooreAuthor Commented:
No responses from my 'new friend', so I can't get any more information.

It was worth a shot, and I appreciate the responses.

I'm going with the feeling that it was an inside job with a custom script. Since this was a university, perhaps a disgruntled student...

That's my story, and I'm sticking to it!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.