I did a Google search but found next to nothing. Anyone know anything about a Windows backdoor service with the following files:
systemcheck/systemspool.dll
systemcheck/SystemSpool_dll.ocx
systemcheck/SystemSpool_dll.ocx
Thanks
Iron:
I'd suggest there is something odd where two files called "systemcheck/SystemSpool_dll.ocx" seem to be able to occupy the same location. Or am I missing something?
Oops, I meant to copy and paste "systemspool.ocx".
would that also be why your Google Search failed..... ;)
Try this
That looks like it may be it. Here are some other files in the same directory, many of which I already know the function of.
C:\winnt\system32\systemcheck>dir /b /p
files
galaxy
pskill.exe
pslist.exe
speedsuite
systemspool.dll
systemspool.ocx
SystemSpool_dll.ocx
C:\winnt\system32\systemcheck>dir /p
Volume in drive C has no label.
Volume Serial Number is 40CC-B506
Directory of C:\winnt\system32\systemcheck
01/18/2005 11:13 AM <DIR> .
01/18/2005 11:13 AM <DIR> ..
01/18/2005 11:13 AM <DIR> files
01/18/2005 11:12 AM <DIR> galaxy
01/12/2005 10:13 AM 90,112 pskill.exe
01/12/2005 10:13 AM 86,016 pslist.exe
01/18/2005 11:12 AM <DIR> speedsuite
01/12/2005 10:13 AM 603,136 systemspool.dll
01/16/2005 05:14 PM 2,387 systemspool.ocx
01/12/2005 10:13 AM 745 SystemSpool_dll.ocx
5 File(s) 782,396 bytes
5 Dir(s) 13,389,078,528 bytes free
C:\winnt\system32\systemcheck>dir /s
Volume in drive C has no label.
Volume Serial Number is 40CC-B506
Directory of C:\winnt\system32\systemcheck
01/18/2005 11:13 AM <DIR> .
01/18/2005 11:13 AM <DIR> ..
01/18/2005 11:13 AM <DIR> files
01/18/2005 11:12 AM <DIR> galaxy
01/12/2005 10:13 AM 90,112 pskill.exe
01/12/2005 10:13 AM 86,016 pslist.exe
01/18/2005 11:12 AM <DIR> speedsuite
01/12/2005 10:13 AM 603,136 systemspool.dll
01/16/2005 05:14 PM 2,387 systemspool.ocx
01/12/2005 10:13 AM 745 SystemSpool_dll.ocx
5 File(s) 782,396 bytes
Directory of C:\winnt\system32\systemcheck\files
01/18/2005 11:13 AM <DIR> .
01/18/2005 11:13 AM <DIR> ..
0 File(s) 0 bytes
Directory of C:\winnt\system32\systemcheck\galaxy
01/18/2005 11:12 AM <DIR> .
01/18/2005 11:12 AM <DIR> ..
01/12/2005 02:14 PM 114,688 Fport.exe
01/12/2005 02:08 PM 29,696 hidden32.exe
01/12/2005 02:19 PM 604 pass.txt
01/12/2005 02:15 PM 20 pid.bat
01/12/2005 02:15 PM 17,089 pid.txt
01/12/2005 02:19 PM 25 pwdump.bat
01/12/2005 02:07 PM 19,456 pwdump2.exe
01/12/2005 02:08 PM 19,968 samdump.dll
01/12/2005 02:08 PM 17,920 TLIST.EXE
9 File(s) 219,466 bytes
Directory of C:\winnt\system32\systemcheck\speedsuite
01/18/2005 11:12 AM <DIR> .
01/18/2005 11:12 AM <DIR> ..
01/12/2005 02:07 PM 66 ftpam.cmds
01/12/2005 02:07 PM 61 ftpar.cmds
01/12/2005 02:07 PM 39,184 ftpc.exe
01/12/2005 02:07 PM 73 ftpch.cmds
01/12/2005 02:07 PM 85 ftpdd.cmds
01/12/2005 02:07 PM 47 ftper.cmds
01/12/2005 02:07 PM 82 ftpnl.cmds
01/12/2005 02:07 PM 48 ftpob.cmds
01/12/2005 02:07 PM 92 ftpsg.cmds
01/12/2005 02:38 PM 10,148 info.txt
01/12/2005 02:07 PM 131,072 psinfo.exe
01/12/2005 02:07 PM 86,016 pslist.exe
01/12/2005 02:07 PM 51 speed.bat
01/12/2005 02:08 PM 54,453 speed.eu.exe
01/12/2005 02:08 PM 75,341 speed.exe
01/12/2005 02:08 PM 55,008 speed.us.exe
01/12/2005 02:08 PM 13,230 speedsuite.bat
01/12/2005 02:08 PM 498 speedtest.log
01/12/2005 02:31 PM 1,506 Status-32of45
01/12/2005 02:38 PM 430 Status-44of45
01/12/2005 02:38 PM 2,428 Status-45of45
21 File(s) 469,919 bytes
Total Files Listed:
35 File(s) 1,471,781 bytes
11 Dir(s) 13,389,078,528 bytes free
C:\winnt\system32\systemcheck>
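The quickest way to make sense of a drop directory like the one above is to turn the `dir /s` output into a timeline and flag the tools you recognise. The script below is an added example, not something posted in this thread; it parses an excerpt of the listing above (trimmed to a few entries per directory), sorts by last-write time and annotates the files whose purpose is well known. The tool descriptions are mine; the one for hidden32.exe is an assumption and marked as such.

```python
import re
from datetime import datetime

# Excerpt of the `dir /s` output posted above, trimmed to a few entries per
# directory. Real dir output pads the columns with runs of spaces; the
# regexes below accept both that and the single-spaced copy in the post.
DIR_LISTING = r"""
 Directory of C:\winnt\system32\systemcheck

01/18/2005 11:13 AM <DIR> .
01/18/2005 11:13 AM <DIR> ..
01/18/2005 11:13 AM <DIR> files
01/12/2005 10:13 AM 90,112 pskill.exe
01/12/2005 10:13 AM 86,016 pslist.exe
01/12/2005 10:13 AM 603,136 systemspool.dll
01/16/2005 05:14 PM 2,387 systemspool.ocx
01/12/2005 10:13 AM 745 SystemSpool_dll.ocx
5 File(s) 782,396 bytes

 Directory of C:\winnt\system32\systemcheck\galaxy

01/12/2005 02:14 PM 114,688 Fport.exe
01/12/2005 02:08 PM 29,696 hidden32.exe
01/12/2005 02:19 PM 604 pass.txt
01/12/2005 02:19 PM 25 pwdump.bat
01/12/2005 02:07 PM 19,456 pwdump2.exe
01/12/2005 02:08 PM 19,968 samdump.dll
01/12/2005 02:08 PM 17,920 TLIST.EXE
"""

# Files from the listing whose purpose is well known. All of them are
# dual-use: an admin might have them, an intruder certainly would.
KNOWN_TOOLS = {
    "pskill.exe": "Sysinternals PsTools: kill processes by PID or name",
    "pslist.exe": "Sysinternals PsTools: list running processes",
    "psinfo.exe": "Sysinternals PsTools: dump system information",
    "fport.exe": "Foundstone Fport: map listening TCP/UDP ports to processes",
    "pwdump2.exe": "pwdump2: dump SAM password hashes by injecting into lsass",
    "samdump.dll": "pwdump2: the DLL it injects into lsass",
    "tlist.exe": "Microsoft Debugging Tools task list",
    # Assumption: hidden32.exe is the common launcher that runs a program
    # with a hidden window; verify against the binary before relying on it.
    "hidden32.exe": "launches a program with a hidden window (assumed)",
}

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
ENTRY = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}\s+[AP]M)"
    r"\s+(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)


def parse_dir_listing(text):
    """Return the files in a `dir /s` listing as dicts (path, name, mtime, size).

    Directory entries, including . and .., are skipped; summary lines such as
    '5 File(s) ...' never match the entry pattern and are ignored.
    """
    entries, current_dir = [], None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = ENTRY.match(line)
        if not m or current_dir is None or m.group("size") == "<DIR>":
            continue
        stamp = f"{m.group('date')} {' '.join(m.group('time').split())}"
        entries.append({
            "path": f"{current_dir}\\{m.group('name')}",
            "name": m.group("name"),
            "mtime": datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
            "size": int(m.group("size").replace(",", "")),
        })
    return entries


def triage(entries):
    """Timeline rows (mtime, size, path, note) sorted by last-write time."""
    rows = []
    for e in sorted(entries, key=lambda e: (e["mtime"], e["path"])):
        rows.append((e["mtime"], e["size"], e["path"],
                     KNOWN_TOOLS.get(e["name"].lower(), "")))
    return rows


def flagged(entries):
    """Lower-cased names of every recognised tool present, sorted."""
    return sorted({e["name"].lower() for e in entries
                   if e["name"].lower() in KNOWN_TOOLS})


if __name__ == "__main__":
    for mtime, size, path, note in triage(parse_dir_listing(DIR_LISTING)):
        tag = f"  <- {note}" if note else ""
        print(f"{mtime:%Y-%m-%d %H:%M}  {size:>9,}  {path}{tag}")
```

Two caveats when reading the result. `dir` shows last-write time, which Windows preserves when a file is copied onto the box, so the 10:13 and 14:xx stamps on 12 Jan tell you when the tools were last modified on the attacker's side, not necessarily when they were dropped; `dir /tc` (creation time) is the better indicator of when they arrived. And hash the files and copy them off for analysis before doing anything else; do not run pwdump2, hidden32 or anything else from the directory on the compromised host.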
This looks a lot like an owned box that may still be being "worked on".
I'd love to see some of those .bat and .txt files... any chance of zipping them up and either posting them or PMing them?
Irongeek, doing a quick search of one of the files (ftpch.cmds) produced this:
http://lists.freebsd.org/pipermail/f...il/044143.html
I think my last PM to you would support this. I think it's one of those FXP (??) servers (server-to-server transfer of info/files)
I posted all the files in Addicts for those that want to see them:
http://www.antionline.com/showthread...hreadid=265388
I replied there... Probably should have done the reply here. Oh well.... ;)
Why don't you search SecurityFocus?
www.securityfocus.com
They hold the latest security topics regarding Windows and Linux, if that's what you want.