HackTool.Linux.WinExe.A
HEUR:RemoteAdmin.Linux.Winexe.a (KASPERSKY)
Linux
Type de grayware:
Hacking Tool
Destructif:
Non
Chiffrement:
Non
In the wild::
Oui
Overview
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Détails techniques
Übertragungsdetails
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Andere Details
Es macht Folgendes:
- It checks for the following service name if present in the system:
- Service Name: winexesvc
- It connects to the following pipe names which allows command executions:
- \ahexec
- \ahexec_stdin
- \ahexec_stdout
- \ahexec_stderr
- It does the following host commands:
- Usage:
- --reinstall ← Reinstalls winexe service before remote execution
- --system ← Uses SYSTEM account
- --runas={DOMAIN\USERNAME}{%PASSWORD} ← Run as user and password is sent in clear text over net
- --runas-file={FILE} ← Run as user options define in a file
- --interactive={0 or 1} ← Toggle desktop interaction
- 0 - disallow
- 1 - allow
If interactive=1, use also --system switch {Win Requirement}
- --ostype = {0, 1, or 2} ← Operating System type
- 0 - 32bit
- 1 - 64bit
- 2 - winexe will decide by determining which version (32bit/64bit) of service will be installed
- Common Samba Options:
- -d or --debuglevel={DEBUG LEVEL} ← Sets the debug level
- -s or --configfile={CONFIG FILE} ← Uses an alternative configuration file
- -l or --log-basename={LOG FILE BASE} ← Basename for log/debug files
- --debug-stderr ← Sends the debug output to STDERR
- --option=name=value ← Sets smb.conf option from command line
- --leak-report ← Enables talloc leak reporting on exit
- --leak-report-full ← Enable full talloc leak reporting on exit
- Connection Options:
- -R or --name-resolve={NAME-RESOLVE-ORDER} ← Uses these name resolution services only
- -O or --socket-options={SOCKET OPTIONS} ← Defines the socket options to use
- -n or --netbiosname={NET BIOS NAME} ← Sets the primary Netbios name
- -S or --signing={ON, OFF or REQUIRED} ← Sets the client signing state
- -W or --workgroup={WORKGROUP} ← Sets the Workgroup name
- -i or --scope={SCOPE} ← Defines the Netbios scope
- -m or --maxprotocol={MAX PROTOCOL} ← Sets max protocol level
- -V or --version ← Prints version
- --realm={REALM} ← Sets the realm name
- Authentication Options:
- -U or --user={DOMAIN/USERNAME}{%PASSWORD} ← Sets the network username
- -N or --no-pass ← No password required
- -A or --authentication-file={FILE} ← Gets the credentials from a file
- -P or --machine-pass ← Uses stored machine account password
- -k or --kerberos={STRING} ← Uses Kerberos
- --password={STRING} ← Sets the network password
- --simple-bind-dn={STRING} ← Sets the LDAP user distinguished name (DN) to use for simple bind
- Usage:
Solutions
Step 2
Durchsuchen Sie Ihren Computer mit Ihrem Trend Micro Produkt, und löschen Sie Dateien, die als HackTool.Linux.WinExe.A entdeckt werden. Falls die entdeckten Dateien bereits von Ihrem Trend Micro Produkt gesäubert, gelöscht oder in Quarantäne verschoben wurden, sind keine weiteren Schritte erforderlich. Dateien in Quarantäne können einfach gelöscht werden. Auf dieser Knowledge-Base-Seite finden Sie weitere Informationen.
Participez à notre enquête!