HackTool.Linux.WinExe.A
HEUR:RemoteAdmin.Linux.Winexe.a (KASPERSKY)
Linux
Threat Type:
Hacking Tool
Destructiveness:
No
Encrypted:
No
In the wild::
Yes
OVERVIEW
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Detalles de entrada
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Otros detalles
Hace lo siguiente:
- It checks for the following service name if present in the system:
- Service Name: winexesvc
- It connects to the following pipe names which allows command executions:
- \ahexec
- \ahexec_stdin
- \ahexec_stdout
- \ahexec_stderr
- It does the following host commands:
- Usage:
- --reinstall ← Reinstalls winexe service before remote execution
- --system ← Uses SYSTEM account
- --runas={DOMAIN\USERNAME}{%PASSWORD} ← Run as user and password is sent in clear text over net
- --runas-file={FILE} ← Run as user options define in a file
- --interactive={0 or 1} ← Toggle desktop interaction
- 0 - disallow
- 1 - allow
If interactive=1, use also --system switch {Win Requirement}
- --ostype = {0, 1, or 2} ← Operating System type
- 0 - 32bit
- 1 - 64bit
- 2 - winexe will decide by determining which version (32bit/64bit) of service will be installed
- Common Samba Options:
- -d or --debuglevel={DEBUG LEVEL} ← Sets the debug level
- -s or --configfile={CONFIG FILE} ← Uses an alternative configuration file
- -l or --log-basename={LOG FILE BASE} ← Basename for log/debug files
- --debug-stderr ← Sends the debug output to STDERR
- --option=name=value ← Sets smb.conf option from command line
- --leak-report ← Enables talloc leak reporting on exit
- --leak-report-full ← Enable full talloc leak reporting on exit
- Connection Options:
- -R or --name-resolve={NAME-RESOLVE-ORDER} ← Uses these name resolution services only
- -O or --socket-options={SOCKET OPTIONS} ← Defines the socket options to use
- -n or --netbiosname={NET BIOS NAME} ← Sets the primary Netbios name
- -S or --signing={ON, OFF or REQUIRED} ← Sets the client signing state
- -W or --workgroup={WORKGROUP} ← Sets the Workgroup name
- -i or --scope={SCOPE} ← Defines the Netbios scope
- -m or --maxprotocol={MAX PROTOCOL} ← Sets max protocol level
- -V or --version ← Prints version
- --realm={REALM} ← Sets the realm name
- Authentication Options:
- -U or --user={DOMAIN/USERNAME}{%PASSWORD} ← Sets the network username
- -N or --no-pass ← No password required
- -A or --authentication-file={FILE} ← Gets the credentials from a file
- -P or --machine-pass ← Uses stored machine account password
- -k or --kerberos={STRING} ← Uses Kerberos
- --password={STRING} ← Sets the network password
- --simple-bind-dn={STRING} ← Sets the LDAP user distinguished name (DN) to use for simple bind
- Usage:
SOLUTION
Step 2
Explorar el equipo con su producto de Trend Micro para eliminar los archivos detectados como HackTool.Linux.WinExe.A En caso de que el producto de Trend Micro ya haya limpiado, eliminado o puesto en cuarentena los archivos detectados, no serán necesarios más pasos. Puede optar simplemente por eliminar los archivos en cuarentena. Consulte esta página de Base de conocimientos para obtener más información.
Did this description help? Tell us how we did.