HTool-Pipecmd

Type
Program
SubType
Tool
Discovery Date
03/01/2010
Minimum DAT
5907 (03/01/2010)
Updated DAT
5907 (03/01/2010)
Minimum Engine
5.3.00
Description Added
03/01/2010
Description Modified
03/04/2010 2:35 AM (PT)

Characteristics

Hack tool programs are in themselves non-viral and generally do not cause harm to the hacker who deploys them. However, deployment of these utilities is usually harmful to the victims of the attacks, and they are usually considered a threat by network administrators.

File Information

  • MD5 - D1256A5834513D2587478FCF5A55F0B8
  • SHA - E20258DB2171B7F2ED626BF71D3A12BF17291B30

Aliases

  • Ikarus - Trojan-Downloader.Agent
  • Microsoft - HackTool:Win32/Pipecmd.B
  • Nod32 - probably a variant of Win32/TrojanDownloader.Agent

Zcmd.exe (HTool-Pipecmd) is a tool that allows an attacker to execute commands on a remote or local system.

This hack tool drops the following file onto the remote or local system, in the following location:

  • %WinDir%\system32\zCmdSvc.exe

The hack tool also uses the following network shares to copy itself to the remote or local system:

  • IPC$
  • ADMIN$

The connection between the attacker and the remote system can be made over a telnet connection.

The hack tool creates a service named "zCmdSvc" for the dropped file, so that the dropped file executes every time Windows starts.

Once the user's system is compromised, the hack tool acts as a client and sends commands to be executed on the remote or local system. The dropped file on the remote or local system acts as the server and carries out the commands it receives from the client.

Commands are passed between client and server over a named pipe called "zCmd_communicaton".

Symptoms:

  • Presence of the activities mentioned above.
  • Presence of the files mentioned above.
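The indicators in the description above (the dropped file path, the "zCmdSvc" service, the "zCmd_communicaton" named pipe, the IPC$/ADMIN$ shares and the two file hashes) can be turned into a host-log check. The script below is an added example and not part of the McAfee description; the sample event records are constructed, and their field names are assumed to follow the Windows System log event 7045 (service installed), Sysmon events 17/18 (named pipe created/connected) and Security log event 5145 (network share object access). The 40-hex "SHA" value is treated as SHA-1, and %WinDir% is expanded to an explicit value rather than read from the host.

```python
# Added example (not from the McAfee description): offline indicator matching
# for the HTool-Pipecmd behaviour described above. Event field names are
# assumed from the 7045 / Sysmon 17,18 / 5145 schemas; records are constructed.
import hashlib

# Indicators taken from the description above.
KNOWN_MD5 = "d1256a5834513d2587478fcf5a55f0b8"
KNOWN_SHA1 = "e20258db2171b7f2ed626bf71d3a12bf17291b30"  # 40 hex chars, treated as SHA-1
DROPPED_FILE = r"%WinDir%\system32\zCmdSvc.exe"
SERVICE_NAME = "zCmdSvc"
PIPE_NAME = "zCmd_communicaton"  # spelled exactly as the description records it
SPREAD_SHARES = ("IPC$", "ADMIN$")


def expand_windir(path, windir=r"C:\Windows"):
    """Expand %WinDir% with an explicit value so the check works on any host."""
    return path.replace("%WinDir%", windir)


def hashes_match_sample(data):
    """True when the bytes hash to the MD5 or SHA-1 listed in the description."""
    return (hashlib.md5(data).hexdigest() == KNOWN_MD5
            or hashlib.sha1(data).hexdigest() == KNOWN_SHA1)


def _norm_pipe(name):
    # Sysmon logs pipe names with a leading backslash ("\zCmd_communicaton").
    return name.lstrip("\\").lower()


def scan_events(events, windir=r"C:\Windows"):
    """Return one finding string per event that matches a HTool-Pipecmd indicator."""
    dropped = expand_windir(DROPPED_FILE, windir).lower()
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045:  # System log: a service was installed
            name = ev.get("ServiceName", "")
            image = ev.get("ImagePath", "").strip('"').lower()
            if name.lower() == SERVICE_NAME.lower() or image == dropped:
                findings.append(f"service install: {name} -> {ev.get('ImagePath')}")
        elif eid in (17, 18):  # Sysmon: named pipe created / connected
            if _norm_pipe(ev.get("PipeName", "")) == PIPE_NAME.lower():
                findings.append(f"named pipe {PIPE_NAME} by {ev.get('Image')}")
        elif eid == 5145:  # Security log: network share object access
            share = ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()
            target = ev.get("RelativeTargetName", "").lower()
            if share in SPREAD_SHARES and target.endswith("zcmdsvc.exe"):
                findings.append(f"dropped file written via {share} from {ev.get('IpAddress')}")
    return findings


# Constructed sample events (not real logs): three hits, two benign records.
SAMPLE_EVENTS = [
    {"EventID": 5145, "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"system32\zCmdSvc.exe", "IpAddress": "198.51.100.7"},
    {"EventID": 7045, "ServiceName": "zCmdSvc",
     "ImagePath": r"C:\Windows\system32\zCmdSvc.exe"},
    {"EventID": 17, "PipeName": r"\zCmd_communicaton",
     "Image": r"C:\Windows\system32\zCmdSvc.exe"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 17, "PipeName": r"\lsass", "Image": r"C:\Windows\system32\lsass.exe"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The three matching records in the sample reproduce the sequence the description gives: the file is written through ADMIN$, a service named zCmdSvc is installed for it, and the server side opens the "zCmd_communicaton" pipe. Matching is case-insensitive and the share name is reduced to its last path component because 5145 logs it as "\\*\ADMIN$"; `hashes_match_sample` lets the same script confirm a recovered file against the two digests on this page.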

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
