HTool-Pipecmd

Type
Program
SubType
Tool
Discovery Date
03/01/2010
Length
Minimum DAT
5907 (03/01/2010)
Updated DAT
6218 (01/06/2011)
Minimum Engine
5.3.00
Description Added
03/01/2010
Description Modified
03/04/2010 2:35 AM (PT)
Risk Assessment
Corporate User
N/A
Home User
N/A

Characteristics

Hack tool programs are not viral in themselves and generally do not harm the attacker who deploys them. However, their deployment is usually harmful to the victims of the attack, and network administrators generally treat them as a threat.

File Information

  • MD5 - D1256A5834513D2587478FCF5A55F0B8
  • SHA-1 - E20258DB2171B7F2ED626BF71D3A12BF17291B30

Aliases

  • Ikarus - Trojan-Downloader.Agent
  • Microsoft - HackTool:Win32/Pipecmd.B
  • Nod32 - probably a variant of Win32/TrojanDownloader.Agent

HTool-Pipecmd (Zcmd.exe) is a tool that allows an attacker to execute commands on a remote or local system.

The hack tool drops the following file onto the remote or local system:

  • %WinDir%\system32\zCmdSvc.exe

To place that copy on a remote system, the hack tool uses the following administrative network shares:

  • IPC$
  • ADMIN$

The connection between the attacker and the remote system can be made over a telnet connection.

The hack tool creates a service named "zCmdSvc" for the dropped file, so that the dropped file runs every time Windows starts.

Once a system is compromised, the hack tool acts as the client and issues commands to the remote or local system; the dropped file acts as the server and executes the commands it receives from the client.

Commands are passed between client and server over a named pipe called "zCmd_communicaton".

Symptoms:

  • Presence of the activities mentioned above.
  • Presence of the files mentioned above.
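The description above gives four host-side indicators: the dropped file and its hashes, the "zCmdSvc" service used for persistence, the "zCmd_communicaton" named pipe used as the command channel, and the use of the ADMIN$/IPC$ shares to stage the copy. The following PowerShell triage script is an added example written for this page, not McAfee's or the tool author's code; the hash values, paths and names come from the description, while the script layout, the event IDs used for history (7045 service installation in the System log, 5140 share access in the Security log) and the output format are this example's own choices. Run it in an elevated PowerShell session on the host being examined.

```powershell
# Added triage example for HTool-Pipecmd indicators (not McAfee code).
# Run elevated: reading the Security log and hashing system32 need admin rights.
$KnownMd5  = 'D1256A5834513D2587478FCF5A55F0B8'           # MD5 from the description
$KnownSha1 = 'E20258DB2171B7F2ED626BF71D3A12BF17291B30'   # SHA-1 from the description
$DropPath  = Join-Path $env:WINDIR 'system32\zCmdSvc.exe'
$SvcName   = 'zCmdSvc'
$PipeName  = 'zCmd_communicaton'   # spelled as the tool creates it

$findings = @()

# 1. Dropped server binary: hash it and compare with the documented sample.
#    A mismatch still matters; a different build would carry a different hash.
if (Test-Path -LiteralPath $DropPath) {
    $md5   = (Get-FileHash -LiteralPath $DropPath -Algorithm MD5).Hash
    $sha1  = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA1).Hash
    $known = ($md5 -eq $KnownMd5) -or ($sha1 -eq $KnownSha1)
    $findings += [pscustomobject]@{
        Indicator = 'File'; Value = $DropPath
        Detail    = "MD5=$md5 SHA1=$sha1 MatchesKnownSample=$known"
    }
}

# 2. Persistence: the zCmdSvc service and the image path it points at.
$svc = Get-CimInstance Win32_Service -Filter "Name='$SvcName'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{
        Indicator = 'Service'; Value = $svc.Name
        Detail    = "State=$($svc.State) StartMode=$($svc.StartMode) Path=$($svc.PathName)"
    }
}

# 3. Live command channel: the named pipe only exists while the server is running,
#    so its absence does not clear the host; its presence means the server is up now.
$pipeHits = [System.IO.Directory]::GetFiles('\\.\pipe\') |
    Where-Object { ($_ -split '\\')[-1] -eq $PipeName }
foreach ($p in $pipeHits) {
    $findings += [pscustomobject]@{ Indicator = 'NamedPipe'; Value = $p; Detail = 'server active' }
}

# 4. History: service installation events (System 7045) naming zCmdSvc survive
#    even after the service has been removed.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($SvcName) } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'ServiceInstallEvent'; Value = $_.TimeCreated
            Detail    = ($_.Message -split "`n" | Where-Object { $_ -match 'Service (File )?Name' }) -join ' '
        }
    }

# 5. Staging via ADMIN$/IPC$: Security 5140 records network share access, but only
#    when "Audit File Share" auditing is enabled, so no hits here proves nothing.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\\\\*\\(ADMIN|IPC)\$' } |
    Select-Object -First 20 |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'AdminShareAccess'; Value = $_.TimeCreated
            Detail    = ($_.Message -split "`n" | Where-Object { $_ -match 'Share Name|Source Address|Account Name' }) -join ' '
        }
    }

if ($findings.Count -eq 0) {
    'No HTool-Pipecmd indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Treat the file hash and service checks as the authoritative ones: the pipe check only catches a running server, and the share-access check depends on auditing that is off by default. On a host where the tool was pushed from elsewhere, the interesting field in the 5140 events is the source address, which points back at the client machine running Zcmd.exe.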

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore (Windows ME/XP only).

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

General repair may be unsuccessful in some instances. If this occurs, please submit a sample for further evaluation.

Variants

    N/A
