EvilFTP
------------

CVE: 
CAN-1999-0660


Details:
EvilFTP has been found running on this host. EvilFTP sets up an FTP 
server on the target machine which allows the attacker to upload and download 
files. It is also possible for the attacker to spawn programs on the target 
machine. The default port EvilFTP listens on is TCP 23456. This port cannot 
be changed. EvilFTP is known to run on Windows 9x, NT4, and 2000 systems.


Fix:
To remove EvilFTP from a Windows 9x machine, first open the 
c:\windows\win.ini file and remove the line:

Run="c:\windows\system\msrun.exe"

After removing the win.ini entry, you must restart your system.
After the restart, remove the file:

c:\windows\system\msrun.exe

To remove EvilFTP from a Windows NT or 2000 machine, open regedit and remove
the "run" registry value which contains the data "C:\winnt\system32\msrun.exe" 
if it exists in the following path:

HKEY_Local_Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Then delete the file "msrun.exe" in the path C:\winnt\system32.
Last but not least, kill the msrun.exe process in the task manager.
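
The Windows 9x check from the Fix section can be run offline against a copy of win.ini. The following is an added example, not part of the original advisory: the function name, the sample file contents, and the extra check of the load= key are assumptions made for illustration.

```python
import re

# Path from the advisory; compared case-insensitively, as Windows paths are.
MSRUN = r"c:\windows\system\msrun.exe"
# Assumption: also inspect load=, the sibling autostart key in [windows].
AUTOSTART_KEYS = {"run", "load"}


def scan_win_ini(text):
    """Return (findings, cleaned_text) for the contents of a win.ini file.

    findings lists (line_number, original_line) for autostart entries in
    the [windows] section that reference msrun.exe. cleaned_text is the
    file with those lines dropped, as the Fix section instructs.
    """
    findings, kept, section = [], [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        header = re.fullmatch(r"\[(.+)\]", stripped)
        if header:
            section = header.group(1).strip().lower()
        elif section == "windows" and "=" in stripped and not stripped.startswith(";"):
            key, value = stripped.split("=", 1)
            # One entry can list several programs; strip quotes around each.
            programs = [p.strip('"').lower() for p in re.split(r"[,\s]+", value.strip())]
            if key.strip().lower() in AUTOSTART_KEYS and MSRUN in programs:
                findings.append((lineno, line))
                continue  # review the line by hand if it lists other programs too
        kept.append(line)
    return findings, "\n".join(kept) + "\n"


# Constructed sample: only the entry inside [windows] is an autostart entry.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    'Run="c:\\windows\\system\\msrun.exe"\n'
    "NullPort=None\n"
    "[Desktop]\n"
    'Run="c:\\windows\\system\\msrun.exe"\n'
)

if __name__ == "__main__":
    hits, cleaned = scan_win_ini(SAMPLE_WIN_INI)
    for lineno, line in hits:
        print(f"win.ini line {lineno}: {line}")
```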


Related URLs:
http://www.simovits.com/trojans/tr_data/y415.html


$Id: evilftp,v 1.4 2001/07/03 16:14:49 ccoffin Exp $

