BAT_SERVU.A

Malware type: Batch File

Aliases: Trojan.BAT.Zapchast (Kaspersky), IRC/Flood.bat.i (McAfee), BAT.Trojan (Symantec), BAT/NoShareDrive.O (Avira), Bat/Botsecure-A (Sophos)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows NT, 2000

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: Low

Description: 

This is Trend Micro's detection for the batch file components of the IRC malware package IRC_SERVU.A. The malware package uses legitimate programs to perform its malicious tasks. The malware turns an infected machine into an FTP server, allowing a remote malicious user to access its file system.

This malware package is designed to target systems running Windows NT and 2K.

Trend Micro is working to provide a more complete description of this malware.


Description created: Mar. 12, 2003 10:50:29 PM GMT -0800
Description updated: Aug. 24, 2004 12:00:00 AM GMT -0800


TECHNICAL DETAILS


Size of malware: Varies

Initial samples received on: Mar 13, 2003

Details:

This is Trend Micro's detection for the batch file components of the IRC malware package IRC_SERVU.A. The malware package uses legitimate programs to perform its malicious tasks. The malware turns an infected machine into an FTP server, allowing a remote malicious user to access its file system.

File Components

BAT_SERVU.A is composed of the following files:

PASS.BAT, PASS1.BAT and PASS2.BAT - batch files that create the configuration file for the Serv-U FTP server (SERV-U.INI).

PASS3.BAT - used for restarting the Serv-U FTP server (RMTCFG.EXE).

FTP.BAT - batch file used to connect to the hacker's FTP server to obtain updates for the malware.

NOBIOS.BAT - removes these shares: C$, ADMIN$, and IPC$.



SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 2.163.05

Pattern release date: Mar 13, 2003


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Scan your system with Trend Micro antivirus and delete all files detected as BAT_SERVU.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

