Trojan/Backdoor - EvilFTP Detection

high Nessus Network Monitor Plugin ID 1915

Synopsis

The remote host has a backdoor installed

Description

The remote host is running EvilFTP. EvilFTP is a backdoor that sets up an FTP server on your machine.

Solution

To remove this backdoor on Windows 95 and 98, delete the line "Run=C:\Windows\System\msrun.exe" from C:\Windows\Win.ini and delete the C:\Windows\System\msrun.exe file. To remove EvilFTP from a WindowsNT system, you will have to open RegEdit to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, and look for a value named "Run". If the data value is "C:\Winnt\System32\msrun.exe", delete the value, then delete the C:\Winnt\System32\msrun.exe file. Manually inspect and repair this system.

Plugin Details

Severity: High

ID: 1915

Family: Backdoors

Published: 8/20/2004

Updated: 11/23/2016