sethc.exe Possible Backdoor
Critical Nessus Plugin ID 73026
Synopsis
A possible backdoor exists on the remote host.
Description
The copy of 'sethc.exe' in the Windows 'System32' directory on the remote host appears to have been modified, perhaps for use as a backdoor. Either or both of the 'InternalName' or 'OriginalFilename' attributes in the file's version resource no longer match those of the original file.
This file is part of the Windows 'Sticky Keys' accessibility feature and is launched with SYSTEM privileges from the logon screen when the Shift key is pressed five times in a row. If the original file has been replaced with, for example, cmd.exe, an attacker who can reach the logon screen can bypass authentication, obtain a command shell running as SYSTEM and, in turn, take complete control of the host.
Solution
Verify the contents of the 'sethc.exe' file (compare its version information, digital signature and hash against a known-good copy of the same Windows build) and, if it has been altered, determine whether the system has been compromised.
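One way to carry out the verification the solution asks for, as an added example that is not part of the Nessus plugin or of Windows: re-run the same version-resource comparison the plugin performs, then corroborate it with an Authenticode check, a hash comparison and a registry check. The expected values 'sethc' and 'sethc.exe' are what a clean Windows install reports for the two attributes; the $KnownGoodHash placeholder is assumed to be a SHA-256 you obtained yourself from a trusted copy of the same build, and the Image File Execution Options check at the end goes beyond what the plugin inspects.

```powershell
# Added example (not the plugin's or Microsoft's code): reproduce the
# version-resource check behind plugin 73026 and add corroborating checks.
# Assumptions: a clean sethc.exe carries InternalName 'sethc' and
# OriginalFilename 'sethc.exe'; $KnownGoodHash is a placeholder for a
# SHA-256 you computed from a trusted copy of the same Windows build.
# Run from an elevated PowerShell prompt on the host being investigated.

$Path          = Join-Path $env:SystemRoot 'System32\sethc.exe'
$KnownGoodHash = $null   # e.g. (Get-FileHash <offline-media>\Windows\System32\sethc.exe).Hash
$Findings      = @()

# 1. Version resource: this is what the plugin keys on. A swapped-in cmd.exe
#    reports InternalName 'cmd' and OriginalFilename 'Cmd.Exe' instead.
$vi = (Get-Item -LiteralPath $Path).VersionInfo
if ($vi.InternalName -ne 'sethc') {
    $Findings += "InternalName is '$($vi.InternalName)', expected 'sethc'"
}
if ($vi.OriginalFilename -ne 'sethc.exe') {
    $Findings += "OriginalFilename is '$($vi.OriginalFilename)', expected 'sethc.exe'"
}

# 2. Authenticode: catches unsigned or tampered replacements. It does NOT
#    catch a renamed cmd.exe, which is itself Microsoft-signed, so a 'Valid'
#    status here is not a clean bill of health on its own.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    $Findings += "Authenticode status is '$($sig.Status)'"
}

# 3. Hash against a known-good copy of the same build. The servicing store
#    can also be consulted with: sfc /verifyfile=C:\Windows\System32\sethc.exe
$hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Path).Hash
if ($KnownGoodHash -and $hash -ne $KnownGoodHash) {
    $Findings += "SHA-256 $hash does not match known-good $KnownGoodHash"
}

# 4. Beyond the plugin's scope: the same backdoor is often planted without
#    touching the file, via an Image File Execution Options 'Debugger' value
#    that redirects sethc.exe to another program. A file-only check misses it.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
$dbg  = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($dbg) {
    $Findings += "IFEO Debugger for sethc.exe is set to '$dbg'"
}

$Verdict = if ($Findings.Count -gt 0) { 'SUSPICIOUS - investigate' } else { 'No indicators found' }

[pscustomobject]@{
    Path             = $Path
    InternalName     = $vi.InternalName
    OriginalFilename = $vi.OriginalFilename
    Signer           = $sig.SignerCertificate.Subject
    SHA256           = $hash
    Findings         = $Findings
    Verdict          = $Verdict
}
```

Treat any finding from steps 1, 3 or 4 as a compromise indicator rather than a false positive to be tuned away: Windows servicing replaces sethc.exe with a correctly attributed, catalog-signed copy, so a mismatch in the version resource or a foreign IFEO debugger is not something an update produces.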