Trojan/Backdoor - EvilFTP Detection

High Nessus Network Monitor Plugin ID 1915


The remote host has a backdoor installed


The remote host is running EvilFTP. EvilFTP is a backdoor that sets up an FTP server on your machine.


To remove this backdoor on Windows 95 and 98, delete the line "Run=C:\Windows\System\msrun.exe" from C:\Windows\Win.ini and delete the C:\Windows\System\msrun.exe file. To remove EvilFTP from a WindowsNT system, you will have to open RegEdit to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, and look for a value named "Run". If the data value is "C:\Winnt\System32\msrun.exe", delete the value, then delete the C:\Winnt\System32\msrun.exe file. Manually inspect and repair this system.

Plugin Details

Severity: High

ID: 1915

File Name: 1915.prm

Family: Backdoors

Published: 2004/08/20

Modified: 2016/11/23

Risk Information

Risk Factor: High