Trojan/Backdoor - EvilFTP Detection
High Nessus Network Monitor Plugin ID 1915
SynopsisThe remote host has a backdoor installed
DescriptionThe remote host is running EvilFTP. EvilFTP is a backdoor that sets up an FTP server on your machine.
SolutionTo remove this backdoor on Windows 95 and 98, delete the line "Run=C:\Windows\System\msrun.exe" from C:\Windows\Win.ini and delete the C:\Windows\System\msrun.exe file. To remove EvilFTP from a WindowsNT system, you will have to open RegEdit to the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows, and look for a value named "Run". If the data value is "C:\Winnt\System32\msrun.exe", delete the value, then delete the C:\Winnt\System32\msrun.exe file. Manually inspect and repair this system.