1.install
installterm -install termsrv.exe "Windows Terminal Service" 3389
u can input the service name and the port by urself:)
must copy installterm.exe in the same dir with termsrv.exe

is install success,u can see:
Terminal Service Installer V1.0 By Meteor(Slackbot)

Set "Enabled" Successfully
Set "ShutdownWithoutLogon" Successfully
Set "EnableAdminTSRemote" Successfully
Set "TSEnabled" Successfully
Set "Start" Successfully
Set "Hotkey" Successfully
Install Service "Windows Terminal Service" Succesully
Set "PortNumber" Successfully


2.reboot
installterm -reboot
ull see "Reboot Is Taking Plac

sry FR my bad English

that's awesome! thanks for sharing the info
-edit
is it possible to mae it run on any win2k not only in servers ?

thx for this one

gonna test it

hmmm detect by av , not in install but at just the download so maybe usefull at all

Would you mind sharing source code too? So we can make it undetected...

Also, I see that you can modify custom port... But whe I try to connect to some TS computer, I don't see option to enter port in my Remote Desktop??? So how to specify port then???

Backdoor.Slackbot.B is a backdoor Trojan horse that allows a hacker to control your computer using Internet Relay Chat (IRC). Backdoor.Slackbot.B can update itself by checking for newer versions over the Internet.

nasty one

I found another Worm in the file...

Seams that some people flood Government with Virus and other nasty code...

C'ya

---> Virus Profile

Virus Information
Name: BAT/Mumu.worm
Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 6/2/2003
Date Added: 6/2/2003
Origin: China
Length: Varies
Type: Virus
SubType: Worm


Avert has received a handful of field reports of this worm. Files submitted suggest that there may be many more versions of this worm to come. The file names and paths represented here are easily changed, and samples received already deviate from those mentioned. It is also foreseeable that other applications and malware may be thrown in to these scripts and future infections may vary in functionality. This description is meant as a guide.
This worm uses a set of batch files, a few utility programs, and a trojan to spread. It simply copies a set of many different files to target systems, and remotely executes a batch file on that system to spread further. The worm scans for IP addresses to infect, then copies over the various files, and runs again. It does not contain a damaging payload. The worm intends to capture typed keystrokes and send email to a configured address. However, some samples received by AVERT have a key program (PCGhost) replaced with the (nView Desktop Manager). The worm can continue to propagate, spreading this innocent file along the way. PCGhost is a "Potentially Unwanted Program" that monitors system usage, including typed keystrokes, logs this information to a file, and can send the information to a defined email address.

The following files are associated with this worm. 10.BAT Runs HFind.exe, calls other BAT files
hack.bat Attempts to copy all other files to remote share (admin$\system32) and remotely execute START.BAT
HFind.exe IPCScan trojan
ipc.bat Loops through IP list and calls HACK.BAT
IPCPass.txt Temp file
MUMA.BAT Creates log file and runs NWIZ.EXE
NEAR.BAT Creates temp file and calls 10.bat
NWIZe.EXE NVidia Desktop Manager application [Some samples contain the PCGhost application]
NWIZe.INI NWIZe.exe config file
NWIZe.IN_ NWIZe.exe config file
pcMsg.dll PCGhost application file
PSEXEC.EXE Remote Process Launch application
RANDOM.BAT Creates random numbers, used for IP addresses to ping
rep.EXE String replace application
replace.bat Calls rep.exe with parameters
START.BAT Main program that calls other BAT files
tihuan.txt Work file