Security Incidents mailing list archives

W2K Compromise - PipeCmdSrv
From: Philip <spam () cnbcasia com>
Date: 1 Oct 2002 02:49:44 -0000



We had an Internet connected W2K computer compromised. I have
found the files used to compromise it and wonder if they are
part of a standard compromise/exploit.

The first file installed during the compromise was an executable
called PipeCmdSrv.exe in the folder WINNT/System32. This looks
like a service executable which pipes input from a named pipe to
cmd.exe (it was installed in the registry at LEGACY_PIPECMDSRV 
in the CurrentControlSet\Enum\Root key).

Then a copy of WinVNC was installed in a new hidden folder called
"truetype" in the WINNT/Fonts folder. WinVNC was installed as a 
Service called "systask" and was also in the Run key. (It had a
blank icon, and thus wasn't visible in the System Tray).

After VNC was installed, mIRC, iroffer and Serv-U FTP were also
installed in quick succession - about 15 minutes.

I cannot find any information about PipeCmdSrv.exe (I have a copy
of it for inspection) but it seems to have been the first thing
which was installed - how was it installed?

Unfortunately the computer was not secure (installed by a vendor),
had an easily guessable password, and had all the default settings
of W2K SP2 (C$ share and remote access to the registry). 

Has anyone seen PipeCmdSrv before and is it installed as part of
a known compromise?

Thanks,

Tim Philip.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
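A defender's triage check for the artifacts described in this post, added here as an example (not from the original post or the list): it looks for the PipeCmdSrv.exe binary in System32, its LEGACY_PIPECMDSRV node under CurrentControlSet\Enum\Root, the hidden "truetype" folder under Fonts, the "systask" service, and Run-key entries referencing it. It assumes a current Windows host with PowerShell, so it reads $env:SystemRoot instead of the hard-coded WINNT path from the report.

```powershell
# Added triage example (not part of the original post). Checks a Windows host for
# the persistence artifacts Tim Philip reports. Assumption: $env:SystemRoot stands
# in for WINNT, since modern installs use \Windows.
$findings = @()

# 1. The dropped service binary in System32 (first artifact in the report)
$pipeCmd = Join-Path $env:SystemRoot 'System32\PipeCmdSrv.exe'
if (Test-Path $pipeCmd) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $pipeCmd).Hash
    $findings += "PipeCmdSrv.exe present: $pipeCmd (SHA256 $hash)"
}

# 2. Its device node under Enum\Root, where the report found it registered
$legacy = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PIPECMDSRV'
if (Test-Path $legacy) { $findings += "Registry node present: $legacy" }

# 3. WinVNC hidden in a "truetype" folder under Fonts (-Force shows hidden items)
$vncDir = Join-Path $env:SystemRoot 'Fonts\truetype'
if (Test-Path $vncDir) {
    $attrs = (Get-Item -Path $vncDir -Force).Attributes
    $findings += "Folder under Fonts: $vncDir (attributes: $attrs)"
    Get-ChildItem -Path $vncDir -Force -File | ForEach-Object {
        $findings += "  file: $($_.Name) ($($_.Length) bytes)"
    }
}

# 4. The "systask" service and any Run-key value that points at the same tooling
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='systask'" -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service 'systask': state=$($svc.State) path=$($svc.PathName)" }

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS* |
    ForEach-Object { $_.PSObject.Properties } |
    Where-Object { $_.Value -match 'systask|truetype|winvnc' } |
    ForEach-Object { $findings += "Run key value '$($_.Name)' -> $($_.Value)" }

if ($findings.Count -eq 0) { 'No PipeCmdSrv/WinVNC artifacts from the report found.' }
else { $findings }
```

Run it from an elevated prompt so the service query and HKLM reads succeed; any hit is a lead for imaging the host, not proof on its own, since a legitimate VNC deployment could share a name.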


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]