InCommand (1.6 beta 6)
Server name: InCommand
Version: 1.6 beta 6
Different versions:  [1.0][1.1][1.2][1.3][1.4][1.5][1.53][1.6 beta 2][1.6 beta 6]
Tested: Yes, on Windows 95 and Windows NT
Server size: 332K
Server files: server.exe
Server icon:

Infects: Windows 95/98/ME
Autloads: Win.ini: run=server16.exe under [windows]
Default port: 9400 TCP
Can port be changed: Yes

Server Features

  • Alt Tab off
  • Caps lock on/off
  • Change IE startpage
  • Change IE titlebar
  • Change registered user name
  • Change windows colors
  • Chat
  • Disable/Enable Ctrl-Alt-Del
  • Flash keyboard lights
  • FTP on/off
  • Get ICQ passwords
  • Get info
  • Get passwords entered by user 
  • Get time
  • Log off, power off, reboot or shutdown windows
  • Monitor on/off
  • Open browser
  • Open/Close Cd-Rom
  • Play songs on PC speakers
  • Play sound
  • Popup message
  • Send message
  • Set wallpaper
  • Show FBI lockout screen
  • Show/Hide cursor
  • Show/Hide desktop
  • Show/Hide Start bar 
  • Show/Hide Start button
  • Show picture
  • Upload, run file
  • View/Close running applications
  • View/change resolution
  • View from webcam

 
Comments 
InCommand 1.6 beta 6 was released to fix the ICQ notification. ICQ blocked messages sent from InCommand, but this version avoids ICQ's blocking. InCommand has an edit server program. Besides setting an ICQ UIN for notification when your computer comes online, now the server icon and server file name can be changed. This point means that InCommand 1.6 beta 6 can use any name, not just server16.exe, when it infects. The edit server also can choose between one of three methods of infection the InCommand server will use once it is run. However, we found this choice of infection does not work; it would only use the win.ini to auto load. Also note that the edit server can increase the size of the server and/or bind it to another file. 

Note: This is a trojan that can be submitted to us for analysis.
We can possibly determine for you the password that was used and
the ICQ UIN that was being notified. For more information on submitting trojan files to us read here

How To Remove 
Quick fix: no quick fix programs
Manual removal:

  1. Change the run=server16.exe to run= in the win.ini located under [windows]. Which can be done with any text editing program. 
  2. Reboot the computer or close the server16.exe
  3. Delete the server16.exe that is located in the Windows directory.

 
Related 
Article: General removal info
Section: Test your knowledge, take our Trojan Quiz
Service: Trojan removal
Service: Tell a friend about this trojan
Service: Print this page
 
 
Copyright © 2000 and 2001, Dark Eclipse Software. All rights reserved. 
This page may not be redistributed or reproduced in any manner without specific written permission from Dark Eclipse Software. If permission to use this page is desired then contact Dark Eclipse Software. While we consider the content of this page to be accurate, we cannot guarantee either the accuracy or the appropriateness of any portion of the page, including our analysis and manual removal. 
Any actions taken by a reader in response to this or any other Dark Eclipse Software page are completely and solely their responsibility.