Security Basics mailing list archives

RE: Possible Trojan.

From: "Bob Beck" <goodfela26 () finneganfamily net>
Date: Mon, 27 Oct 2003 15:55:17 -0500

http://support.microsoft.com/default.aspx?scid=KB;EN-US;q263201&;

winlogon.exe is a basic windows service in win2k and it runs from the
system32 folder.

If it was running from anywhere else, then I've read that it would probably
be a porn dialer.

Heh, I noticed your email address also...Go Flyers! :)

-----Original Message-----
From: Gene [mailto:flyersfanindc () yahoo com]
Sent: Monday, October 27, 2003 2:43 PM
To: security-basics () securityfocus com
Subject: Possible Trojan.




Have a buddy complaining about his AOL account password being stolen every
time he logs onto AOL from his PC at work.  I talked him through doing an
fport on his box and he sent me the results:   Pid   Process            Port
Proto Path 8     System         ->  1097  TCP 8     System         ->  139
TCP 8     System         ->  445   TCP 1916  aolwbspd       ->  11523 TCP
C:\Program Files\America Online 9.0\aolwbsp d.exe 676   OUTLOOK        ->
1125  TCP   C:\Program Files\Microsoft Office\Office10\ OUTLOOK.EXE 676
OUTLOOK        ->  1129  TCP   C:\Program Files\Microsoft Office\Office10\
OUTLOOK.EXE 856   MSTask         ->  1051  TCP
C:\WINNT\system32\MSTask.exe 988   svchost        ->  1132  TCP
C:\WINNT\system32\svchost.exe 988   svchost        ->  1134  TCP
C:\WINNT\system32\svchost.exe 988   svchost        ->  1139  TCP
C:\WINNT\system32\svchost.exe 452   svchost        ->  135   TCP
C:\WINNT\system32\svchost.exe   8     System         ->  137   UDP 8
System         ->  138   UDP 8     System         ->  445   UDP 1820
      ->  1849  UDP   C:\Program Files\America Online 9.0\waol.ex e 1688
IEXPLORE       ->  1191  UDP   C:\Program Files\Internet Explorer\IEXPLORE
.EXE 1856  IEXPLORE       ->  1784  UDP   C:\Program Files\Internet
Explorer\IEXPLORE .EXE 676   OUTLOOK        ->  1126  UDP   C:\Program
Files\Microsoft Office\Office10\ OUTLOOK.EXE 676   OUTLOOK        ->  1127
UDP   C:\Program Files\Microsoft Office\Office10\ OUTLOOK.EXE 676
OK        ->  1182  UDP   C:\Program Files\Microsoft Office\Office10\
OUTLOOK.EXE 800   rtvscan        ->  2967  UDP   C:\Program
Files\NavNT\rtvscan.exe 268   lsass          ->  500   UDP
C:\WINNT\system32\lsass.exe 228   winlogon       ->  1053  UDP
\??\C:\WINNT\system32\winlogon.exe   I'm really concerned with the last one:
228   winlogon       ->  1053  UDP   \??\C:\WINNT\system32\winlogon.exe
I've found some things on the net that say it's legit, I've found others
that say it's indicative of a backdoor.  I ran fport on my box and did not
have any entries like that.  Does anyone have any information on this?  Are
there other entries that attract anyone else's attention?  Your help is
appreciated.

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------




---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------

Current thread:

Possible Trojan. Gene (Oct 27)
- RE: Possible Trojan. Bob Beck (Oct 27)
- Re: Possible Trojan. Charles Funderburk (Oct 27)
- <Possible follow-ups>
- Re: Possible Trojan. H Carvey (Oct 28)
  - Re: Possible Trojan. John T. Hoffoss (Oct 29)
    - Interesting sniffer packet JGrimshaw (Oct 30)