Security Incidents mailing list archives

Re: Possible trojaned wlogon.exe?

From: Jim Zajkowski <jim () jimz net>
Date: Tue, 31 Jul 2001 20:21:30 -0400

On Tue, Jul 31, 2001 at 01:09:22PM -0500, Thompson, John J wrote:

Ive been keeping a close eye on the webserver and I just noticed that the
processor usage is really high. Since Ive been aware of it (about 2 hours)
the following process has been at or around 99% utilization:
PID 920 --- wlogin.exe


We saw this on a Win2K machine, along with a process "w.exe".  It appears 
to be a trojan.

To remove it: find the WinLogin service in the registry and set its path back 
to point to "winlogon.exe".  Reboot and you can delete wlogin and w.  

There's a bit more information at deja; I think we searched for "wlogin.exe."

--Jim

-- 
Jim Zajkowski
System Administrator               http://www.jimz.net/pgp-pubkey.asc
ITCS Contract Services     8A9E 1DDF 944D 83C3 AEAB  8F74 8697 A823 2113 5C53

Attachment: _bin
Description:

Current thread:

Re: Possible trojaned wlogon.exe? Jim Zajkowski (Jul 31)
- Re: Possible trojaned wlogon.exe? Paul Dokas (Aug 09)