Security Incidents mailing list archives

Re: Possible trojaned wlogon.exe?


From: Paul Dokas <dokas () cs umn edu>
Date: Wed, 8 Aug 2001 15:36:07 -0500

On Tue, Jul 31, 2001 at 08:21:30PM -0400, Jim Zajkowski wrote:
On Tue, Jul 31, 2001 at 01:09:22PM -0500, Thompson, John J wrote:
I've been keeping a close eye on the webserver and I just noticed that the
processor usage is really high. Since I've been aware of it (about 2 hours)
the following process has been at or around 99% utilization:
PID 920 --- wlogin.exe

We saw this on a Win2K machine, along with a process "w.exe".  It appears 
to be a trojan.

To remove it: find the WinLogin service in the registry and set its path back 
to point to "winlogon.exe".  Reboot and you can delete wlogin and w.  

There's a bit more information at deja; I think we searched for "wlogin.exe."

--Jim

I found a few Win2K machines with this beastie installed on them.  It's
BO2K with a custom builtin plugin.  If you've got the same one as I did,
wlogin.exe is acting as an IRC client, connected to an IRC server (typically
irc.icq.com) and sitting on a channel, waiting for commands.

The typical usage of this thing is to DDOS people.


Paul
-- 
Paul Dokas                                            dokas () cs umn edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
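A defender-side check for the service-path hijack Jim describes, as an added example that is not code from the original thread: it parses a `.reg` export of the Services key and flags any service whose ImagePath launches wlogin.exe or w.exe instead of a legitimate binary. The sample export, the service names in it and the `SUSPECT_NAMES` set are constructed for the demonstration.

```python
import re

# Constructed sample, not a real registry export: one clean service, one
# whose ImagePath was pointed at wlogin.exe, one launching w.exe with an argument.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="C:\\WINNT\\system32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinLogin]
"ImagePath"="C:\\WINNT\\system32\\wlogin.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Helper]
"ImagePath"="\"C:\\WINNT\\w.exe\" -s"
'''

# Binary names reported in the thread; extend with other names as needed.
SUSPECT_NAMES = {"wlogin.exe", "w.exe"}
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"ImagePath"="(.*)"$')

def parse_reg_services(text):
    """Return {service_key: image_path} from .reg text, undoing \\" and \\\\ escapes."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current:
            services[current] = m.group(1).replace('\\"', '"').replace('\\\\', '\\')
    return services

def binary_name(image_path):
    """Extract the executable file name from an ImagePath (quoted or with arguments)."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:path.find('"', 1)]
    else:
        path = path.split(' ')[0]
    return path.rsplit('\\', 1)[-1].lower()

def find_hijacked_services(text):
    """List (service_key, image_path) pairs whose binary is a known trojan name."""
    return [(key, path) for key, path in parse_reg_services(text).items()
            if binary_name(path) in SUSPECT_NAMES]
```

Run it against a real `reg export HKLM\SYSTEM\CurrentControlSet\Services` file to get the list of services to inspect before resetting their paths.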
