Security Incidents mailing list archives
Re: Possible trojaned wlogon.exe?
From: Paul Dokas <dokas () cs umn edu>
Date: Wed, 8 Aug 2001 15:36:07 -0500
On Tue, Jul 31, 2001 at 08:21:30PM -0400, Jim Zajkowski wrote:
On Tue, Jul 31, 2001 at 01:09:22PM -0500, Thompson, John J wrote:Ive been keeping a close eye on the webserver and I just noticed that the processor usage is really high. Since Ive been aware of it (about 2 hours) the following process has been at or around 99% utilization: PID 920 --- wlogin.exeWe saw this on a Win2K machine, along with a process "w.exe". It appears to be a trojan. To remove it: find the WinLogin service in the registry and set its path back to point to "winlogon.exe". Reboot and you can delete wlogin and w. There's a bit more information at deja; I think we searched for "wlogin.exe." --Jim
I found a few Win2K machines with this beastie installed on them. It's BO2K with a custom builtin plugin. If you've got the same one as I did, wlogin.exe is acting as an IRC client, connected to an IRC server (typically irc.icq.com) and sitting on a channel, waiting for commands. The typical usage of this thing is to DDOS people. Paul -- Paul Dokas dokas () cs umn edu ====================================================================== Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
Attachment:
_bin
Description:
Current thread:
- Re: Possible trojaned wlogon.exe? Jim Zajkowski (Jul 31)
- Re: Possible trojaned wlogon.exe? Paul Dokas (Aug 09)