Re: Possible trojaned wlogon.exe?

From: Paul Dokas (dokas@cs.umn.edu)
Date: 08/08/01


Date: Wed, 8 Aug 2001 15:36:07 -0500
From: Paul Dokas <dokas@cs.umn.edu>
To: Jim Zajkowski <jim@jimz.net>
Subject: Re: Possible trojaned wlogon.exe?
Message-ID: <20010808153606.B368@caligula.cs.umn.edu>


On Tue, Jul 31, 2001 at 08:21:30PM -0400, Jim Zajkowski wrote:
> On Tue, Jul 31, 2001 at 01:09:22PM -0500, Thompson, John J wrote:
> > I've been keeping a close eye on the webserver and I just noticed that the
> > processor usage is really high. Since I've been aware of it (about 2 hours)
> > the following process has been at or around 99% utilization:
> > PID 920 --- wlogin.exe
>
> We saw this on a Win2K machine, along with a process "w.exe". It appears
> to be a trojan.
>
> To remove it: find the WinLogin service in the registry and set its path back
> to point to "winlogon.exe". Reboot and you can delete wlogin and w.
>
> There's a bit more information at deja; I think we searched for "wlogin.exe."
>
> --Jim

I found a few Win2K machines with this beastie installed on them. It's
BO2K with a custom builtin plugin. If you've got the same one as I did,
wlogin.exe is acting as an IRC client, connected to an IRC server (typically
irc.icq.com) and sitting on a channel, waiting for commands.

The typical usage of this thing is to DDOS people.

Paul

-- 
Paul Dokas                                            dokas@cs.umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
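A defender-side triage script, added here and not part of the thread, that parses a `reg export` of the Services key and flags entries like the WinLogin service above whose ImagePath points at a winlogon.exe look-alike (or a one-letter binary such as w.exe) instead of the real winlogon.exe. The sample export, the service names Eventlog and w, and the similarity thresholds are constructed assumptions for the example.

```python
import re
from difflib import SequenceMatcher
REAL = "winlogon.exe"  # started by the system itself; never a registered service
# Constructed sample of `reg export HKLM\SYSTEM\CurrentControlSet\Services out.reg`
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinLogin]
"ImagePath"="C:\\WINNT\\system32\\wlogin.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"ImagePath"="%SystemRoot%\\system32\\services.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w]
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,00,79,\
  00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,2e,00,65,00,78,00,65,00,00,00
"""

def parse_image_paths(reg_text):
    """Map service key name -> decoded ImagePath (quoted REG_SZ or hex(2) REG_EXPAND_SZ)."""
    paths, key, buf = {}, None, ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rsplit("\\", 1)[-1]
            continue
        buf += line.rstrip("\\")
        if line.endswith("\\"):
            continue                      # hex value wraps onto the next line
        m = re.match(r'"ImagePath"=(.*)', buf, re.I)
        buf = ""
        if m and key:
            raw = m.group(1)
            if raw.startswith("hex(2):"):  # comma-separated UTF-16LE bytes
                raw = bytes(int(b, 16) for b in raw[7:].split(",") if b).decode("utf-16-le").rstrip("\x00")
            elif raw.startswith('"'):      # quoted string, backslashes doubled
                raw = raw[1:-1].replace("\\\\", "\\")
            paths[key] = raw
    return paths

def suspicious_services(reg_text, threshold=0.7):
    """Return [(service, image name, reason)] for entries that imitate Winlogon."""
    hits = []
    for svc, path in parse_image_paths(reg_text).items():
        m = re.search(r'([^\\/"]+\.exe)', path, re.I)
        exe = (m.group(1) if m else path).lower()
        if max(SequenceMatcher(None, exe, REAL).ratio(),
               SequenceMatcher(None, svc.lower(), REAL[:-4]).ratio()) >= threshold:
            reason = "service or image name imitates Winlogon"
        elif len(exe) <= 6:               # heuristic: one- or two-letter stem
            reason = "very short image name, e.g. w.exe"
        else:
            continue
        hits.append((svc, exe, reason))
    return hits
```

Run it against a real export to get a shortlist for manual review; the similarity heuristic is deliberately loose, so every hit still needs a look at the binary on disk.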
