Re: Possible Trojan.

From: H Carvey
Date: 28 Oct 2003 11:46:30 -0000
Next message: Charles Otstot: "Re: MS Patches Management software: SUS vs 3rd party"

    Comments/questions inline:

    >Have a buddy complaining about his AOL account password being stolen every time he logs onto AOL from his PC at work.

    Did he happen to mention what it is that makes him think this? I ask, simply b/c I do some helpdesk work during my day-to-day activities and very often get really intelligent users who make certain assumptions that, well, are a little off base.

    > I talked him through doing an fport on his box and he sent me the results:

    Given the number of times svchost.exe appears, is this an XP box? I know that by default, the installation path for XP is "Windows", not "Winnt", but I have seen this modified during install by admins.

    >I'm really concerned with the last one:
    >228 winlogon -> 1053 UDP \??\C:\WINNT\system32\winlogon.exe

    That path is legit, for both XP and 2K. You might want to check out the file itself, w/ a 'dir'...on 2K, my file is about 178K in size, whereas on XP it's 430K. I'm guessing that when I get to work and take a look at my system, I might see a similar entry...none of my test boxes are in a domain.

    >I've found some things on the net that say it's legit, I've found others that say it's indicative of a backdoor.

    Do you have links to those sites? Remember, just b/c it's on the Internet doesn't mean it's true... ;-)

    > I ran fport on my box and did not have any entries like that. Does anyone have any information on this? Are there other entries that attract anyone else's attention?

    I don't see anything that really jumps out. I would suggest that you have your buddy get listdlls.exe from and run it, then send you the output. What you'll want to look at is the command line used to launch each process. You can also use tlist.exe from MS...but be sure to get the one that comes in the debugging tools, not the RK.

    Other thoughts...dump the contents of the ubiquitous "Run" keys. Also, you might consider getting a listing of the services and device drivers...I have a Perl script for this, but I don't think that this will be of use to you.

    Finally, go ask your buddy what makes him think that his AOL password is being stolen when he logs on...
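The checks recommended in this reply (map each listening port to its process and command line as fport and listdlls would, inspect the image file behind a suspicious entry, dump the "Run" keys, and list services and drivers) as one added PowerShell triage script. This is an added example, not code from the original post or from any of the tools it names; it assumes PowerShell 4 or later on Windows 8 / Server 2012 or later (for Get-NetTCPConnection, Get-NetUDPEndpoint and Get-FileHash) and an elevated prompt so that owning-process and command-line data are populated. The function names are mine.

```powershell
# Added triage script; not part of the original post. A modern PowerShell
# equivalent of the fport / listdlls / "Run" key / service-and-driver checks
# the reply recommends. Assumes PowerShell 4+, Windows 8 / Server 2012+ and
# an elevated prompt.

function ConvertTo-ImagePath {
    # Normalise the path forms seen in service/driver entries and in tools
    # like fport ("\??\C:\...", "\SystemRoot\...", bare "system32\...",
    # quoted paths, trailing arguments) into a plain file-system path.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = $Raw.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''                   # \??\C:\WINNT\... -> C:\WINNT\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # \SystemRoot\system32\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-ImageFile {
    # The "check the file itself" step: location, size, hash and Authenticode status.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    [pscustomobject]@{
        Path      = $item.FullName
        InSysRoot = $item.FullName.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
        SizeBytes = $item.Length
        SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Get-ListeningEndpoint {
    # fport + listdlls in one table: every listening TCP socket and bound UDP
    # endpoint with the owning process, its image path and its command line.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }
    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; LocalPort = $_.LocalPort; OwningProcess = $_.OwningProcess } }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; LocalPort = $_.LocalPort; OwningProcess = $_.OwningProcess } }
    foreach ($ep in @($tcp) + @($udp)) {
        $p = $procs[[int]$ep.OwningProcess]
        [pscustomobject]@{
            Proto       = $ep.Proto
            Port        = $ep.LocalPort
            ProcessId   = $ep.OwningProcess
            Name        = if ($p) { $p.Name } else { '<unknown>' }
            Image       = if ($p) { ConvertTo-ImagePath $p.ExecutablePath } else { $null }
            CommandLine = if ($p) { $p.CommandLine } else { $null }
        }
    }
}

function Get-RunKeyEntry {
    # Dump the "Run"/"RunOnce" autostart values for the machine and the current user.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # PSPath, PSParentPath, PSChildName, ...
            [pscustomobject]@{ Key = $k; Name = $name; Command = $props.$name }
        }
    }
}

function Get-ServiceAndDriver {
    # Services and kernel drivers with their normalised image paths.
    $svc = Get-CimInstance Win32_Service | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; State = $_.State; Image = ConvertTo-ImagePath $_.PathName } }
    $drv = Get-CimInstance Win32_SystemDriver | ForEach-Object {
        [pscustomobject]@{ Kind = 'Driver'; Name = $_.Name; State = $_.State; Image = ConvertTo-ImagePath $_.PathName } }
    @($svc) + @($drv)
}

function Invoke-HostTriage {
    # Tie it together: flag listeners, autostarts, services and drivers whose
    # image is missing, lives outside %SystemRoot%, or is not validly signed.
    $images = @()
    $images += Get-ListeningEndpoint | ForEach-Object {
        [pscustomobject]@{ Source = "Listener $($_.Proto)/$($_.Port) $($_.Name)"; Image = $_.Image } }
    $images += Get-RunKeyEntry | ForEach-Object {
        [pscustomobject]@{ Source = "Run key $($_.Name)"; Image = ConvertTo-ImagePath $_.Command } }
    $images += Get-ServiceAndDriver | ForEach-Object {
        [pscustomobject]@{ Source = "$($_.Kind) $($_.Name)"; Image = $_.Image } }
    foreach ($i in $images | Where-Object Image) {
        try   { $f = Test-ImageFile -Path $i.Image }
        catch { [pscustomobject]@{ Source = $i.Source; Image = $i.Image; Finding = 'image not found' }; continue }
        $why = @()
        if (-not $f.InSysRoot)        { $why += 'outside SystemRoot' }
        if ($f.SigStatus -ne 'Valid') { $why += "signature $($f.SigStatus)" }
        if ($why) {
            [pscustomobject]@{ Source = $i.Source; Image = $f.Path; SizeBytes = $f.SizeBytes
                               SHA256 = $f.SHA256; Finding = ($why -join '; ') }
        }
    }
}

Invoke-HostTriage | Format-Table -AutoSize
```

The output is a worklist, not a verdict: third-party services and autostarts legitimately live under Program Files, so "outside SystemRoot" on its own is weak, whereas a system-named image such as winlogon.exe running from anywhere but %SystemRoot%\system32, or carrying a signature status other than Valid, is the entry to chase. The SHA256 column is there so the hash can be compared against a known-good copy from an identical build rather than against a file size alone.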


