Security Incidents: Re: Possible trojaned wlogon.exe?

Re: Possible trojaned wlogon.exe?

From: Jim Zajkowski <jim_at_jimz.net>
Date: Tue, 31 Jul 2001 20:21:30 -0400

On Tue, Jul 31, 2001 at 01:09:22PM -0500, Thompson, John J wrote:
> I've been keeping a close eye on the webserver and I just noticed that the
> processor usage is really high. Since I've been aware of it (about 2 hours)
> the following process has been at or around 99% utilization:
> PID 920 --- wlogin.exe

We saw this on a Win2K machine, along with a process "w.exe". It appears
to be a trojan.

To remove it: find the WinLogin service in the registry and set its path back
to point to "winlogon.exe". Reboot and you can delete wlogin and w.

There's a bit more information at deja; I think we searched for "wlogin.exe."

--Jim

-- 
Jim Zajkowski
System Administrator               http://www.jimz.net/pgp-pubkey.asc
ITCS Contract Services     8A9E 1DDF 944D 83C3 AEAB  8F74 8697 A823 2113 5C53

Received on Aug 01 2001