On Tue, Jul 31, 2001 at 08:21:30PM -0400, Jim Zajkowski wrote:
> On Tue, Jul 31, 2001 at 01:09:22PM -0500, Thompson, John J wrote:
> > Ive been keeping a close eye on the webserver and I just noticed that the
> > processor usage is really high. Since Ive been aware of it (about 2 hours)
> > the following process has been at or around 99% utilization:
> > PID 920 --- wlogin.exe
>
> We saw this on a Win2K machine, along with a process "w.exe". It appears
> to be a trojan.
>
> To remove it: find the WinLogin service in the registry and set its path back
> to point to "winlogon.exe". Reboot and you can delete wlogin and w.
>
> There's a bit more information at deja; I think we searched for "wlogin.exe."
>
> --Jim
I found a few Win2K machines with this beastie installed on them. It's
BO2K with a custom builtin plugin. If you've got the same one as I did,
wlogin.exe is acting as an IRC client, connected to an IRC server (typically
irc.icq.com) and sitting on a channel, waiting for commands.
The typical usage of this thing is to DDOS people.
Paul
--
Paul Dokas dokas_at_cs.umn.edu
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
- application/pgp-signature attachment: stored
Received on Aug 09 2001
Intro
