Re: Possible trojaned wlogon.exe?

From: Jim Zajkowski (jimat_private)
Date: Tue Jul 31 2001 - 17:21:30 PDT

Next message: Jim Forster: "Re: CRv3? Or some other ida type"

Previous message: Cisco Systems Product Security Incident Response Team: "UPDATED: Cisco Security Advisory: "Code Red" Worm - Customer Impact"
In reply to: Thompson, John J: "Possible trojaned wlogon.exe?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jul 31, 2001 at 01:09:22PM -0500, Thompson, John J wrote:
> Ive been keeping a close eye on the webserver and I just noticed that the
> processor usage is really high. Since Ive been aware of it (about 2 hours)
> the following process has been at or around 99% utilization:
> PID 920 --- wlogin.exe

We saw this on a Win2K machine, along with a process "w.exe".  It appears 
to be a trojan.

To remove it: find the WinLogin service in the registry and set its path back 
to point to "winlogon.exe".  Reboot and you can delete wlogin and w.  

There's a bit more information at deja; I think we searched for "wlogin.exe."

--Jim

-- 
Jim Zajkowski
System Administrator               http://www.jimz.net/pgp-pubkey.asc
ITCS Contract Services     8A9E 1DDF 944D 83C3 AEAB  8F74 8697 A823 2113 5C53

application/pgp-signature attachment: stored

Next message: Jim Forster: "Re: CRv3? Or some other ida type"
Previous message: Cisco Systems Product Security Incident Response Team: "UPDATED: Cisco Security Advisory: "Code Red" Worm - Customer Impact"
In reply to: Thompson, John J: "Possible trojaned wlogon.exe?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 18:27:09 PDT