On Tue, Jul 31, 2001 at 08:21:30PM -0400, Jim Zajkowski wrote:
> On Tue, Jul 31, 2001 at 01:09:22PM -0500, Thompson, John J wrote:
> > I've been keeping a close eye on the webserver and I just noticed that the
> > processor usage is really high. Since I've been aware of it (about 2 hours)
> > the following process has been at or around 99% utilization:
> >
> > PID 920 --- wlogin.exe
>
> We saw this on a Win2K machine, along with a process "w.exe". It appears
> to be a trojan.
>
> To remove it: find the WinLogin service in the registry and set its path back
> to point to "winlogon.exe". Reboot and you can delete wlogin and w.
>
> There's a bit more information at deja; I think we searched for "wlogin.exe."
>
> --Jim

I found a few Win2K machines with this beastie installed on them. It's BO2K with a custom built-in plugin.

If you've got the same one as I did, wlogin.exe is acting as an IRC client, connected to an IRC server (typically irc.icq.com) and sitting on a channel, waiting for commands.

The typical usage of this thing is to DDOS people.

Paul

--
Paul Dokas
dokasat_private
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."
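A defender-side check for the winlogon masquerade described in this thread, added here as an example; it is not code from the thread or from any of the posters. It assumes the trojan is registered as a service whose image path names wlogin.exe (the "WinLogin service" Jim refers to) and that the genuine binary is %SystemRoot%\System32\winlogon.exe; it only reports findings and changes nothing.

```powershell
# Added example (not from the thread): hunt for wlogin.exe / w.exe posing as winlogon.
# Assumptions: the trojan is installed as a service with a tampered image path, and
# the legitimate winlogon lives at %SystemRoot%\System32\winlogon.exe.
$pattern = '\\(wlogin|w)\.exe\b'                      # suspect binaries named in the thread
$legit   = Join-Path $env:SystemRoot 'System32\winlogon.exe'
$findings = @()

# 1. Services whose image path points at a suspect binary (the re-pointed "WinLogin" service).
foreach ($svc in Get-CimInstance Win32_Service) {
    if ($svc.PathName -match $pattern) {
        $findings += [pscustomobject]@{
            Kind   = 'Service'
            Name   = $svc.Name
            Detail = $svc.PathName
            # Where an admin would restore the path, per the thread's removal advice:
            Fix    = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name) -> ImagePath"
        }
    }
}

# 2. Running processes: a suspect name, or a 'winlogon' whose image is not the real binary.
foreach ($proc in Get-Process) {
    $path = $proc.Path      # may be $null for protected/system processes
    if ($proc.ProcessName -match '^(wlogin|w)$') {
        $findings += [pscustomobject]@{ Kind='Process'; Name="$($proc.ProcessName) (PID $($proc.Id))"
                                        Detail=$path; Fix='Stop only after the service path is restored' }
    } elseif ($proc.ProcessName -eq 'winlogon' -and $path -and $path -ne $legit) {
        $findings += [pscustomobject]@{ Kind='Process'; Name="winlogon (PID $($proc.Id))"
                                        Detail="unexpected image: $path"; Fix='Verify binary' }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No wlogin.exe / w.exe indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run from an elevated prompt so process paths are readable; a hit in the Service row is the condition the thread's removal steps address.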
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 16:07:43 PDT