[unisog] Re: Port 109 Mystery

Buck Buchanan lbuchana at csc.com
Thu Mar 13 14:01:20 GMT 2003


Hi,

Loki <loki at fatelabs.com> writes:

>This may have been something you tried, but looking at that path, it
>looks like fport doesnt know how to interpret the initial dir name. Is
>it an ascii char space ALT-255, etc? Alt-255 directories will not show
>up at all in windows. It looks like someone either copied winlogin.exe
>to another dir and bound it to port 109, or its not winlogin at all, and
>rather, a trojan thats been renamed to winlogin to fool the admin.
...
>>On Wed, 2003-03-12 at 11:54, Douglas Brown wrote:
...
>> 220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe

According to "Developing Windows NT Device Drivers - A Programmer's
Handbook", by Dekker and Newcomer: \??\  is "the directory of all named
devices available for CreateFile".  When a program tries to open C:
\WINNT\system32\winlogon.exe, "C:" is translated to "\??\C:" by the Win32
subsystem.

Since fport normally does not display the "\??\" prefix, I am wondering if
this might be a clue to how winlogon.exe was run.

B Cing U

Buck





More information about the unisog mailing list