[Dshield] Wlogin.exe followup... New bo deployment method?

Thompson, John J ThompsonJJ at mail.medicine.uiowa.edu
Wed Aug 1 14:01:52 GMT 2001


This is for those of you who may be interested in a potentially new method
of BO deployment/execution...

I had wlogin.exe running at 99% utilization...

Several people suggested that it may be backoriface. If it  were, there
would be a wlogin.exe file running as a service and a w.exe file in
root\java. 
http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%
3D75%2 6mid%3D196436
This is the case. Im currently looking for a way to remove it. 

Of course, Im not sure when this got on my server. We have had the black ice
defender workstation version on this server since it was built, and server
agent  on for the past 6 days or so. It seems like black ice should have
detected this... NAV 2001 didn't either (not even after clean install.)

I downloaded the bo client, and tried to connect and it was detected by
black ice  and I was unable to connect... The traffic seems to be coming
from my server  through netstat as SYN_SENT for about 10sec. As soon as
black ice and IRIS (packet  sniffer) loads, the connection changes to
CLOSE_WAIT. This may be a new method for  bo usage? This seems odd... So Im
going to try to figure more out. It may have  been in conjunction with code
red, but that's a speculation at this point.  Since  its not sending out any
net traffic, Im going to leave it running on the server to do forensics.

Did search for wlogin.exe in registry. Found it:

hkey_cur_user\software\microsoft\internet explorer\explorer
bars\{c4ee...\FilesNamedMRU\000 of type REG_SZ with data"wlogin.exe"

hklm\system\controlset001\services\winlogin\imagepath of type REG_EXPAND_SZ
data"C:\winnt\system32\wlogin.exe"

hklm\system\controlset002\services\winlogin\imagepath of type REG_EXPAND_SZ
data"C:\winnt\system32\wlogin.exe"

hklm\system\currentcontrolset\services\winlogin\imagepath of type
REG_EXPAND_SZ  data"C:\winnt\system32\wlogin.exe"

hkey_users\<SID>\Software\Microsoft\InternetExplorer\Explorer
Bars\{c4ee..\Filesnamedmru\000 of type REG_SZ with data"wlogin.exe"

Not where I thought it would be...

Additionally, there may be an irc bot running, but Im waiting to hear how to
find and deal with that. I noticed a lot of irc related traffic in my iis
logs.




------------------------------------
John Thompson
Network Administrator
Dept. of Biochemistry
University of Iowa




More information about the list mailing list