wminotify.dll Trojan Cleaning Method

Source: Internet
Author: User
Tags: mstsc

Today, many so-called hackers have no scruples at all. As soon as there is the slightest profit in it, they pounce like flies on dung.
After half a year of hard work, the website had finally started to improve, and then the night-shift thieves arrived, bringing trojans and viruses.
Checking the server, I found a Winlogon directory under C:\Documents and Settings\All Users\Documents\My Music containing:
Install.bat
On.reg
wminotify.dll
Uninstall.bat
Readme.txt
Opening install.bat and on.reg shows the registry key they write:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wminotify
Readme.txt makes it clear that this is a trojan that records the administrator password: as soon as Administrator logs on over 3389, the password is recorded.
Since the readme spells this out, uninstalling is easy: just run uninstall.bat. If you want to be sure, clear it manually:
Delete the file C:\Windows\System32\wminotify.dll
Delete the startup entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wminotify
Do not forget to delete or rename the Winlogon directory as well.

A Baidu search shows that this is the WinlogonHack trojan. The original article follows:

System Password Acquisition Tool: WinlogonHack

I. Remote Terminal Password Leakage Analysis

1. The latest remote terminal technology: RemoteApp
Large enterprises generally deploy remote terminals. Microsoft's latest server operating system, Windows Server 2008, puts particular emphasis on terminal services: Terminal Server RemoteApp is a new way of presenting remote applications in Windows Server 2008, some remote connection parameters have been adjusted, new features have been added, and performance is said to have improved greatly as well.

2. Remote terminal password leakage analysis
In large networks, because the environment is complex, servers are usually maintained and managed through remote terminals. Such management has no fixed direction and is mostly divergent: one host may log on to many hosts, many hosts may log on to the same host, or logons may cross over chaotically. After intruding into one host on the network, an attacker will certainly look for ways to collect the names and passwords of remote terminal logon users inside the network, or between independent external hosts. There are three collection methods:

(1) Use tools such as GetHashes and Pwdump to obtain the system's password hashes, then crack them with LC5 and rainbow tables; these passwords are very likely also the remote terminal passwords.

(2) Install a keylogger on the controlled computer and use it to capture the user name and password typed when logging on to the 3389 remote terminal. This method has certain limitations: when the remote terminal window is maximized, the keylogger may fail to record the remote terminal logon password.

(3) Use the WinlogonHack tool to intercept the correct password entered during remote logon. This is the focus of this article. Besides these three methods there are, of course, other leakage paths as well.


II. How does WinlogonHack intercept passwords?

1. Gina.dll and Msgina.dll
Interactive logon support in NT/2000 is implemented by WinLogon calling Gina.dll. Gina.dll provides the interactive interface that handles authentication requests for user logon; WinLogon interacts with Gina.dll, and the default is msgina.dll (in the System32 directory). Microsoft also exposes an interface for this, so a custom Gina.dll can be written to replace Msgina.dll.

For whatever reason, Microsoft's Gina.dll no longer appears in Windows XP and later versions; the original Gina.dll became Msgina.dll (the "ms" marking it as Microsoft's). In Windows XP the default msgina.dll is 967,680 bytes (945 KB); in Windows 2003 it is 1,180,672 bytes (1153 KB). If the size differs, there is probably a problem.

2. A damaged or modified Msgina.dll causes serious errors
The DLL knowledge base (http://www.dofile.com/dlllibrary/msgina/) describes it as follows: msgina.dll is the Windows logon authentication policy module that implements all user logon and verification functions. If the file is modified or damaged, the system can no longer be logged on to over 3389. As shown in Figure 1, with this system's msgina.dll damaged, users cannot log on remotely to the 3389 terminal server.

3. How WinlogonHack intercepts passwords
WinlogonHack records the logon account password through the WlxLoggedOutSAS function of the system's msgina.dll. WinLogon creates three desktops during initialization:

(1) Winlogon desktop: displays Windows security and similar interfaces, such as the logon interface reached by pressing CTRL+ALT+DEL.
(2) Application desktop: the desktop we normally see (My Computer and so on).
(3) Screen saver desktop: the screen saver display.

By default, Gina.dll or Msgina.dll displays the logon dialog box in which the user name and password are entered. To obtain them, a new Gina.dll or Msgina.dll can be written; the msgina.dll function that provides this interface is WlxLoggedOutSAS. WinlogonHack starts from a Winlogon notification package: when a 3389 connection to the server arrives, the newly created winlogon.exe loads the registered "Startup" DLL before logon, the DLL hooks the function, and after a successful logon it records the password to the boot.dat file and removes the hook. After the 3389 session ends, the DLL file can be deleted. In the implementation, this relies on the first five bytes of WlxLoggedOutSAS in msgina.dll being:
    mov edi, edi
    push ebp
    mov ebp, esp
These five bytes are the standard hot-patchable function prologue that Microsoft compiles into its system DLLs.

III. Using WinlogonHack to obtain a password: an instance

Before WinlogonHack, a Gina trojan was used to intercept passwords on Windows 2000. WinlogonHack is aimed mainly at Windows XP and Windows 2003 Server.

1. Run the install.bat installation script
One way is to copy the WinlogonHack files Hookmsgina.dll, install.bat, On.reg and ReadLog.bat into the same folder and run install.bat from the DOS prompt or the GUI. No restart is needed after it completes: when a 3389 session is established, the DLL is loaded automatically and the logon password is logged. The log is saved as boot.dat in the system's system32 directory. Another way is to put all the files in one folder and then run the install command; output like that in Figure 2 indicates the installation succeeded.

2. View the password records
You can open boot.dat directly, or run the ReadLog.bat script to move the password file to the current directory. In this example the operating system is Windows 2003 Server; in a Radmin telnet session, run "dir boot.dat /a" to check whether anyone has logged on remotely, as shown in Figure 3: boot.dat is 5762 bytes. Use "type boot.dat" to view the logged logon time, user, domain name, password and old password; two passwords are recorded so that a user's password change is captured.

3. Uninstall WinlogonHack
Run Uninstall.bat to uninstall the program automatically. If the "%systemroot%\system32\wminotify.dll" file cannot be deleted, restart and then delete it.

IV. Attack and prevention methods

1. Attack methods
(1) Customized development
WinlogonHack's code is open source, so intruders can customize it: for instance, replacing boot.dat in the code's lstrcat(LogPath, "\\boot.dat"); with another file name makes a running WinlogonHack hard to find. Intruders can also add a mail-sending function that sends the recorded 3389 remote terminal user names and passwords to a designated mailbox; during security hardening work, the author has encountered a 3389 password interception trojan with exactly this function.

(2) Anti-virus detection and removal of WinlogonHack
Since the WinlogonHack tool plays an important auxiliary role in network intrusion, some stronger anti-virus products automatically kill the wminotify.dll file, as shown in Figure 4: during testing, my avast! anti-virus detected it and handled it as a virus. The wminotify.dll file can therefore be modified, by adding instructions and altering its signature, so that it bypasses anti-virus software.

(3) Use of WinlogonHack in attacks
The WinlogonHack tool is mainly used to intercept 3389 logon passwords. So, after running mstsc on a compromised computer, if multiple logon IP addresses are listed in the mstsc address bar, as shown in Figure 5, it is worthwhile for the intruder to install WinlogonHack on that computer to record the 3389 user names and passwords the administrator uses to log on to the servers.

2. Preventive methods
(1) Look for the wminotify.dll file in the system directory. If it is present, the WinlogonHack tool is installed on the system. You can also log on to the 3389 terminal and check whether a boot.dat file exists in the system directory. If so, try the Uninstall.bat batch file to remove it; if it cannot be uninstalled, restart and uninstall again.

(2) Check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wminotify. If it exists, delete it.

(3) A customized WinlogonHack is difficult to eradicate. A good solution is to save the list of file names while the system is in a known-good state, and later compare the current file list against it to find the differences.

(4) If you use the 3389 remote terminal to log on to and manage multiple servers, it is best to clear the 3389 logon address list promptly after finishing.

(5) Run anti-virus regularly; anti-virus software guards against some known viruses to a certain extent, so scan diligently and read the logs. Once you confirm the system has been intruded, be sure to perform a careful and thorough security check of the whole system.
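The checks in (1) to (4) as one script, added here as an example and not part of the original article or the WinlogonHack package: the wminotify.dll, boot.dat and Winlogon\Notify names are the ones given above, while the mstsc MRU key (a standard location the page does not mention) and the tab-separated baseline file format are my assumptions.

```powershell
# Added example (not from the article or WinlogonHack): artifact checks for (1) and (2),
# the full Winlogon notification package list, the mstsc address list from (4), and the
# file baseline comparison from (3). The mstsc key and baseline format are assumptions.
$sys32     = Join-Path $env:SystemRoot 'System32'
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$mstscKey  = 'HKCU:\Software\Microsoft\Terminal Server Client\Default'
function Get-FileSha256 {
    param([string]$Path)
    $fs = $null
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        ([BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($fs))) -replace '-', ''
    } catch { 'UNREADABLE' } finally { if ($fs) { $fs.Close() } }
}
# Every notification package winlogon.exe loads (XP/2003; the key is absent on Vista and later) and
# the DLL it names; anything not Microsoft's (wlnotify.dll, sclgntfy.dll, ...) deserves a look.
function Get-WinlogonNotifyPackages {
    Get-ChildItem $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{ Package = $_.PSChildName; DllName = $p.DllName; Startup = $p.Startup }
    }
}
# The two artifacts the article names. boot.dat is written as a hidden file, hence -Force.
function Test-WinlogonHackArtifacts {
    foreach ($name in 'wminotify.dll', 'boot.dat') {
        $f = Get-Item (Join-Path $sys32 $name) -Force -ErrorAction SilentlyContinue
        if ($f) { "FOUND: $($f.FullName) ($($f.Length) bytes, last written $($f.LastWriteTime))" }
    }
}
# mstsc keeps recently used hosts as MRU0..MRU9 under this key: the list (4) says to clear.
function Get-MstscHistory {
    $p = Get-ItemProperty $mstscKey -ErrorAction SilentlyContinue
    if ($p) { $p.PSObject.Properties | Where-Object { $_.Name -like 'MRU*' } | ForEach-Object { $_.Value } }
}
# Baseline by hash rather than by name, so a patched msgina.dll or a renamed log file shows up too.
function Export-System32Baseline {
    param([string]$Out)
    Get-ChildItem $sys32 -Force | Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { "$($_.Name)`t$(Get-FileSha256 $_.FullName)" } | Set-Content $Out
}
function Compare-System32Baseline {
    param([string]$Baseline)
    $old = @{}
    Get-Content $Baseline | ForEach-Object { $n, $h = $_ -split "`t"; $old[$n] = $h }
    foreach ($f in (Get-ChildItem $sys32 -Force | Where-Object { -not $_.PSIsContainer })) {
        if (-not $old.ContainsKey($f.Name)) { "NEW:      $($f.Name)" }
        elseif ($old[$f.Name] -ne (Get-FileSha256 $f.FullName)) { "MODIFIED: $($f.Name)" }
    }
}
```

Run Export-System32Baseline once while the server is known to be clean and Compare-System32Baseline afterwards; the other three functions need no baseline and can be run at any time.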

The ESET installed on my server can also detect and kill it. It seems installing anti-virus software on servers is necessary after all.
