11 May 2007 13:26 GMT
Logon to malware
The beginning:
“Once upon a time, a week ago,”
“There began a tale of woe.”
“A multi-component Trojan, clever as can be,”
“Winlogon was its target, as we shall see.”
The Trojan:
“Winlogon, Winlogon, where art thou?”
“I want you to run my DLL now.”
“You may run, you may hide,”
“Once infected, my command you shall abide.”
The infected user:
“Winlogon is connecting to Estonia, I see,”
“Infected Winlogon? Could it be?”
“Oh, to have a computer free of pain,”
“If only I could log in with confidence again.”
SophosLabs:
“An infected Winlogon you say?”
“Don’t worry, we can make the problem go away.”
“Let’s write disinfection quick, quick, quick,”
“Then SAV6 and a reboot will do the trick.”
The end:
“And so ended a tale of woe,”
“Troj/WLHack-A and Troj/WLHack-C no more.”
“No doubt further variants we shall find,”
“Not yet can we have peace of mind.”
SKM, SophosLabs UK
