Re: Is winlogon.exe a virus and WinLogon.exe a windows utility?
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Sat, 11 Jun 2005 10:29:51 -0400
From: "Pyramid 36" <Pyramid36@xxxxxxxxxxxxxxxxxxxxxxxxx>
| I've been seeing winlogon.exe running and was not sure what it was. I found
| an answer on www.liutilities.com that has me puzzled. The site describes a
| possible relationship between winlogon and WinLogon as follows:
|
| Process File: winlogon or winlogon.exe
| Process Name: Microsoft Windows Logon Process
|
| Description:
| WinLogon.exe is the Windows NT login manager. It handles the login and
| logout procedures on your system. This process is an essential part of your
| OS and should be left alone. Note: winlogon.exe is a process which is
| registered as the W32.Netsky.D@mm worm. This virus is distributed via the
| Internet through e-mail and comes in the form of an e-mail message, in the
| hopes that you open its hostile attachment. The worm has its own SMTP
| engine which means it gathers E-mails from your local computer and
| re-distributes itself. In worst cases this worm can allow attackers to access
| your computer, stealing passwords and personal data. It is a registered
| security risk and should be removed immediately. Please see additional
| details regarding this process"
|
| If I read the above correctly, it is saying that a process called winlogon.exe
| without the caps found in WinLogon.exe is the virus.
|
| I'd like some clarification and/or verification of the above, if possible.
|
| Pyramid36
The file name WinLogon.exe is the same as winlogon.exe and the two can not exist in the same
folder. Windows treats filenames using uppercase and lowercase names the same (unlike
Unix). Therefore, for two files to be the same name and to be different, they *must* be in
different folders.
The legit version should be: %windir%\system32\WINLOGON.EXE
{ other copies/versions may be in 'i386' or 'ServicePack' folders }
If you find WINLOGON.EXE in %windir% or some other folder such as
%WinDir%\MSAGENT\WIN32\WINLOGON.EXE then you should be suspicious of it!
The Netsky puts WINLOGON.EXE in the %windir% folder --
http://vil.nai.com/vil/content/v_101048.htm
So does the following...
PosX -- http://vil.nai.com/vil/content/v_100801.htm
StartPage-EK -- http://vil.nai.com/vil/content/v_127317.htm
The Sober worm puts WINLOGON.EXE in the folder %WinDir%\MSAGENT\WIN32
W32/Sober.l@MM -- http://vil.nai.com/vil/content/v_131869.htm
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
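
The location check described in the reply above, as an added Python example that is not part of the original post: it compares paths the way Windows does (case-insensitively, after resolving `..`) and flags any winlogon.exe outside %windir%\system32. The function names, the default `C:\WINDOWS` value, the sample paths and the loose matching of 'i386'/'ServicePack' folder names are assumptions made for illustration.

```python
import ntpath
import re

TARGET = "winlogon.exe"
EXPECTED_DIR = r"%windir%\system32"          # location given in the reply


def canonical(path, windir):
    """Expand %windir% (any case), resolve '..', and fold case like Windows."""
    expanded = re.sub(r"%windir%", lambda _m: windir, path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(expanded))


def classify(path, windir=r"C:\WINDOWS"):
    """Return 'expected', 'install-copy', 'suspicious' or 'not-winlogon'."""
    folder, name = ntpath.split(canonical(path, windir))
    if name != TARGET:
        return "not-winlogon"
    if folder == canonical(EXPECTED_DIR, windir):
        return "expected"
    # Assumption: the reply only names 'i386' or 'ServicePack' folders, so any
    # path component that is 'i386' or starts with 'servicepack' is treated as
    # a stored copy on disk.
    if any(p == "i386" or p.startswith("servicepack") for p in folder.split("\\")):
        return "install-copy"
    return "suspicious"


def report(paths, windir=r"C:\WINDOWS"):
    """Classify every path and return (path, verdict) pairs."""
    return [(p, classify(p, windir)) for p in paths]


# Constructed sample paths, not taken from a real system.
SAMPLE = [
    r"C:\WINDOWS\system32\winlogon.exe",
    r"c:\windows\SYSTEM32\WinLogon.exe",              # same file, different case
    r"%windir%\WINLOGON.EXE",                         # location named for Netsky
    r"%WinDir%\MSAGENT\WIN32\WINLOGON.EXE",           # location named for Sober
    r"C:\WINDOWS\system32\..\winlogon.exe",           # resolves to %windir%
    r"C:\WINDOWS\ServicePackFiles\i386\winlogon.exe",
]

if __name__ == "__main__":
    for path, verdict in report(SAMPLE):
        print(f"{verdict:13} {path}")
```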