BleepingComputer.com: A Sheep In Wollfs Clothing?

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

A Sheep In Wollfs Clothing?

#1 User is offline   David H. 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 4
  • Joined: 26-March 08

Posted 26 March 2008 - 05:38 AM

HI!! Nice to be here. I am a bit of a newbee, and this is my first post here - so please bear with me!

In a nutshell; I did a process scan and came up with a suspect process: wininit.exe, supposedly added to the system as a result of the WOLLF.16 virus. Then I checked Symantic, and they're talking about all these nasties! - Will allow unauthorized access to computer, is a keylogger, and the like! Then I came across someone saying that it's a normal part of windows vista, now I'm all confused :huh: .
So I started my process explorer (I do know enough to have one!) and checked out wininit.exe. I asked it to verify the process and this was the result:

Windows Start-Up Application
(Verified) Microsoft Windows
C:\Windows\system32\wininit.exe

Now don't tell me that muckrosoft named a vista app. after a known virus!! Even if they didn't I've nearly had it with microsoft anyhow, I should not have ventured back out of my little Ubuntu Linux world (I run a duel boot system), it was peaceful there. Maybe a full Linux install is in order...

#2 User is offline   DaChew 

  • Visiting Alien
  • PipPipPipPipPipPip
  • Find Topics
  • Group: BC Advisor
  • Posts: 10,313
  • Joined: 20-May 07
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 26 March 2008 - 05:46 AM

Quote

The file winnit.exe is associated with RBot infections and is found in this location C:\Windows\System32\winnit.exe (for XP and Vista).

Note the two names are very similar wininit.exe and winnit.exe This is no coincidence, Malware writers often choose file names which are very similar to the names of legitimate files in the hope that they will be overlooked.


from a malware expert
Chewy

No. Try not. Do... or do not. There is no try.

#3 User is offline   Juha 

  • Senior Member
  • PipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 512
  • Joined: 09-November 07
  • Gender:Male
  • Location:England

Posted 26 March 2008 - 06:04 AM

Just for more information:

>>> 'wininit.exe' (C:\Windows\System32\wininit.exe)- This is an undesirable program
BleepingComputer

>>> Microsoft TechNet

Another link: http://forums.majorgeeks.com/showthread.php?p=1128093

This post has been edited by Juha: 26 March 2008 - 06:08 AM

#4 User is offline   DaChew 

  • Visiting Alien
  • PipPipPipPipPipPip
  • Find Topics
  • Group: BC Advisor
  • Posts: 10,313
  • Joined: 20-May 07
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 26 March 2008 - 08:40 AM

from your link

For Vista wininet.exe is valid if in the system32 folder.
Chewy

No. Try not. Do... or do not. There is no try.

#5 User is offline   David H. 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 4
  • Joined: 26-March 08

Posted 26 March 2008 - 09:46 AM

Now I am getting a clue. From just following up on the two replies so far I have deduced that wininit.exe in sys32 is not malware on Vista. There was a false positive due to apparent misinformation: http://www.bleepingcomputer.com/startups/w....exe-14276.html. This links to a vendor trying to sell/expose their software and of course is suspect in my book. Weather or not it used to be malware - like winnit.exe is -, well, I'll let others decide. I hope to hear more about this as it is proving to be a fascinating topic for me!
I'm glad I found this site!

Your geek-in-training
David

#6 User is offline   usasma 

  • Still visually handicapped, new avatar (a camel) :0)
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 16,689
  • Joined: 02-October 05
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 27 March 2008 - 06:54 AM

In general, the wininit.exe file (exact spelling is important) that's located in the C:\Windows\System32 folder is legitimate. To verify this you can either run SFC.EXE /SCANNOW, or you can submit a copy to http://virusscan.jotti.org for analysis.

Malware writers have several options to fool you tho':
1) they can slightly misspell the name (such as winnit.exe)
2) they can put it elsewhere (such as in the C:\Windows directory)
3) they can replace your legitimate copy of wininit.exe with their bad copy (not very easy to do, but it is possible).
4) they can "hook" into the legitimatewininit.exe process and cause it to launch other malware (such as replacing explorer.exe with their own version).
5) and I'm sure there are other ways that I'm not familiar with.
- John
**If you need a more detailed explanation, please ask for it. I have the Knack. **

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users