Asset Management Suite

Looking to block loginw.exe (part of Altiris Deployment Suite) found as part of some malicious code found on one of our computers

    Posted Jul 08, 2019 12:02 PM

    We found an application which was somewhat difficult to decode/reverse engineer but we were able to reverse engineer some comments. 
      *.pwl   help             loginw version 2.2.2
    Copyright © 2005-2007 Altiris, Inc. All Rights Reserved.

    Usage: loginw has 4 modes: Authenticate mode, Ping mode, IP mode, Generate mode

    Authenticate mode (authenticate network connection):
            loginw [-f "pwlFile[;...]"] -c "computer[;...]" -d "domain" [-t seconds] [-e [all]] [-u] [-r] [-v]
    -f pwlFile[;pwlFile2;...] = filename(s) of password file(s)
    -c computer[:pwlFile][;computer2[:pwlFile2];...] = computer(s) (or ip address) to connect to
    -d domain = name of domain to connect to
    -t seconds = number of seconds to try to authenticate (%d sec)
    -e [all | any] = all: process all then return (default) | any: return immediately if any fails
    -u = prompt for username and password on connect failure
    -r = reconnect existing connections
    returns 0 on success
    returns windows system error code on failure

    Ping mode (test for valid IP address):
            loginw -p [-192.168;172 | +172;10.12.131.17] [-w seconds] [-e any] [-a "file"] [-i] [-v]
    -p = test local IP address
    -nnn;nnn... = test with exclude list (eg. -169;192.168)
    +nnn;nnn... = test with include list (eg. +192.168;169;172.16.100.100)
    -w seconds = number of seconds to try to test (%d sec)
    -e [all | any] = all: process all then return | any: return immediately if any fails (default)
    -a [file] = write adapter list to file; if file is empty write to screen
    -i = return ip (32 bit signed value) on success, 0 on failure
    returns 0 on success
    returns 1 if no ip address could be bound to an existing adapter
    returns 2 if no adapters were found

    IP mode (return IP address):
            loginw -i [-w seconds] [-a "file"]
    -i = return IP address
    -w seconds = number of seconds to try to get address (%d sec)
    -a [file] = write adapter list to file; if file is empty write to screen
    returns the ip address (32 bit signed value) on success
    returns 1 if no ip address could be bound to an existing adapter
    returns 2 if no adapters were found

    Generate password file mode:
            loginw -g "username:password" [-f "pwlFile"]
    -g username:password = username and password
    -f pwlFile = file to generate; if missing use username as filename
    returns 0 on success
    returns 1 on invalid or missing username
    returns 2 on error

    All modes:
    -v = verbose mode (show message boxes on failure)


    This code goes along with the .bat file that was trying to use these commands to push a .pwl file (found on the same machine) to a server on our network. I tried to be a bit cryptic on my last post saying "what would we need to unblock on a firewall to make loginw.exe work" but it seems that that .exe uses basic ports that wouldn't be possible to block on most networks without disrupting all other services. Is there a way to block this that any of you may know of?