30 Aug 2000 20:47:06 -0000
From: 	[email protected]

          FakeGINA, the integrated Trojan
--------------------------------------------------------------------------------


DETAILS

FakeGINA intercepts the communication between Winlogon and the normal GINA 
(Windows NT authentication layer), and while doing this it captures all 
successful logins (domain, username, password) and writes them to a text 
file. 

How do I use this tool?
Download the zip file and extract the DLL. Copy it to the system32 
directory (on most systems c:\winnt\system32). Next start regedt32 and go 
to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon". Look for a value called "GinaDLL". If this 
value exists and contains something other than "msgina" or "msgina.dll", 
please do not continue the installation process. If the value doesn't 
exist, create "GinaDLL" as a "REG_SZ" and set it to "fakegina.dll". If it 
does exist and is "msgina" or "msgina.dll", then change it to 
"fakegina.dll". The next time the system is rebooted, FakeGINA will start 
to capture passwords into the text file "passlist.txt", which will be 
located in the system32 directory. 
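
A defender's check for the registry change described above, as an added example that is not part of the original bulletin or the tool: it reads the decoded text of a .reg export of the Winlogon key and flags any GinaDLL value other than the two stock strings. The function names and sample exports are constructed for illustration, and the export is assumed to include the Winlogon key.

```python
import re

# Key and stock values exactly as the bulletin names them.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
STOCK_GINA = {"msgina", "msgina.dll"}

def read_gina_value(reg_text):
    """Return the GinaDLL data from decoded .reg export text, or None if absent."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key and value names are case-insensitive in the registry.
            in_key = line[1:-1].lower() == WINLOGON_KEY.lower()
            continue
        m = re.match(r'"GinaDLL"=(.*)$', line, re.IGNORECASE) if in_key else None
        if not m:
            continue
        data = m.group(1)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            # REG_SZ: .reg files escape backslash and quote with a backslash.
            return re.sub(r"\\(.)", r"\1", data[1:-1])
        return data  # non-string type such as hex(2): is kept raw and gets flagged
    return None

def classify_gina(reg_text):
    """Return (verdict, reason); verdict is 'ok' or 'review'."""
    value = read_gina_value(reg_text)
    if value is None:
        return ("ok", "GinaDLL not set, Winlogon uses the stock GINA")
    if value.strip().lower() in STOCK_GINA:
        return ("ok", "GinaDLL is the stock value %r" % value)
    # Anything else, including a full path that ends in msgina.dll, replaces the
    # stock GINA and must be traced to a known product or treated as an implant.
    return ("review", "GinaDLL is %r: identify the DLL and look for capture files" % value)

# Constructed sample exports (not taken from a real host).
SAMPLE_CLEAN = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''
SAMPLE_TAMPERED = SAMPLE_CLEAN + '"GinaDLL"="fakegina.dll"\n'

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(name, classify_gina(text))
```

A "review" verdict on a host is the cue to also look in the system32 directory for the "passlist.txt" file the bulletin mentions.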

I already have to be an Administrator to install FakeGINA, so what is it 
useful for? 
FakeGINA shows at least one very important thing - one should never use 
the same password on more than one system. If one system is compromised, 
the attacker might use something like FakeGINA to capture all the 
passwords, and then use them against other systems. 


ADDITIONAL INFORMATION

To download the tool, go here.

The tool has been provided by Arne Vidstrom.



======================================== 
DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.