Event ID - 1081

Port No: 1081
Service Name: WINGATE
RFC Doc: 0
Protocol: TCP
Description: This Windows executable serves as a backdoor program. Using this malware, a remote user can configure a target machine so that it is shared with full access. The following can then be done remotely on the compromised machine:
Execute any program
Get data or files, including password files and address books
Delete important files or data
Reference Link: WINGATE
Attack Details:

This backdoor malware is a Portable Executable (PE) program that usually arrives UPX-compressed. Upon execution, it displays the following error message, which states that it is the Wingate program running under an expired license:
Title: WinGate License Failure
Message Body: This copy fo WinGate is unlicensed, or the license has expired. WinGate will not operate without a valid license. Consult the help file for information on licensing WinGate
This backdoor program uses port 23 to facilitate its malicious routine. It has three components, namely:
MMTASK.EXE
SETTINGS.REG
VMLOAD.VXD
MMTASK.EXE is the UPX-compressed copy of the WinGate program, which is a legitimate Windows 9x/NT utility for modem-sharing across Local Area Networks. Using MMTASK, a machine may be shared with full access, making it vulnerable to hacking attacks.
SETTINGS.REG is a registry file that contains the settings for sharing a target machine with full access.
VMLOAD.VXD loads MMTASK.EXE so that this backdoor runs every time a target machine starts up.
If any one of the above components is not present, this backdoor program does not execute properly.
