Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: strange software > winsupdater.exe

from [Mike Barushok] Network Security [Permanent Link]
Subject: Re: strange software > winsupdater.exe
Date: Wed, 16 Mar 2005 14:50:30 -0600 (CST) 

I found this:
 http://sandbox.norman.no/live_5.html?logfile=105241&menulang=

With details including:
Report created: 03.03.2005 15:52:11 

Automatic Sandbox analysis of unknown malware (W32/Malware)
[ General information ]
* **Locates window "NULL [class mIRC]" on desktop.
* File length: 130048 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\winsupdater.exe.
* Deletes file 1.

[ Changes to registry ]
* Creates value "Windows pack service"="winsupdater.exe" in key 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Windows pack service"="winsupdater.exe" in key 
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates key "HKCU\Software\Microsoft\OLE".
* Sets value "Windows pack service"="winsupdater.exe" in key 
"HKCU\Software\Microsoft\OLE".
* Sets value "restrictanonymous"="" in key 
"HKLM\System\CurrentControlSet\Control\Lsa".

  (character between quotes, after equals sign, could not be pasted)


[ Network services ]
* Looks for an Internet connection.
* Connects to "box1.servepics.com" on port 5525 (TCP).
* Connects to IRC Server.
* Attempts to delete share named "IPC$" on local system.
* Attempts to delete share named "ADMIN$" on local system.
* Attempts to delete share named "C$" on local system.
* Attempts to delete share named "D$" on local system.

   (there is more, I did not quote the entire page, since I would not want
    anyone quoting an entire page of mine without permission).

Hope this helps.

On Tue, 15 Mar 2005, SDA wrote:


Hi:

We are looking at an abnormal program named "winsupdater.exe" and we are
having trouble installing antispyware software on the infected computers,
and the antivirus is not detecting the malware.
We were able to disable it manual trough regedit, were it leaves a key entry
in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run named
"Microsoft Window Updater", but anyone knows if this is a new virus or
spyware?

Esteban Lara
Director de IT
Soluciones Digitales de Almacenamiento S.A.




--

Mike Barushok
Senior Security Administrator
KeyCreations.com/KCISP.net/ispKansas.com
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: strange software > winsupdater.exe, Jim Harrison (ISA)
Next by Date:  Re: strange software > winsupdater.exe, Justin
Previous by Thread:  RE: Pubstro rash, David Gillett
Next by Thread:  Re: strange software > winsupdater.exe, Harlan Carvey
Indexes:  [Date] [Thread] [Top] [All Lists]