RE: strange software > winsupdater.exe

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 03/16/05

  • Next message: dave_mikesch_at_baxter.com: "Re: strange software > winsupdater.exe"
    Date: Wed, 16 Mar 2005 09:16:48 -0800 (PST)
    To: "Jim Harrison (ISA)" <jmharr@microsoft.com>, sda-cr@racsa.co.cr, incidents@securityfocus.com
    
    

    Jim,

    Is your analysis based solely on the name of the file
    given by the OP?

     
    --- "Jim Harrison (ISA)" <jmharr@microsoft.com> wrote:
    > Sounds like it might be a variant of Gaobot:
    >
    > http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.bi.html
    >
    > Jim Harrison
    > Security Business Unit (ISA SE)
    > "I have seen the suitcase in the trash and lived to
    > tell the tale"
    >
    > -----Original Message-----
    > From: sda-cr@racsa.co.cr [mailto:sda-cr@racsa.co.cr]
    > Sent: Tuesday, March 15, 2005 12:39 PM
    > To: incidents@securityfocus.com
    > Subject: strange software > winsupdater.exe
    > Importance: High
    >
    > Hi:
    >
    > We are looking at an abnormal program named "winsupdater.exe" and we are
    > having trouble installing antispyware software on the infected computers,
    > and the antivirus is not detecting the malware.
    > We were able to disable it manually through regedit, where it leaves a key
    > entry in
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    > named "Microsoft Window Updater", but does anyone know if this is a new
    > virus or spyware?
    >
    > Esteban Lara
    > Director de IT
    > Soluciones Digitales de Almacenamiento S.A.

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------

