RE: strange software > winsupdater.exe

From: Jim Harrison (ISA) (jmharr_at_microsoft.com)
Date: 03/16/05

  • Next message: Mike Barushok: "Re: strange software > winsupdater.exe"
    Date: Wed, 16 Mar 2005 09:27:20 -0800
    To: "Harlan Carvey" <keydet89@yahoo.com>, <sda-cr@racsa.co.cr>, <incidents@securityfocus.com>
    
    

    Hi Harlan,

    Yes; and the regkey name where it's found.
    Granted these are hardly definitive clues, but they at least provide a
    starting point for the search.

    It could also be as simple (and cruel) as a practical joke, but let's
    hope not.

    Jim Harrison
    Security Business Unit (ISA SE)
    "I have seen the suitcase in the trash and lived to tell the tale"

    -----Original Message-----
    From: Harlan Carvey [mailto:keydet89@yahoo.com]
    Sent: Wednesday, March 16, 2005 9:17 AM
    To: Jim Harrison (ISA); sda-cr@racsa.co.cr; incidents@securityfocus.com
    Subject: RE: strange software > winsupdater.exe

    Jim,

    Is your analysis based solely on the name of the file
    given by the OP?

     
    --- "Jim Harrison (ISA)" <jmharr@microsoft.com> wrote:
    > Sounds like it might be a variant of Gaobot:
    >
    > http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.bi.html
    >
    > Jim Harrison
    > Security Business Unit (ISA SE)
    > "I have seen the suitcase in the trash and lived to
    > tell the tale"
    >
    > -----Original Message-----
    > From: sda-cr@racsa.co.cr [mailto:sda-cr@racsa.co.cr]
    > Sent: Tuesday, March 15, 2005 12:39 PM
    > To: incidents@securityfocus.com
    > Subject: strange software > winsupdater.exe
    > Importance: High
    >
    > Hi:
    >
    > We are looking at an abnormal program named "winsupdater.exe" and we are
    > having trouble installing antispyware software on the infected computers,
    > and the antivirus is not detecting the malware.
    > We were able to disable it manually through regedit, where it leaves a key
    > entry in
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    > named "Microsoft Window Updater", but does anyone know if this is a new
    > virus or spyware?
    >
    > Esteban Lara
    > Director de IT
    > Soluciones Digitales de Almacenamiento S.A.

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------

