RE: strange software > winsupdater.exe
From: Jim Harrison (ISA) (jmharr_at_microsoft.com)
Date: 03/16/05
- Previous message: dave_mikesch_at_baxter.com: "Re: strange software > winsupdater.exe"
- Maybe in reply to: SDA: "strange software > winsupdater.exe"
- Next in thread: Mike Barushok: "Re: strange software > winsupdater.exe"
Date: Wed, 16 Mar 2005 09:27:20 -0800
To: "Harlan Carvey" <keydet89@yahoo.com>, <sda-cr@racsa.co.cr>, <incidents@securityfocus.com>
Hi Harlan,
Yes; and the regkey name where it's found.
Granted these are hardly definitive clues, but they at least provide a
starting point for the search.
It could also be as simple (and cruel) as a practical joke, but let's
hope not.
Jim Harrison
Security Business Unit (ISA SE)
"I have seen the suitcase in the trash and lived to tell the tale"
-----Original Message-----
From: Harlan Carvey [mailto:keydet89@yahoo.com]
Sent: Wednesday, March 16, 2005 9:17 AM
To: Jim Harrison (ISA); sda-cr@racsa.co.cr; incidents@securityfocus.com
Subject: RE: strange software > winsupdater.exe
Jim,
Is your analysis based solely on the name of the file
given by the OP?
--- "Jim Harrison (ISA)" <jmharr@microsoft.com> wrote:
> Sounds like it might be a variant of Gaobot:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.bi.html
>
> Jim Harrison
> Security Business Unit (ISA SE)
> "I have seen the suitcase in the trash and lived to
> tell the tale"
>
> -----Original Message-----
> From: sda-cr@racsa.co.cr [mailto:sda-cr@racsa.co.cr]
>
> Sent: Tuesday, March 15, 2005 12:39 PM
> To: incidents@securityfocus.com
> Subject: strange software > winsupdater.exe
> Importance: High
>
> Hi:
>
> We are looking at an abnormal program named "winsupdater.exe" and we are
> having trouble installing antispyware software on the infected computers,
> and the antivirus is not detecting the malware.
> We were able to disable it manually through regedit, where it leaves a key
> entry in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> named "Microsoft Window Updater", but does anyone know if this is a new
> virus or spyware?
>
> Esteban Lara
> Director de IT
> Soluciones Digitales de Almacenamiento S.A.
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
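
The thread treats the file name and the Run value name as starting points rather than proof. The following PowerShell triage sketch is an added example, not part of the original messages: it lists every value under the Run key named in the original post with the executable's existence, Authenticode status and SHA-256, and marks entries matching the two names from the post. The function names are hypothetical, and PowerShell 4 or later is assumed.

```powershell
# Added triage example; not code from the thread.
# The two indicators below are the names given in the original post.
$IndicatorValueName = 'Microsoft Window Updater'
$IndicatorFileName  = 'winsupdater.exe'
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-ExePathFromCommand {   # hypothetical helper name
    param([string]$Command)
    # Run values are command lines: a quoted path, or a bare path plus arguments.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')            { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)(\s|$)')     { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-RunKeyReport {         # hypothetical helper name
    param([string]$KeyPath = $RunKey)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        if (-not $command) { continue }            # skip empty/default values
        $exe    = Get-ExePathFromCommand $command
        # Bare file names (resolved by Windows via PATH) are not resolved here
        # and will simply show Exists = False.
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        [pscustomobject]@{
            ValueName   = $name
            Command     = $command
            Executable  = $exe
            Exists      = $exists
            Signature   = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'n/a' }
            SHA256      = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { 'n/a' }
            # Name match only; as noted in the thread, not a definitive clue.
            MatchesPost = ($name -eq $IndicatorValueName) -or
                          ((Split-Path $exe -Leaf) -eq $IndicatorFileName)
        }
    }
}

Get-RunKeyReport | Sort-Object MatchesPost -Descending | Format-List
```

An unsigned or missing executable behind a Microsoft-sounding value name is what to look at first; the hash gives something concrete to compare across the affected machines.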