Re: strange software > winsupdater.exe
From: Mike Barushok (barushok_at_keycreations.com)
Date: 03/16/05
- Previous message: Jim Harrison (ISA): "RE: strange software > winsupdater.exe"
- In reply to: SDA: "strange software > winsupdater.exe"
- Next in thread: Harlan Carvey: "Re: strange software > winsupdater.exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Mar 2005 14:50:30 -0600 (CST)
To: SDA <sda-cr@racsa.co.cr>
I found this:
http://sandbox.norman.no/live_5.html?logfile=105241&menulang=
With details including:
Report created: 03.03.2005 15:52:11
Automatic Sandbox analysis of unknown malware (W32/Malware)
[ General information ]
* Locates window "NULL [class mIRC]" on desktop.
* File length: 130048 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\winsupdater.exe.
* Deletes file 1.
[ Changes to registry ]
* Creates value "Windows pack service"="winsupdater.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Windows pack service"="winsupdater.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates key "HKCU\Software\Microsoft\OLE".
* Sets value "Windows pack service"="winsupdater.exe" in key "HKCU\Software\Microsoft\OLE".
* Sets value "restrictanonymous"="" in key "HKLM\System\CurrentControlSet\Control\Lsa".
(character between quotes, after equals sign, could not be pasted)
[ Network services ]
* Looks for an Internet connection.
* Connects to "box1.servepics.com" on port 5525 (TCP).
* Connects to IRC Server.
* Attempts to delete share named "IPC$" on local system.
* Attempts to delete share named "ADMIN$" on local system.
* Attempts to delete share named "C$" on local system.
* Attempts to delete share named "D$" on local system.
(there is more, I did not quote the entire page, since I would not want
anyone quoting an entire page of mine without permission).
Hope this helps.
On Tue, 15 Mar 2005, SDA wrote:
> Hi:
>
> We are looking at an abnormal program named "winsupdater.exe" and we are
> having trouble installing antispyware software on the infected computers,
> and the antivirus is not detecting the malware.
> We were able to disable it manually through regedit, where it leaves a key entry
> in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run named
> "Microsoft Window Updater", but does anyone know if this is a new virus or
> spyware?
>
> Esteban Lara
> Director de IT
> Soluciones Digitales de Almacenamiento S.A.
>
>
--
Mike Barushok
Senior Security Administrator
KeyCreations.com/KCISP.net/ispKansas.com
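As an added example (not from this thread or from the sandbox report), the following read-only PowerShell script checks a suspect host for the indicators the quoted report lists: the autostart values under Run, RunServices and HKCU\Software\Microsoft\OLE, the dropped file, the altered "restrictanonymous" value under Lsa, and the default administrative shares the sample tries to remove. It assumes a current PowerShell with Get-ItemProperty and Get-CimInstance; the value names come from the report and from SDA's post.

```powershell
# Added host-check example; changes nothing, only reports findings.
# Value names seen in the sandbox report and in SDA's original post.
$valueNames = @('Windows pack service', 'Microsoft Window Updater')
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'   # not a normal autostart location
)
$findings = @()

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Flag the known names, and any value in these keys pointing at the dropped file.
        if ($valueNames -contains $p.Name -or "$($p.Value)" -match 'winsupdater\.exe') {
            $findings += "Autostart value '$($p.Name)' = '$($p.Value)' in $key"
        }
    }
}

# The report drops the file under C:\WINDOWS\SYSTEM; also check the NT-style path.
foreach ($path in "$env:windir\SYSTEM\winsupdater.exe", "$env:windir\System32\winsupdater.exe") {
    if (Test-Path $path) { $findings += "Dropped file present: $path" }
}

# The legitimate restrictanonymous setting is a DWORD (0, 1 or 2); the sample
# writes a non-numeric value there, which is the anomaly to look for.
$lsa = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.PSObject.Properties['restrictanonymous']) {
    $ra = $lsa.restrictanonymous
    if ($ra -isnot [int]) { $findings += "restrictanonymous has unexpected value/type: '$ra'" }
}

# Default administrative shares the sample attempts to delete.
$shares = (Get-CimInstance -ClassName Win32_Share).Name
foreach ($share in 'IPC$', 'ADMIN$', 'C$') {
    if ($shares -notcontains $share) { $findings += "Default share $share is missing" }
}

if ($findings.Count -eq 0) { 'No indicators from the report found on this host.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run from an elevated prompt so HKLM and the share list are fully readable; a clean host prints the single "No indicators" line.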