Re: strange software > winsupdater.exe

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 03/17/05

  • Next message: Harlan Carvey: "Re: strange software > winsupdater.exe"
    Date: Thu, 17 Mar 2005 03:08:14 -0800 (PST)
    To: dave_mikesch@baxter.com, SDA <sda-cr@racsa.co.cr>
    
    

    Dave,

    > Though there is little (or no) info on the file, I
    > would bet my last dollar that it's a virus or other
    > malware file. Here's why:
    > 1) No info on the file through Google or webferret
    > searches. If it was legit, there would be info.
    > Especially at Microsoft's site.

    Not necessarily. There are a great number of Registry
    keys, for example, that are in Win2K and above, for
    which MS has *no documentation*. So assuming that
    MS is going to have information about all of its
    files and DLLs is not a safe assumption to make.

    However, you _can_ get a warm fuzzy if the file has
    the MS file version information compiled into it.
    That warm fuzzy can be increased if the file is
    digitally signed by MS.

    > 2) It shouldn't be in the Registry at startup
    > locations.

    Yes...maybe.

    > 3) It probably has a recent creation date, since it
    > was recently placed on your machine.

    Well, a simple command (i.e., "dir /tc <file>") would
    sort of confirm that, wouldn't it? Adding to that the
    LastWrite time from the Run key would be nice. Oh,
    darn...the OP doesn't seem to have that information
    available. I wonder why that is??
     
    > I would delete it in the Registry and in any
    > folders.

    Probably a good idea...*after* a root cause analysis
    of (a) how it got on the system and (b) what it
    did/does has been completed. And perhaps maybe not
    delete, but how about copy it off of the system,
    preserving it for analysis?

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------
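The checks Harlan lists above (version resource compiled into the file, a Microsoft digital signature, the creation time that `dir /tc` shows, the LastWrite time of the Run key that references the file, and copying the file off for analysis before anyone deletes it) collected into one PowerShell triage script. This is an added example for this archived thread, not code from the original message or from Microsoft. The file name `winsupdater.exe` comes from the thread; its location under System32, the `E:\evidence` directory and the `Triage.Reg` helper type are assumptions.

```powershell
# Triage of a suspect executable referenced from a Run key.
# Added example for this thread; not code from the original message or from Microsoft.
# Assumptions: the path under System32 and the evidence directory are placeholders,
# and Triage.Reg is a helper type defined here. Run from an elevated PowerShell 4+
# (Get-FileHash) so the HKLM keys are readable.
param(
    [string]$Path        = "$env:SystemRoot\System32\winsupdater.exe",  # assumed location
    [string]$EvidenceDir = 'E:\evidence'                                # assumed: not the suspect volume
)
$ErrorActionPreference = 'Stop'
$Name = Split-Path -Leaf $Path

# The registry provider does not expose a key's LastWrite time; RegQueryInfoKey does.
Add-Type -Namespace Triage -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, System.Text.StringBuilder lpClass, ref uint lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyLastWriteUtc([string]$PSPath) {
    $hive, $sub = $PSPath -split ':\\', 2
    $root = if ($hive -eq 'HKLM') { [Microsoft.Win32.Registry]::LocalMachine } else { [Microsoft.Win32.Registry]::CurrentUser }
    $key = $root.OpenSubKey($sub)
    if (-not $key) { return $null }
    try {
        $cls = New-Object System.Text.StringBuilder 256
        [uint32]$cbCls = $cls.Capacity
        [uint32]$n1 = 0; [uint32]$n2 = 0; [uint32]$n3 = 0; [uint32]$n4 = 0
        [uint32]$n5 = 0; [uint32]$n6 = 0; [uint32]$n7 = 0; [long]$ft = 0
        $rc = [Triage.Reg]::RegQueryInfoKey($key.Handle.DangerousGetHandle(), $cls, [ref]$cbCls,
              [IntPtr]::Zero, [ref]$n1, [ref]$n2, [ref]$n3, [ref]$n4, [ref]$n5, [ref]$n6, [ref]$n7, [ref]$ft)
        if ($rc -ne 0) { return $null }
        [DateTime]::FromFileTimeUtc($ft)   # FILETIME -> UTC DateTime
    } finally { $key.Close() }
}

# 1. Which Run/RunOnce value references the file, and when was that key last written?
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $lastWrite = Get-RegKeyLastWriteUtc $k
    foreach ($p in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }      # skip provider metadata
        if ("$($p.Value)" -match [regex]::Escape($Name)) {
            [pscustomobject]@{ Key = $k; KeyLastWriteUtc = $lastWrite; ValueName = $p.Name; Data = $p.Value }
        }
    }
}

# 2. What 'dir /tc' shows, plus the version resource and the Authenticode signature.
$file = Get-Item -LiteralPath $Path -Force
$sig  = Get-AuthenticodeSignature -LiteralPath $Path
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
[pscustomobject]@{
    Path            = $file.FullName
    Size            = $file.Length
    CreatedUtc      = $file.CreationTimeUtc                 # dir /tc
    LastWrittenUtc  = $file.LastWriteTimeUtc                # dir /tw
    CompanyName     = $file.VersionInfo.CompanyName         # free text; anyone can set it
    FileDescription = $file.VersionInfo.FileDescription
    FileVersion     = $file.VersionInfo.FileVersion
    SignatureStatus = $sig.Status                           # Valid / NotSigned / HashMismatch / NotTrusted
    Signer          = $sig.SignerCertificate.Subject        # $null when unsigned
    SHA256          = $hash.Hash
}

# 3. Preserve before anyone deletes: copy the file out and confirm the copy hashes identically.
if (-not (Test-Path -LiteralPath $EvidenceDir)) { New-Item -ItemType Directory -Path $EvidenceDir | Out-Null }
$dest = Join-Path $EvidenceDir "$($hash.Hash)_$($file.Name)"
Copy-Item -LiteralPath $Path -Destination $dest
if ((Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash -ne $hash.Hash) {
    throw "Hash mismatch after copying to $dest"
}
"Preserved copy: $dest"
```

Two caveats a practitioner should keep in mind when reading the output. The CompanyName and ProductName strings are whatever the author compiled in, so they give the "warm fuzzy" Harlan mentions and nothing more; a SignatureStatus of Valid with a signer subject that chains to Microsoft is the evidence that carries weight. The timestamps also need interpretation: a file copied onto the volume gets a fresh creation time, but a file moved within the same volume keeps its original one, and the standard-information timestamps are writable by any process with write access, so the key's LastWrite time (which changes whenever any value in that key is modified) is corroboration rather than proof.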

