Re: strange software > winsupdater.exe

From: k levinson (levinson_k_at_yahoo.com)
Date: 03/17/05

    Date: Thu, 17 Mar 2005 10:16:33 -0800 (PST)
    To: incidents@securityfocus.com

    You're both right, sort of. File names are not
    totally useless, but one has to be careful and
    understand the caveats.

    Using file names, you can more or less confirm that a
    file is suspicious, but you cannot confirm whether a
    file is legitimate. If Google doesn't find anything,
    or everything it finds is bad, that's not good. But
    if Google or any other web site does find legitimate
    files with that name, that is inconclusive.

    Also, looking at file names does not reliably identify
    what the malware is, what variant, what it may have
    done to your system, and how to remove it.

    Far more useful and informative is submitting the file
    to a place such as www.virustotal.com for instant
    analysis, and for simultaneously submitting new
    samples to multiple AV vendors. If you know the file
    name, I feel this should be done before searching
    Google or posting here.

    People posting file names here should probably also be
    posting 1) the directory path the file was found in,
    in case a legitimate file name [e.g. svchost.exe] is
    found in a nonstandard folder name. I would also
    suggest such people also 2) post the results of a
    Google search and 3) results of analysis via one or
    more antivirus programs, such as via
    www.virustotal.com.

    Now, if someone were to argue that in the time it took
    you to do a Google search, you could have more
    accurately identified the malware by using one or more
    AV scanners, that could be a true statement.

    Or if someone were to say that using file names
    incorrectly presents a danger that a junior tech could
    look up "svchost.exe" and find that it is legitimate,
    or that someone could decide just to delete a bad file
    and not realize that passwords have been logged or a
    second service undeletes the first deleted file, I
    might agree. Just deleting malware [or reformatting
    it away] without accurately identifying it, submitting
    it and understanding it can be very bad for your
    security.

    regards,

    Karl

    > -----Original Message-----
    > From: Jeremy Anderson [mailto:jeremy@angelar.com]
    >
    > Actually, I'd say [filenames are] fairly useful, if
    > you plug them into google. Sites like iamnotageek.com
    > have pretty good information repositories on what is
    > legitimate and what is not.

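The two checks Karl recommends posting alongside a file name (is a well-known name sitting in a nonstandard folder, and what does a scanner service key on) can be done mechanically before a sample is submitted. The helper below is an added example, not code from this thread or from VirusTotal; the allowlist of expected directories and the sample bytes are constructed for the example, and a real baseline would come from a trusted image of the operating system.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed allowlist for this example: where a few well-known Windows
# binaries are normally expected to live (lowercased, drive letter included).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
}


def classify_path(path_str):
    """Return a verdict for a reported file location.

    'no-path'              only a bare file name was reported, nothing to check
    'expected-location'    well-known name, found in one of its normal folders
    'suspicious-location'  well-known name, found somewhere else
    'unknown-name'         name is not in the allowlist; needs scanner analysis
    """
    # PureWindowsPath parses Windows paths correctly on any host OS.
    p = PureWindowsPath(path_str)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if parent == ".":
        # A bare "svchost.exe" carries no directory; exactly the case the
        # message warns is inconclusive.
        return "no-path"
    if name not in EXPECTED_DIRS:
        return "unknown-name"
    if parent in EXPECTED_DIRS[name]:
        return "expected-location"
    return "suspicious-location"


def sha256_hex(data):
    """SHA-256 of the file contents: the identifier a scanner service keys on,
    unlike the file name, which an attacker chooses freely."""
    return hashlib.sha256(data).hexdigest()


def triage_report(path_str, data):
    """Bundle the facts worth posting alongside a file name."""
    return {
        "path": path_str,
        "name": PureWindowsPath(path_str).name,
        "verdict": classify_path(path_str),
        "sha256": sha256_hex(data),
        "size": len(data),
    }


if __name__ == "__main__":
    # Constructed sample contents; not a real binary.
    sample = b"MZ" + b"\x00" * 62
    for reported in (r"C:\Windows\System32\svchost.exe",
                     r"C:\Windows\svchost.exe",
                     r"C:\Users\Public\winsupdater.exe",
                     "svchost.exe"):
        print(triage_report(reported, sample))
```

The verdict only ever narrows the question: an "expected-location" result does not make the file legitimate (the contents still go to the scanners, keyed by the hash), while "suspicious-location" and "no-path" are the cases where a name lookup alone would mislead a junior tech.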

