Security Incidents mailing list archives
RE: strange software > winsupdater.exe
From: "Jim Harrison (ISA)" <jmharr () microsoft com>
Date: Wed, 16 Mar 2005 09:27:20 -0800
Hi Harlan,

Yes; and the regkey name where it's found.
Granted these are hardly definitive clues, but they at least provide a starting point for the search.
It could also be as simple (and cruel) as a practical joke, but let's hope not.

Jim Harrison
Security Business Unit (ISA SE)
"I have seen the suitcase in the trash and lived to tell the tale"

-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Wednesday, March 16, 2005 9:17 AM
To: Jim Harrison (ISA); sda-cr () racsa co cr; incidents () securityfocus com
Subject: RE: strange software > winsupdater.exe

Jim,

Is your analysis based solely on the name of the file given by the OP?

--- "Jim Harrison (ISA)" <jmharr () microsoft com> wrote:
Sounds like it might be a variant of Gaobot:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.bi.html

Jim Harrison
Security Business Unit (ISA SE)
"I have seen the suitcase in the trash and lived to tell the tale"

-----Original Message-----
From: sda-cr () racsa co cr [mailto:sda-cr () racsa co cr]
Sent: Tuesday, March 15, 2005 12:39 PM
To: incidents () securityfocus com
Subject: strange software > winsupdater.exe
Importance: High

Hi:

We are looking at an abnormal program named "winsupdater.exe" and we are having trouble installing antispyware software on the infected computers, and the antivirus is not detecting the malware. We were able to disable it manually through regedit, where it leaves a key entry in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
named "Microsoft Window Updater", but does anyone know if this is a new virus or spyware?

Esteban Lara
IT Director
Soluciones Digitales de Almacenamiento S.A.
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------