Hunter's Log: 20060330 -WinsUpdater

HUNTER'S LOG

home | requirements | help | contact | scan now

Hunter's Word

The Internet is filled with amazing amounts of information. There is so much to be explored and so much to learn. It would seem that this information is freely available to anyone. An informational garden of Eden.
This is not entirely the case. In this garden there are snakes at almost every click of the mouse, waiting to strike. There is always a new breed. One we did not recognize yesterday, disguised as something friendly, or necessary. Spyware and adware have moved from the shadows of software piracy and pornographic websites. I've infected computers installing
screensavers, games, listening to music, or even just browsing for information. It is not safe out there, unless someone is constantly keeping up with the newest infections and latest variants of known malicious software. We are doing just that to make sure our software is up to the task of removing the latest infections.
A Hunter's work is never done.

Archive

- 20060421 - Keyloggers
- 20060417 - VXGame
- 20060330 - Winsupdater
- 20060311 - Mailspam
- 20060228 - Hijackers
- 20060212 - Disabler
- 20060114 - INET
- 20060104 - Raze
- 20051219 - SpyAxe
- 20051205 - MsConfg
- 20051116 - NNNL
- 20051109 - KickOff

Hunter's Log: 20060330 115940

Lets take a look at a harmful worm that, quite possibly, could be spreading through emails and file sharing networks as you read this. Downloader.Winsupdater is capable of not only self distribution through emails and file sharing, but will also attempt to disable certain system utilities such as Windows Registry Editor and Task Manager.

This worm, Downloader.Winsupdater, may place itself and it’s backups into the following locations on an infected computer:

%Profile%\Local Settings\Temp\Temporary Directory 1 for a.zip\Setup.exe

%ProgramFiles%\winsupdater\winsupdater.exe
%ProgramFiles%\winsupdater\a.tmp
%ProgramFiles%\winsupdater\a.zip

%ProgramFiles%\winupdates\winupdates.exe
%ProgramFiles%\winupdates\a.tmp
%ProgramFiles%\winupdates\a.zip

Downloader.Winsupdater will drop and hide the following files into the Windows system folder:

%System%\bszip.dll
%System%\cmd.com
%System%\netstat.com
%System%\ping.com
%System%\regedit.com
%System%\taskkill.com
%System%\tasklist.com
%System%\tracert.com

These files will attempt to disable certain Windows utilities to prevent the end-user from troubleshooting and/or successfully removing the infection.

The worm also adds the following entries to the infected computer’s registry to ensure that it gets executed when the computer starts up.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"winsupdater"="C:\Program Files\winsupdater\winsupdater.exe /auto"
"winupdates"="C:\Program Files\winupdates\winupdates.exe /auto"
"(Default)"="winlog.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"(Default)"="winlog.exe"

HKEY_USERS\S-1-5-21-2025429265-838170752-839522115-003\Software\Microsoft\OLE
"(Default)"="winlog.exe"

Once installed, the worm will attempt to distribute itself via emails or file shares and silently connect to a remote location to download and install other harmful files. Thankfully, Spyware Nuker XT can detect and remove this infection. But most importantly, Spyware Nuker XT can prevent the worm’s installer from executing.

End of Entry

Download \| Order Now \| Partners \| Index \| Hunter's Log \| EULA \| Privacy Policy	© 2002-2007 TrekBlue, Inc.