Updated.exe

Thread starter: Jim

Jim
Microsoft's spyware program (and Webroot's Spysweeper)
both failed to catch a piece of spyware -- but I was able
to isolate the problem by using the "startup files" tool
and the "running processes" tool under the advanced tools
options. The "Delete" option did not work, but
the "block" option does work. The offending program
is ..\system32\updated.exe -- anyone heard of this little
gem? It creates a local (outbound) denial of service
attack.

\jm
 
Gunilla,

Thanks for the pointer -- saw that one already, but my
pest is a different breed altogether.

\jm
 
Hi Jim.

Care to explain how you mean? It could be useful as there was not much to
find about it, and many legal files had the same name.

Gunilla.
 
Gunilla,

I'll post more data when we know more -- but here are the
basics.

- We believe that we contracted the infection from one of
our associates who got it from his graduate school
network.

- I don't yet know how it replicates or installs, we only
know what happens when a machine gets infected.

- Infected machines have a program <winroot>\system32
\updated.exe -- the date of the file is the date of the
infection. The program has hidden/system/read-only
attributes set. So, you can see it with a directory
listing and you can't delete it. The Microsoft
antispyware program displays the program in "running
programs" advanced tools under system explorer and there
is a registry entry that causes updated.exe to run when
Windows runs.

- Behavior. The program does not ~appear~ to start
causing problems right away. Some users that were
infected on day one did not appear to cause problems
until the 2nd or 3rd day of the infection. The
updated.exe program throws TONS of incomplete packets at
the gateway (a WatchGuard firewall in our case).
Ipmonitor and like programs did not see the activity,
probably because they were incomplete packets. However,
the firewall almost immediately throws off NAT errors and
effectively blocks all outside network access from inside
the network.

- Removal. Reboot the machines in safe mode with no
networking. Run cmd and:

cd <winroot>\System32
attrib -h -s -r updated.exe
del updated.exe

Run Explorer and delete temporary internet and temp files
for all users on the machine's Documents and
Settings\<userid>\Local Settings (which is hidden by
default).

Reboot in regular mode.

More to follow.

\jm
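The indicators Jim lists above (a hidden/system/read-only updated.exe in System32, an autorun registry entry, and a running process) can be checked on a machine from a defender's side. The PowerShell script below is an added example and is not part of the original thread or any tool the posters mention. It assumes the autorun entry sits under the standard HKLM/HKCU ...\CurrentVersion\Run keys (the post does not say which key) and that the process image name is "updated"; it only reports unless -Remove is given, and removal mirrors the post's attrib/del steps, which as Jim says belong in Safe Mode with networking off.

```powershell
# Added example (not from the thread): triage, and optional removal, of the
# updated.exe indicators described in the post. Run from an elevated PowerShell.
# Assumptions not stated in the post: the autorun lives under the Run keys below,
# and the process image name is "updated".
param(
    [switch]$Remove   # report only unless this switch is given
)

$Target  = Join-Path $env:SystemRoot 'System32\updated.exe'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-UpdatedExeFindings {
    $findings = @()

    # 1. The dropped file: hidden + system + read-only, dated the day of infection.
    if (Test-Path -LiteralPath $Target) {
        $file = Get-Item -LiteralPath $Target -Force    # -Force is needed to see a hidden file
        $findings += [pscustomobject]@{
            Kind   = 'File'
            Where  = $file.DirectoryName
            Name   = $file.Name
            Detail = "attrs=$($file.Attributes) written=$($file.LastWriteTime) bytes=$($file.Length)"
            HSR    = $file.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                     $file.Attributes.HasFlag([IO.FileAttributes]::System) -and
                     $file.Attributes.HasFlag([IO.FileAttributes]::ReadOnly)
        }
    }

    # 2. Any Run-key value whose command line references updated.exe (assumed location).
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }    # skip PowerShell's own metadata properties
            if ("$($prop.Value)" -match '(?i)updated\.exe') {
                $findings += [pscustomobject]@{
                    Kind = 'Autorun'; Where = $key; Name = $prop.Name; Detail = $prop.Value; HSR = $null
                }
            }
        }
    }

    # 3. A live process with that image name.
    foreach ($proc in (Get-Process -Name 'updated' -ErrorAction SilentlyContinue)) {
        $findings += [pscustomobject]@{
            Kind = 'Process'; Where = 'PID'; Name = $proc.Id; Detail = $proc.Path; HSR = $null
        }
    }
    return $findings
}

function Remove-UpdatedExeFindings {
    param([object[]]$Findings)
    # Order matters: stop the process first, then the autorun, then the file.
    foreach ($f in ($Findings | Where-Object Kind -eq 'Process')) {
        Stop-Process -Id ([int]$f.Name) -Force -ErrorAction SilentlyContinue
    }
    foreach ($f in ($Findings | Where-Object Kind -eq 'Autorun')) {
        Remove-ItemProperty -LiteralPath $f.Where -Name $f.Name -ErrorAction SilentlyContinue
    }
    foreach ($f in ($Findings | Where-Object Kind -eq 'File')) {
        $path = Join-Path $f.Where $f.Name
        # Same effect as the post's "attrib -h -s -r updated.exe" followed by "del updated.exe".
        (Get-Item -LiteralPath $path -Force).Attributes = [IO.FileAttributes]::Normal
        Remove-Item -LiteralPath $path -Force
    }
}

$found = @(Get-UpdatedExeFindings)
if ($found.Count -eq 0) { Write-Host 'No updated.exe indicators found.'; return }
$found | Format-Table Kind, Where, Name, Detail, HSR -AutoSize
if ($Remove) { Remove-UpdatedExeFindings -Findings $found }
```

Save it as, for instance, Check-UpdatedExe.ps1 and run it without arguments first to see the table; the HSR column being True on the file row matches the attribute combination described in the post. The temp-file cleanup and the reboot remain manual steps, as in the post.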
 
Jim said:
Microsoft's spyware program (and Webroot's Spysweeper)
both failed to catch a piece of spyware -- but I was able
to isolate the problem by using the "startup files" tool
and the "running processes" tool under the advanced tools
options. The "Delete" option did not work, but
the "block" option does work. The offending program
is ..\system32\updated.exe -- anyone heard of this little
gem? It creates a local (outbound) denial of service
attack.
Here are a couple of links from Sysinternals that may help:
http://www.sysinternals.com/utilities/rootkitrevealer.html

http://www.sysinternals.com/utilities/autoruns.html

You might want to read this thread first:
http://www.broadbandreports.com/forum/remark,13925897
"Microsoft plans to integrate rootkit detection technology from its
Strider Ghostbuster research project into future versions of the
Windows AntiSpyware application..."

Bob Vanderveen
 
Thanks Jim. I will wait with interest. :-))

Gunilla.

Jim said:
Gunilla,

I'll post more data when we know more -- but here are the
basics.

- We believe that we contracted the infection from one of
our associates who got it from his graduate school
network.

- I don't yet know how it replicates or installs, we only
know what happens when a machine gets infected.

- Infected machines have a program <winroot>\system32
\updated.exe -- the date of the file is the date of the
infection. The program has hidden/system/read-only
attributes set. So, you can see it with a directory
listing and you can't delete it. The Microsoft
antispyware program displays the program in "running
programs" advanced tools under system explorer and there
is a registry entry that causes updated.exe to run when
Windows runs.

- Behavior. The program does not ~appear~ to start
causing problems right away. Some users that were
infected on day one did not appear to cause problems
until the 2nd or 3rd day of the infection. The
updated.exe program throws TONS of incomplete packets at
the gateway (a WatchGuard firewall in our case).
Ipmonitor and like programs did not see the activity,
probably because they were incomplete packets. However,
the firewall almost immediately throws off NAT errors and
effectively blocks all outside network access from inside
the network.

- Removal. Reboot the machines in safe mode with no
networking. Run cmd and:

cd <winroot>\System32
attrib -h -s -r updated.exe
del updated.exe

Run Explorer and delete temporary internet and temp files
for all users on the machine's Documents and
Settings\<userid>\Local Settings (which is hidden by
default).

Reboot in regular mode.

More to follow.

\jm

<Snipped>
 