Security Incidents mailing list archives

Re: strange software > winsupdater.exe


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 16 Mar 2005 12:53:27 +1300

SDA wrote:

We are looking at an abnormal program named "winsupdater.exe" and we are
having trouble installing antispyware software on the infected computers,
and the antivirus is not detecting the malware.
We were able to disable it manually through regedit, where it leaves a key entry
in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run named
"Microsoft Window Updater", but does anyone know if this is a new virus or
spyware?

Filenames are all but totally useless for diagnosing malware, spyware 
_AND_ the normal operation of a system.

If you suspect the file may be some (new) undesirable thing, send 
copies to your preferred antivirus (and possibly other "security") 
product developers asking them for an analysis and to add detection and 
removal if it turns out that it really is "undesirable" by their 
standard.

To save you looking them up, here are the suspect file submission 
addresses for the better known antivirus engine developers:

   Authentium (Command Antivirus)  <virus () authentium com>
   Computer Associates (US)        <virus () ca com>
   Computer Associates (Vet/EZ)    <ipevirus () vet com au>
   DialogueScience (Dr. Web)       <Antivir () dials ru>
   Eset (NOD32)                    <sample () nod32 com>
   F-Secure Corp.                  <vsamples () f-secure com>
   Frisk Software (F-PROT)         <viruslab () f-prot com>
   Grisoft (AVG)                   <virus () grisoft cz>
   H+BEDV (AntiVir, Vexira engine) <virus () antivir de>
   Kaspersky Labs                  <newvirus () kaspersky com>
   Network Associates (McAfee)     <virus_research () nai com>
     (use a ZIP file with the password 'infected' without the quotes)
   Norman (NVC)                    <analysis () norman no>
   Panda Software                  <labs () pandasoftware com>
   Sophos Plc.                     <samples () sophos com>
   Symantec (Norton)               <avsubmit () symantec com>
   Trend Micro (PC-cillin)         <virus_doctor () trendmicro com>
     (Trend may only accept files from users of its products)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
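As an added example (not part of the original thread), a PowerShell inventory of the HKLM Run key the original poster mentions, identifying each referenced binary by SHA-256 and Authenticode signer rather than by its file name or its value name, which is the information worth recording and sending along with a sample. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and read access to the key.

```powershell
# Added example, not from the original post. Inventory HKLM Run entries and
# identify each referenced binary by hash and signature rather than by name.
# Assumes Windows PowerShell 4.0 or later (Get-FileHash) and read access to the key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$key    = Get-Item -Path $runKey

foreach ($name in $key.GetValueNames()) {
    $cmd = [string]$key.GetValue($name)

    # Reduce the command line to its executable path: a quoted path first,
    # otherwise the first whitespace-separated token.
    if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else                             { $exe = ($cmd.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -LiteralPath $exe
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $status = $sig.Status
    } else {
        $hash = '(file not found)'; $signer = ''; $status = ''
    }

    # A vendor-sounding value name such as "Microsoft Window Updater" proves
    # nothing on its own; the hash and the signer are what to record and submit.
    [PSCustomObject]@{
        ValueName = $name
        Command   = $cmd
        Binary    = $exe
        SHA256    = $hash
        Signer    = $signer
        SigStatus = $status
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record; an entry whose binary is unsigned, or whose signer does not match the name the value claims, is the one to submit to the addresses listed above.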
