WindowsUpdate.exe – trojan MSIL/KeyLogger

April 19, 2011 by NightWatcher
Filed under: Malware, Solved!

The file WindowsUpdate.exe is malware related.
Delete the file WindowsUpdate.exe immediately!
Kill the WindowsUpdate.exe process, delete the file, and remove WindowsUpdate.exe from the Windows startup entries.

Malware Analysis of WindowsUpdate.exe
Executed: RShack.exe
Removed: WindowsUpdate.exe. Full path: C:\Users\Rich\AppData\Roaming\Microsoft\Local\WindowsUpdate.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: {811JW4PB-02o2-3cqN-23Q3-9taa323qEvMh}
Author: lDKjtGJDDe
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MICROSOFT\WINDOWS FIREWALL\WIN32.EXE
Type: ActiveSetup

Item Name: Adobe Drivers
Author: lDKjtGJDDe
Related File: C:\USERS\RICH\APPDATA\ROAMING\MICROSOFT\LOCAL\WINDOWSUPDATE.EXE
Type: Registry Run

Item Name: WindowsUpdate.exe
Author:
Related File: C:\USERS\RICH\APPDATA\ROAMING\MICROSOFT\LOCAL\WINDOWSUPDATE.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry:
HKLM\Software\Microsoft\Active Setup\Installed Components\{811JW4PB-02o2-3cqN-23Q3-9taa323qEvMh}\stubpath
Value:
"C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows Firewall\WIN32.exe"

Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers
Value:
"C:\Users\Rich\AppData\Roaming\Microsoft\Local\WindowsUpdate.exe"

Files:
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows Firewall\WIN32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Startup SImg.jpeg
C:\Users\Rich\AppData\Roaming\Microsoft\Local\WindowsUpdate.exe
—————————————————————————————————————————-
Classification:

Antivirus   Version       Last Update   Result
F-Secure    9.0.16440.0   2011.04.07    Gen:Heur.MSIL.Krypt.3
Kaspersky   7.0.0.125     2011.04.07    -
Microsoft   1.6702        2011.04.07    TrojanSpy:MSIL/KeyLogger.C
NOD32       6021          2011.04.07    a variant of MSIL/Spy.Keylogger.BE

—————————————————————————————————————————-

MD5 6e4b2ee2929e997e122e6b21b71db77d

SHA1 1f97b57665d114478c0187010ace095bbc278bd5

SHA256 89436930b146767c4db9e2672f1251bb24c7b451e26c4af8e0317f94054e39f7

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry keys, registry values, files and folders:

———————————-
Keys added: 10
———————————-
HKLM\Software\Microsoft\Active Setup\Installed Components\{811JW4PB-02o2-3cqN-23Q3-9taa323qEvMh}
HKCU\Software\Microsoft\Active Setup\Installed Components\{811JW4PB-02o2-3cqN-23Q3-9taa323qEvMh}
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\1
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\1\0
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\1\0\0
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell
HKCU\Software\Windows Firewall

———————————-
Values added: 14
———————————-
HKLM\Software\Microsoft\Active Setup\Installed Components\{811JW4PB-02o2-3cqN-23Q3-9taa323qEvMh}\stubpath: "C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows Firewall\WIN32.exe"
HKLM\Software\Microsoft\Active Setup\Installed Components\{811JW4PB-02o2-3cqN-23Q3-9taa323qEvMh}\ComponentID: "User Account Control"
HKLM\Software\Microsoft\Active Setup\Installed Components\{811JW4PB-02o2-3cqN-23Q3-9taa323qEvMh}\: "Microsoft Windows"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers: "C:\Users\Rich\AppData\Roaming\Microsoft\Local\WindowsUpdate.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Drivers: "C:\Users\Rich\AppData\Roaming\Microsoft\Local\WindowsUpdate.exe"
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\1: 58 00 31 00 00 00 00 00 00 00 00 00 10 00 41 70 70 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 00 00 38 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 41 00 70 00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00 20 00 44 00 61 00 74 00 61 00 00 00 20 00 00 00
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\1\0\0\NodeSlot: 0x00000026
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\1\0\0\MRUListEx: FF FF FF FF
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\1\0\0: 3C 00 31 00 00 00 00 00 00 00 00 00 10 00 57 69 6E 64 6F 77 73 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 00 00 16 00 00 00
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\1\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\1\0: 42 00 31 00 00 00 00 00 00 00 00 00 10 00 4D 69 63 72 6F 73 6F 66 74 00 2A 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 00 00 18 00 00 00
HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\1\MRUListEx: 00 00 00 00 FF FF FF FF
HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\38\Shell\FolderType: "Documents"
HKCU\Software\Windows Firewall\TCP Connection Manager: "6Y69x74D2s"

———————————-
Values modified: 4
———————————-
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
(-) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\MRUListEx: 00 00 00 00 FF FF FF FF
(+) HKCU\Software\Microsoft\Windows\ShellNoRoam\BagMRU\12\0\0\0\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF

———————————-
Files added: 3
———————————-
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows Firewall\WIN32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Startup SImg.jpeg
C:\Users\Rich\AppData\Roaming\Microsoft\Local\WindowsUpdate.exe

———————————-
Files deleted: 1
———————————-
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gi17c3pt.default\signons.sqlite

———————————-
Folders added: 7
———————————-
C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows Firewall
C:\Users
C:\Users\Rich
C:\Users\Rich\AppData
C:\Users\Rich\AppData\Roaming
C:\Users\Rich\AppData\Roaming\Microsoft
C:\Users\Rich\AppData\Roaming\Microsoft\Local

———————————-
Total changes: 39
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com

Written by

Malware Hunter.
