General Spyware Notice: Heads up for Winsvcup and Mswinup

Posted: Thu Oct 05, 2006 10:00 pm
by christopher_wolf
Whilst cleaning up someone's home laptop (Dell) that they brought into the lab, I found two pieces of malware which I would opine are rather difficult to get rid of and are fairly stealthy:

Winsvcup.exe

and

Mswinup.exe

I managed to pick these up whilst the Dell was hooked up to the network firewall, and I kept noticing that not only were these *.exes trying to contact some strange IPs (one a mail site under the *.ru domain, a bad sign if ever there was one), but they also had to be cleared by the user to go through the client firewall each and every time. *No* Windows program should have to do this once cleared by the user or system-launched. What was slightly disturbing is that it didn't show up on a system scan with Ad-Aware Professional or Spybot S&D, and it had to be caught by the latest AVG definitions and the firewall, which should really be the last line of defense should things come to that. It took me quite a while to discover why exactly it didn't flag the other lines of defense when running. It primarily uses the authority of the user to validate itself to the system.

I did a little sniffing and found that, while it does report token information on your system, it generally just changes registry values for other programs to take advantage of. On the system in question, however, this was mainly nullified by a weekly registry scan & fix operation, as many of the keys it changes are mostly invalid if the malware it is changing them for doesn't exist on the system.

Cleaning it up with Prevx seems to get rid of it, as well as just deleting the executables and seeing whether or not they come back. Fairly easy, but sneaky at first. Thought I might put this information here just in case anybody wants to check.

Moral: *Always* watch whatever you clear to get past your firewall(s). :)
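
A defender-side check that follows from the behaviour described in this post (an added example, not something from the thread or from any of the tools mentioned): it hunts for the two executable names above in running processes, lists their established outbound TCP connections (the repeated firewall prompts), and looks for autorun Run/RunOnce entries that reference them. It assumes Windows PowerShell 5.1 or later; `Get-NetTCPConnection` needs Windows 8 or newer.

```powershell
# Added example: hunt for winsvcup/mswinup indicators on a Windows host.
# Run from an elevated PowerShell prompt so process paths and owners are readable.
$suspectNames = @('winsvcup', 'mswinup')   # names from the post; extend as needed

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# 1. Running processes whose image name matches, with full path and owning user
#    (the post notes the malware runs under the user's own authority).
foreach ($p in Get-CimInstance Win32_Process) {
    if ($suspectNames | Where-Object { $p.Name -like "$_*" }) {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $findings += [pscustomobject]@{
            Kind   = 'Process'
            Detail = "PID $($p.ProcessId) $($p.ExecutablePath) (user: $($owner.Domain)\$($owner.User))"
        }
        # 2. Established outbound connections for that PID (what the firewall kept prompting for).
        $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue
        foreach ($c in $conns) {
            $findings += [pscustomobject]@{
                Kind   = 'Connection'
                Detail = "PID $($c.OwningProcess) -> $($c.RemoteAddress):$($c.RemotePort)"
            }
        }
    }
}

# 3. Autorun entries (HKLM and HKCU Run/RunOnce) whose command references a suspect name.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata properties
        if ($suspectNames | Where-Object { "$($prop.Value)" -match $_ }) {
            $findings += [pscustomobject]@{ Kind = 'Autorun'; Detail = "$key\$($prop.Name) = $($prop.Value)" }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No winsvcup/mswinup indicators found.' }
```

A clean hit list is not proof of a clean machine (the post mentions a hidden copy that had propagated to another folder), so treat this as a quick triage step before a full scan.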

Posted: Fri Oct 06, 2006 7:38 am
by dsigma6
I've never heard of Prevx- Is it just a virus/spyware removal tool, or does it actually scan the system and find malicious crap?

Posted: Fri Oct 06, 2006 2:37 pm
by christopher_wolf
dsigma6 wrote: I've never heard of Prevx- Is it just a virus/spyware removal tool, or does it actually scan the system and find malicious crap?
It does a... deep scan; the reason I hesitate is that I was up late last night clearing that laptop from the lab, in addition to various other fix-ups I applied to it, and when they say deep scan, they really mean a *deep* scan. It is actually pretty good, if not a tad over-zealous, but it has a very clean and efficient system for it. More minimal than AVG, for one, and probably as simple as it could get without dropping features. It also picked up a hidden copy of one of those exes that had somehow managed to propagate to another folder elsewhere. It also seems to have a very comprehensive database on malware, as well as adding what you flag as malware to the online database.

I am actually going to try it out on a few test systems over the weekend and, if it does as well as they claim, I might think about getting a site license/subscription for it. In any case, I will see...

:)

Posted: Fri Oct 06, 2006 3:05 pm
by dsigma6
Thanks Chris. I'll give it a whirl later on. It should give my tpfancontrol settings a thorough test.