
View Full Version : Windows AutoUpdate Trojan Horse


Jong
September 8th, 2003, 09:23 PM
Recently my Windows 2000 was attacked by the Windows AutoUpdate Trojan Horse; Norton Professional FireWall detected it but did not remove it successfully. Subsequently, Windows 2000 crashed and rebooted randomly and it was quite difficult to start up.

I am evaluating a copy of TDS-3 and it also does not detect changes in C:\WINNT\system32\wuauclt.exe. Is there any way to detect this type of problem with TDS-3?

BTW, my solution at present is:

1) Stopped C:\WINNT\system32\wuauclt.exe from 'Task Manager'. Deleted both C:\WINNT\system32\wuauclt.exe and C:\WINNT\system32\dllcache\wuauclt.exe.

Searched my disk for a clean copy at C:\WINNT\ServicePackFiles\i386 and copied it to C:\WINNT\system32.

2) Changed NoAutoUpdate to 1:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001

3) Win XP Pro:

My Computer / Properties / Automatic Updates, and uncheck 'Keep my computer up to date'.

Jooske
September 9th, 2003, 05:34 AM
Hello Jong, and welcome!
That does not sound nice.
Is it this nasty described here (http://www.sophos.com/virusinfo/analyses/trojcultb.html)?
After installing TDS, get the latest update manually from the site, configure the system testing with everything checked and at the highest sensitivity, and do a full system scan. TDS will find the nasty code if it's still there.
You've already done the other things, like deleting the Windows Update parts. If there are changes in the autostart anyway, TDS will alert you.
You can add the files you want monitored for changes, like this update file, to CRC32scan.txt (under TDS > Edit TEXT files).
Hope this helps, and please tell us if it does.

You speak of Win2000 and Win XP Pro???
XP would have System Restore and asks for one step more:
once clean, disable System Restore, reboot, enable System Restore and manually create a new restore point, which you might like to test.
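Jong asked whether a changed wuauclt.exe can be detected, and Jooske's answer is to list the file in CRC32scan.txt so TDS-3 checksums it. The block below is an added example, not part of this thread and not TDS-3's own code, showing the same idea in Python: take a checksum baseline of the files you want watched, re-scan later, and flag anything missing or changed. The paths are constructed in a temporary directory standing in for C:\WINNT\system32, its dllcache, and the clean ServicePackFiles copy; the "wuauclt.exe" contents are made-up bytes, not a real binary. SHA-256 is recorded next to CRC32 as an assumption of good practice on my part: CRC32 is not collision-resistant, so a replacement file could be crafted to keep the same CRC.

```python
"""
File-integrity check in the spirit of TDS-3's CRC32scan.txt: record a
checksum baseline for a list of files, re-scan, and report any file whose
checksum changed. Added example, not TDS-3 code.
"""
import hashlib
import os
import tempfile
import zlib


def crc32_of(path: str) -> int:
    """CRC32 of a file, streamed so large binaries are not read whole."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def sha256_of(path: str) -> str:
    """SHA-256 of a file. CRC32 alone can be matched by an attacker, so a
    cryptographic hash is recorded alongside it (assumption: the monitor
    wants both, TDS-3 itself only does CRC32)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Return {path: (crc32, sha256)} for the files to be monitored."""
    return {p: (crc32_of(p), sha256_of(p)) for p in paths}


def check_baseline(baseline):
    """Re-scan every monitored file and return a list of (path, reason)
    for anything missing or changed since the baseline was taken."""
    findings = []
    for path, (crc, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        if crc32_of(path) != crc:
            findings.append((path, "crc32 mismatch"))
        elif sha256_of(path) != digest:
            # Same CRC32 but different SHA-256: a CRC collision, still tampered.
            findings.append((path, "sha256 mismatch"))
    return findings


def demo():
    """Constructed scenario: a 'clean' reference copy (like the one Jong
    restored from ServicePackFiles) and two 'system32' copies, one intact
    and one later patched. Returns the findings before and after restoring
    the clean copy over the patched one."""
    root = tempfile.mkdtemp(prefix="crcscan_")
    clean = os.path.join(root, "ServicePackFiles", "wuauclt.exe")
    live = os.path.join(root, "system32", "wuauclt.exe")
    cache = os.path.join(root, "system32", "dllcache", "wuauclt.exe")
    os.makedirs(os.path.dirname(clean))
    os.makedirs(os.path.dirname(cache))  # also creates system32/
    payload = b"MZ" + b"\x00" * 62 + b"constructed clean wuauclt body"
    for p in (clean, live, cache):
        with open(p, "wb") as fh:
            fh.write(payload)
    baseline = build_baseline([live, cache])
    # Simulate the trojan replacing the live copy after the baseline was taken.
    with open(live, "wb") as fh:
        fh.write(payload + b"constructed trojan patch")
    findings = check_baseline(baseline)
    # Restore from the clean copy, as the post describes, and re-check.
    with open(clean, "rb") as src, open(live, "wb") as dst:
        dst.write(src.read())
    after_restore = check_baseline(baseline)
    return findings, after_restore


if __name__ == "__main__":
    before, after = demo()
    print("before restore:", before)
    print("after restore:", after)
```

In use, the baseline would be taken right after restoring the known-clean copy (so the baseline itself is not of a trojaned file) and stored somewhere the malware cannot rewrite; a baseline kept beside the monitored files is only as trustworthy as the files.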

Gavin - DiamondCS
September 10th, 2003, 10:40 AM
I'm not sure of the trojan you refer to?

There are a few variants of SpyBot which use a registry startup entry of "Windows AutoUpdate"; however, they do not modify any system files. To remove SpyBot, simply delete the 2 registry startup keys and remove the file. TDS should detect any SpyBot variant, at the very least in a Process Memory Scan.

Edit - or perhaps the Blaster worm, in which case TDS will detect the file and you can remove it and the registry entry.