Wilders Security Forums > Other Security Topics > malware problems & news
#1 | March 19th, 2006, 05:29 PM
tobacco (Frequent Poster, joined Nov 2005, British Columbia, 1,460 posts)
What's up with this worm?

Thought I would mention this because I've seen "wupdmgr1.exe" listed in some of the HijackThis logs posted in forums and no mention was made of it. It is malicious, to what extent I don't know, but here is the link.

http://www.dslreports.com/forum/remark,15359524
__________________
Sent From My New "ipod killer" - the Samsung Galaxy Media Player 5.0
#2 | June 14th, 2006, 10:20 AM
connarch (Infrequent Poster, joined Jun 2006, 1 post)
Re: What's up with this worm?

June 2, 2006

It is definitely a worm. I've had it get through twice in 6 months (January 19, 2006 and June 2, 2006) through a single open port I use to transfer files with others (P2P).

As the thread at http://www.dslreports.com/forum/remark,15359524 describes, it is a self-install version of SETIATHOME BOINC that embeds itself in ../windows/system32.

I've manually removed it twice because none of the virus scan companies consider it very serious (I guess).

It arrives via Install Source:

C:\DOCUMENTS AND SETTINGS\(LOCAL USER)\LOCAL SETTINGS\Temp\RarSFX0\

and creates a Windows Installer package:

Local Package:
C:\WINDOWS\Installer\212d53.msi

Goes into the Windows registry as:

Modify Path/Uninstall String:
MsiExec.exe /I{C84AF6B4-168C-4469-B859-7066B037AA02}

After it is installed, the files created in the /system32 folder are:

wupdmgr1.exe: this is the executable that runs in the background. It is a customized version of BOINC.

boinc.dll: the dynamic link library

and data collection files:

stderrdae.txt
stdoutdae.txt
dc1595.xml
client_state.xml
client_state_previous.xml
sched_reply_setiathome.berkeley.edu.xml
sched_request_setiathome.berkeley.edu.xml
statistics_setiathome.berkeley.edu.xml

Except for the wupdmgr1.exe file, all the files will be dated the same day the install was done, so to find them prioritize by date.

The wupdmgr1.exe is dated 01/19/06

Also, if a complete and clean removal isn't done, the program will re-install itself in different directories.

In the ../windows/system32/projects/setiathome.berkeley.edu directory:

stderrdae.txt
stdoutdae.txt (this file is critical to refer to because it's a log of activity, including when the worm was first installed, which will lead to when wupdmgr1.exe was installed)
dc1595.xml
client_state.xml
client_state_previous.xml
sched_reply_setiathome.berkeley.edu.xml
sched_request_setiathome.berkeley.edu.xml
statistics_setiathome.berkeley.edu.xml

In the windows directory
boinc.dll

Also, at one point the application ran as setiathome_4.18_windows_intelx86.exe under a created folder called ../windows/system32/slots/0/

Bottom line is that after you remove these files, you need to run a complete file search (including hidden files) AND a registry search for the words:

BOINC
SETIAT

That "should" remove it completely.

connarchATyahoo.com
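The checks connarch describes (the known file names under System32, the MSI registration with that product code, and the whole-system file and registry search for BOINC and SETIAT) as one PowerShell triage script. This is an added example written for this page, not code from the thread or from the BOINC project. It assumes Windows PowerShell 3.0 or later run from an elevated prompt on the suspect host; the product code, file names and directory names are taken from the post above, while the Wow6432Node uninstall path and the process name wupdmgr1 are assumptions (the post describes a 32-bit machine, and the process name is the file name without its extension).

```powershell
# Added triage script for the indicators listed in the thread (not code from the post or from BOINC).
# Assumptions: Windows PowerShell 3.0 or later, run from an elevated prompt on the suspect host.
$ErrorActionPreference = 'SilentlyContinue'   # skip access-denied noise during the sweeps

$sys32       = Join-Path $env:SystemRoot 'System32'
$productCode = '{C84AF6B4-168C-4469-B859-7066B037AA02}'   # from the Uninstall string in the post
$fileIocs    = 'wupdmgr1.exe', 'boinc.dll', 'stderrdae.txt', 'stdoutdae.txt',
               'client_state.xml', 'client_state_previous.xml'
$dirIocs     = (Join-Path $sys32 'projects\setiathome.berkeley.edu'),
               (Join-Path $sys32 'slots\0')
$pattern     = 'boinc|setiat'      # the two search terms the post recommends (-match is case-insensitive)
$hits        = New-Object 'System.Collections.Generic.List[string]'

# 1. Known names in System32 and in %SystemRoot% itself (the post saw boinc.dll in both).
foreach ($name in $fileIocs) {
    foreach ($base in @($sys32, $env:SystemRoot)) {
        $p = Join-Path $base $name
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p -Force
            $hits.Add("file: $p (written $($item.LastWriteTime))")
        }
    }
}
foreach ($d in $dirIocs) { if (Test-Path -LiteralPath $d) { $hits.Add("dir: $d") } }

# 2. The MSI registration. The Uninstall key is named by the product code; LocalPackage is the
#    cached .msi the post found under %SystemRoot%\Installer. The Wow6432Node path is an
#    assumption for 64-bit hosts; the post describes a 32-bit machine.
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
foreach ($root in $uninstallRoots) {
    $key = Join-Path $root $productCode
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $hits.Add("registry: $key DisplayName='$($props.DisplayName)' UninstallString='$($props.UninstallString)'")
        if ($props.LocalPackage -and (Test-Path -LiteralPath $props.LocalPackage)) {
            $hits.Add("msi: $($props.LocalPackage)")
        }
    }
}

# 3. Is the renamed BOINC client running right now? (process name assumed = file name minus .exe)
Get-Process -Name 'wupdmgr1' | ForEach-Object { $hits.Add("process: PID $($_.Id) $($_.Path)") }

# 4. The full sweep the post asks for: every file on every fixed drive, hidden files included,
#    and every key or value under HKLM/HKCU SOFTWARE whose name or data matches BOINC or SETIAT.
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root } | ForEach-Object {
    Get-ChildItem -Path $_.Root -Recurse -Force -File |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object { $hits.Add("file-sweep: $($_.FullName) (written $($_.LastWriteTime))") }
}
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
    Get-ChildItem -Path $hive -Recurse | ForEach-Object {
        $k = $_
        if ($k.PSChildName -match $pattern) { $hits.Add("reg-key: $($k.Name)") }
        foreach ($v in $k.GetValueNames()) {
            $data = [string]$k.GetValue($v)
            if ($v -match $pattern -or $data -match $pattern) {
                $hits.Add("reg-value: $($k.Name)\$v = $data")
            }
        }
    }
}

# 5. If the daemon log survives, its first line is the earliest activity; the post says that dates the install.
$log = Join-Path $sys32 'stdoutdae.txt'
if (Test-Path -LiteralPath $log) {
    $hits.Add('stdoutdae.txt first line: ' + (Get-Content -LiteralPath $log -TotalCount 1))
}

if ($hits.Count -gt 0) { $hits | Sort-Object -Unique } else { 'no indicators found' }
```

Run it before deleting anything and keep the output: the LastWriteTime values give the same date clustering the post uses to find the dropped files, and the registry hits show which keys still need to go after the files are removed. On a 64-bit host a 32-bit PowerShell session sees System32 redirected to SysWOW64, so run the 64-bit shell; the recursive registry sweep over HKLM:\SOFTWARE is slow but it is exactly the search the post recommends.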
Copyright ©2002 - 2013, Wilders Security Forums