Alerts coming from Windows Update cabs

Discussion in 'ESET NOD32 Antivirus' started by SmackyTheFrog, Jan 28, 2011.

Thread Status:
Not open for further replies.
  1. SmackyTheFrog

    SmackyTheFrog Registered Member

    I can't say I've ever seen this one before. One of our mobile users was pulling down updates from download.windowsupdate.com (from what I can tell by public DNS records and the IP, this is a valid Microsoft website) and a driver for a USB device is being flagged as malicious.

    Code:
    Name	Threat	Action	Information
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab	multiple threats	connection terminated - quarantined	Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.exe	multiple threats		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.exe » INNO » file0000.bin	probably a variant of Win32/Agent.LQHLSWT trojan		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.exe » INNO » file0010.bin	Win32/Arurizer.A trojan		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.rar	multiple threats		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.rar » RAR » UsbCharger setup V1.1.1.exe	multiple threats		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.rar » RAR » UsbCharger setup V1.1.1.exe » INNO » file0000.bin	probably a variant of Win32/Agent.LQHLSWT trojan		
    http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab » CAB » UsbCharger setup V1.1.1.rar » RAR » UsbCharger setup V1.1.1.exe » INNO » file0010.bin	Win32/Arurizer.A trojan		
    
    The connection was initiated by NT AUTHORITY\SYSTEM, so I'm confident this activity was coming out of the Windows Update service. The directory structure indicates that this cab is from 2008, which makes me suspect a false positive.

    e: I brought down a copy of the cab on my workstation and it was detected with the same definitions, so this isn't a case of downloads getting redirected. I guess it is a possibility that the WU repository was compromised, but that seems unlikely.
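The triage the poster does by hand (confirm the source host, note the package date from the path, confirm that the Windows Update service rather than some other process fetched it, and separate the named verdicts on the inner files from the "multiple threats" rollup on the containers) can be scripted over the log format shown above. The following is an added example, not code from the thread or from ESET; the function and constant names (`parse_log`, `summarize`, `CAB_URL`) are my own, and the sample lines are the ones pasted in the post.

```python
"""Parser for ESET-style tab-separated threat-log lines whose Name column
encodes archive nesting with " » " separators, e.g.
    <URL> » CAB » inner.exe » INNO » file0000.bin
Detections are grouped by their top-level container so an analyst can see
where the object came from, how old the package is, which process fetched
it, and which nested files carry the concrete verdicts."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SEP = " » "

# Sample input: the four lines copied from the detection log in the post above.
CAB_URL = ("http://download.windowsupdate.com/msdownload/update/driver/drvs/2008/08/"
           "20069747_61412dc9aba9cacfad12955f8049fc57bf505137.cab")
SAMPLE_LOG = "\n".join([
    "Name\tThreat\tAction\tInformation",
    f"{CAB_URL}\tmultiple threats\tconnection terminated - quarantined\t"
    "Threat was detected upon access to web by the application: C:\\Windows\\System32\\svchost.exe.",
    f"{CAB_URL} » CAB » UsbCharger setup V1.1.1.exe\tmultiple threats\t\t",
    f"{CAB_URL} » CAB » UsbCharger setup V1.1.1.exe » INNO » file0000.bin"
    "\tprobably a variant of Win32/Agent.LQHLSWT trojan\t\t",
    f"{CAB_URL} » CAB » UsbCharger setup V1.1.1.exe » INNO » file0010.bin"
    "\tWin32/Arurizer.A trojan\t\t",
])

WU_DRIVER_DATE = re.compile(r"/drvs/(\d{4})/(\d{2})/")          # year/month in the WU driver path
INITIATOR = re.compile(r"by the application: (.+?)\.?$")        # process named in the Information column


@dataclass(frozen=True)
class Detection:
    container: str   # top-level object ESET scanned: the URL (or a local file path)
    chain: tuple     # alternating (archive type, entry name) pairs below the container
    threat: str
    action: str
    info: str

    @property
    def archives(self):
        """Archive formats traversed, outermost first, e.g. ('CAB', 'INNO')."""
        return self.chain[0::2]

    @property
    def innermost(self):
        """The object the verdict is actually about."""
        return self.chain[-1] if self.chain else self.container


def parse_log(text):
    """Parse the tab-separated export into Detection records (header row required)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split("\t")[0] != "Name":
        raise ValueError("expected a header row starting with 'Name'")
    detections = []
    for ln in lines[1:]:
        cols = ln.split("\t")
        cols += [""] * (4 - len(cols))      # nested entries leave Action/Information empty
        name, threat, action, info = cols[:4]
        parts = name.split(SEP)
        if len(parts) % 2 == 0:             # container plus whole (archive, entry) pairs
            raise ValueError(f"unbalanced nesting chain: {name!r}")
        detections.append(Detection(parts[0], tuple(parts[1:]), threat, action, info))
    return detections


def summarize(detections):
    """Group detections by container: {container: {host, published, initiator, action, verdicts}}."""
    summary = {}
    for d in detections:
        entry = summary.setdefault(d.container, {
            "host": urlparse(d.container).hostname if "://" in d.container else None,
            "published": None,   # YYYY-MM from the Windows Update driver path, if present
            "initiator": None,   # process that triggered the download
            "action": None,
            "verdicts": [],      # (innermost object, archive path, threat name)
        })
        m = WU_DRIVER_DATE.search(d.container)
        if m and entry["published"] is None:
            entry["published"] = f"{m.group(1)}-{m.group(2)}"
        m = INITIATOR.search(d.info)
        if m:
            entry["initiator"] = m.group(1)
        if d.action:
            entry["action"] = d.action
        # "multiple threats" is a rollup over children; keep only the named verdicts
        if d.threat != "multiple threats":
            entry["verdicts"].append((d.innermost, "/".join(d.archives), d.threat))
    return summary


if __name__ == "__main__":
    for container, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{container}\n  host={s['host']} published={s['published']} "
              f"fetched by={s['initiator']} action={s['action']}")
        for obj, path, threat in s["verdicts"]:
            print(f"  {path}: {obj} -> {threat}")
```

Run as-is it reports one container, hosted on download.windowsupdate.com, published 2008-08, fetched by svchost.exe (the Windows Update service host), with the two Inno Setup payload files as the only named verdicts; the same parser works on a full log export where several containers are mixed together.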
  2. agoretsky

    agoretsky Eset Staff Account

    Hello,

    Issue is under investigation. Thank you for your report.

    Regards,

    Aryeh Goretsky
  3. Marcos

    Marcos Eset Staff Account

    The detection is correct, even Microsoft detects the malware as Backdoor:Win32/Arurizer.A.
  4. SmackyTheFrog

    SmackyTheFrog Registered Member

    Do you guys have any contacts with Microsoft to report this? A security vendor is going to get attention brought to it a lot faster than I ever could.
  5. agoretsky

    agoretsky Eset Staff Account

    Hello,

    Microsoft has been notified.

    Regards,

    Aryeh Goretsky
  6. chromebuster

    chromebuster Registered Member

    Well, they're apparently too chicken to blog about it then since they've not said anything on their main site.
  7. SmackyTheFrog

    SmackyTheFrog Registered Member

    Apparently this was a driver for an Energizer USB battery charger. There was a big stink a few years ago because the driver CD shipped with a virus on it, and I guess Microsoft just dumped the whole thing in that cab and said it was ok. It's been removed now.
  8. dmaasland

    dmaasland Registered Member

  9. agoretsky

    agoretsky Eset Staff Account

    Hello,

    Given that the actual device is no longer sold, I don't think this is something which is going to affect many people.

    I feel Microsoft's response was prompt and appropriate, as stated here in ESET's blog.

    Regards,

    Aryeh Goretsky