What's up with this worm?.

Discussion in 'malware problems & news' started by tobacco, Mar 19, 2006.

Thread Status:
Not open for further replies.
  1. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Thought i would mention this because i've seen "wupdmgr1.exe listed in some of the hijackthis logs posted in forums and no mention was made of it.It is malicious, to what extent i don't know but here is the link.



    http://www.dslreports.com/forum/remark,15359524
     
    tobacco, Mar 19, 2006
    #1
  2. connarch

    connarch Registered Member

    Joined:
    Jun 14, 2006
    Posts:
    1
    June 2, 2006

    It is definitely a worm. I've had it get through twice in 6 months (January 19 2006, and June 2, 2006) through a single open port I use to transfer files with others (P2P).

    As the thread in http://www.dslreports.com/forum/remark,15359524 describes it is a self install version of SETIATHOME BOINC that imbeds itself in the ../windows/system32.

    I've manually removed it twice because none of the virusscan companies consider it very serious (I guess).

    It arrives via Install Source:

    C:\DOCUMENTSA AND SETTINGS\(LOCAL USER)\LOCALSETTINGS\Temp\RarSFX0\

    and creates a windows installer package:

    Local Package:
    C:\WINDOWS\Installer\212d53.msi

    Goes into the windows registry as:

    Modify Rath/Uninstall String:
    MsiExec.exe /I{C84AF6B4-168C-4469-B859-7066B037AA02}

    After it is installed, the files created in the /system32 folder are:

    wupdmgr1.exe this is the executable that runs in the background. It is a customized version of BOINC

    boinc.dll the dynamic link library

    and data collection files:

    stderrdae.txt
    stdoutdae.txt
    dc1595.xml
    client_state.xml
    client_state_previous.xml
    sched_reply_setiathome.berkely.edu.xml
    sched_request_setiathome.berkely.edu.xml
    statistics_setiathome.berkely.edu.xml

    Except for the wupdmgr1.exe file all the files will be dated the same day the install was done so to find them priopitize by date.

    The wupdmgr1.exe is dated 01/19/06

    Also, if a complete and clean removal isn't done, the program will re-install itself in different directories.

    In the ../windows/system32/projects/setiathome.berkely.edu directory:

    stderrdae.txt
    stdoutdae.txt (this file is critical to refer to because its a log of activity including when the worm was first installed which will lead to when wupdmgr1.exe was installed)
    dc1595.xml
    client_state.xml
    client_state_previous.xml
    sched_reply_setiathome.berkely.edu.xml
    sched_request_setiathome.berkely.edu.xml
    statistics_setiathome.berkely.edu.xml

    In the windows directory
    boinc.dll

    Also, at one point the application ran as setiathome_4.18_windows_intelx86.exe under a created folder called ../windows/system32/slots/0/

    Bottom line is that after you remove these files, you need to run a complete system file (including hidden files) AND registry search for the words:

    BOINC
    SETIAT

    That "should" remove it completely

    connarchATyahoo.com
     
    connarch, Jun 14, 2006
    #2
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...