Windows AutoUpdate Trojan Horse

Discussion in 'Trojan Defence Suite' started by Jong, Sep 8, 2003.

Thread Status:
Not open for further replies.
  1. Jong

    Jong Registered Member

    Joined:
    Sep 8, 2003
    Posts:
    1
    Recently my Windows 2000 was attacked by the Windows AutoUpdate Trojan Horse; Norton Professional Firewall detected it but did not remove it successfully. Subsequently, Windows 2000 crashed and rebooted randomly, and it was quite difficult to start up.

    I am evaluating a copy of TDS-3 and it also does not detect changes in C:\WINNT\system32\wuauclt.exe. Is there any way to detect this type of problem with TDS-3?

    BTW, my solution is at present:

    1) Stopped C:\WINNT\system32\wuauclt.exe from 'Task Manager'. Deleted both C:\WINNT\system32\wuauclt.exe and C:\WINNT\system32\dllcache\wuauclt.exe.

    Searched my disk for a clean copy at C:\WINNT\ServicePackFiles\i386 and copied it to C:\WINNT\system32.

    2) Change NoAutoUpdate = 1.

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoUpdate"=dword:00000001

    3) Win XP Pro:

    My Computer / Properties / Automatic Updates, and uncheck 'Keep my computer up to date'.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello Jong, and welcome!
    Sounds not nice.
    Is it this nasty described here?
    After installing TDS, get the latest update manually from the site, configure the system testing to everything checked and on highest sensitivity, and do a full system scan. TDS will find the nasty code if it's still there.
    You've done the other things like deleting the Windows Update parts already. If there are changes in the autostart anyway, TDS will alert you.
    You can add the files you want monitored for changes, like this update file, to CRC32scan.txt (under TDS > Edit TEXT files).
    Hope this helps and please tell us if it does.

    You speak of win2000 and win xp pro o_O
    XP would have system restore and ask for one step more:
    once clean disable system restore - reboot - enable system restore and manually create a new system restore point, which you might like to test.
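    A worked illustration of the file-change check discussed above (Jong's replacement of wuauclt.exe from the ServicePackFiles copy, and Jooske's advice to have TDS monitor that file via CRC32scan.txt), added here as an example; it is not code from the original thread or from TDS-3, and it assumes nothing about TDS-3's own file format. The paths are stand-in files created in a temporary directory, not the real C:\WINNT locations.

```python
import os
import tempfile
import zlib


def crc32_of_file(path):
    """Return the CRC32 of a file as eight hex digits, streaming so large binaries are not read at once."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return f"{crc & 0xFFFFFFFF:08X}"


def build_baseline(paths):
    """Record the current CRC32 of each monitored file (what a CRC32scan.txt entry asks TDS to track)."""
    return {path: crc32_of_file(path) for path in paths}


def check_against_baseline(baseline):
    """Return {path: 'modified' | 'missing'} for every monitored file that no longer matches its baseline."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif crc32_of_file(path) != expected:
            findings[path] = "modified"
    return findings


def matches_reference(live_path, reference_path):
    """True when the live file has the same CRC32 as a known-clean reference copy."""
    return crc32_of_file(live_path) == crc32_of_file(reference_path)


def demo():
    """Constructed scenario in a temp dir; the two files stand in for the real Windows paths."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "wuauclt.exe")      # stand-in for C:\WINNT\system32\wuauclt.exe
    clean = os.path.join(root, "wuauclt_sp.exe")  # stand-in for the C:\WINNT\ServicePackFiles\i386 copy
    for path in (live, clean):
        with open(path, "wb") as fh:
            fh.write(b"MZ constructed stand-in for the update client")  # not a real executable
    baseline = build_baseline([live])
    before = check_against_baseline(baseline)     # file untouched so far, so this is {}
    with open(live, "wb") as fh:
        fh.write(b"MZ constructed stand-in, overwritten")  # simulate the file being replaced
    after = check_against_baseline(baseline)      # now reports the live file as modified
    return before, after, matches_reference(live, clean)


if __name__ == "__main__":
    print(demo())
```

    Run against real paths, the baseline dictionary is what you would keep (and re-check after every scan or reboot), and a mismatch against the ServicePackFiles copy is the signal that the system32 binary needs to be replaced again.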
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I'm not sure of the trojan you refer to?

    There are a few variants of SPYBOT which use a registry startup of "Windows AutoUpdate" however they do not modify any system files. To remove SpyBot, simply delete the 2 registry startup keys and remove the file. TDS should detect any SpyBot variant, at the very least in a Process Memory Scan.

    Edit - or perhaps the Blaster worm, in which case TDS will detect the file and you can remove it and the registry entry.
     