Originally posted by The FiShMaN: Sorry Tony but that AUPDATE.EXE does load from SYSTEM32 DIR in Win2K. It is a file from Symantec Corp. It's the Live Update part of the prog. Thought you may want to know that since you may not be familiar with Win2K as much as you are with XP.
This particular Aupdate.exe is a baddy. No legitimate Symantec Aupdate.exe loads at startup this way.
As a matter of fact, I got hold of the file, and reported it.
As a result, Ad-Aware is now targeting it, and it also has been included in the SpyBot S&D beta updates.
I sent it to Andrew Clover to be analyzed, and he came back with the following:
"I'm calling this 'AUpdate'. It is distributed by 'searchbarcash.com', who run the usual dastardly webmaster affiliate scheme to get it loaded; the company name given at that site is 'CDT Inc.'. CDT also run poortals my-internet.info and blazefind.com, which have links to install pages for AUpdate.

The class ID used by its ActiveX drive-by installer is good old:
018B7EC3-EECA-11D3-8E71-0000E82C6C0D
as used by C2/lop and any number of dialler installers. What is it with this class ID, was it used as an example in Commercial Malware For Dummies New Second Edition or something?

The file loaded by this is described as 'IE Plugin' but it's not the same as the parasite known as 'IEPlugin'. Its path is:
http://public.searchbarcash.com/soft...1.0b//0001.cab
which is signed 10th April 2003 and contains an executable ie_plugin.exe. This drops aupdate.exe and aupdate.conf into the System[32] folder. aupdate.exe is added to HKLM...Run under the name 'AutoUpdater'. aupdate.conf contains, I believe, the URL aupdate.exe will connect to, but it's in an encoded form; looks crackable but I can't be bothered.

aupdate.exe fetches sequentially numbered executable files:
http://www.my-internet.info/updates/upgrade1.exe
http://www.my-internet.info/updates/upgrade2.exe
...
and stops when it gets a 404. It stores the next number to try in the file aupdate.trk, also in the System[32] folder, and presumably tries it again later.

At the moment, upgrades 1 to 3 are available; I'll keep an eye on upgrade4.exe to see if anything else is installed. The 'upgrades' are:

1: An uninstaller for AUpdate. Adds 'aupdate_uninstall.exe' and 'M01' to the System[32] folder, and sets up an Uninstall entry for Add/Remove Programs under the name 'MS AUpdate'.

2: An IE toolbar, using shdocvw.dll to add an HTML page as a toolbar, namely
http://public.searchbarcash.com/bars...ftware_id=0001
This page often triggers pop-up ads. It also hijacks the homepage, to:
http://public.searchbarcash.com/home...ftware_id=0001
The class ID used for the toolbar is:
69550BE2-9A78-11D2-BA91-00600827878D
which is the same as our old friend TinyBar. Indeed the method of implementing the toolbar is exactly the same as TinyBar, and if you look at the adjacent install files 0002.cab and 0003.cab you'll see they contain a TinyBar installer by name. Either CDT Inc. have 'bought' a TinyBar clone from trixscripts.com, or they have a closer connection to Asher Nahmias. I'm calling this variant TinyBar/AUpdate."
In short, it's a baddie, and you'd do well to nuke it off your system.
Don't trust me, trust Lavasoft, SpyBot, and Andrew Clover...
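As an added defender's example (not from this post or from Andrew Clover's analysis), a small Python triage script that flags the two behaviours described above in constructed sample data: the HKLM Run value 'AutoUpdater' pointing at aupdate.exe in the System32 folder, and a client walking the numbered upgradeN.exe URLs on my-internet.info until it hits a 404. The proxy log format, client addresses and the Run-entry list are assumptions made for the example.

```python
import re
from collections import defaultdict
# Constructed sample proxy log lines ("client status url"); not taken from the post.
SAMPLE_LOG = """\
10.0.0.5 200 http://www.my-internet.info/updates/upgrade1.exe
10.0.0.5 200 http://www.my-internet.info/updates/upgrade2.exe
10.0.0.5 200 http://www.my-internet.info/updates/upgrade3.exe
10.0.0.5 404 http://www.my-internet.info/updates/upgrade4.exe
10.0.0.9 200 http://www.my-internet.info/updates/upgrade1.exe
10.0.0.7 200 http://example.com/index.html
"""
# aupdate.exe walks http://www.my-internet.info/updates/upgradeN.exe for N = 1, 2, ...
UPGRADE_RE = re.compile(r"^https?://www\.my-internet\.info/updates/upgrade(\d+)\.exe$", re.I)

def find_aupdate_clients(log_text):
    """Per client: upgrade numbers fetched (HTTP 200) and the one that 404'd (what aupdate.trk would retry)."""
    hits = defaultdict(lambda: {"fetched": [], "next_to_retry": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, status, url = parts
        m = UPGRADE_RE.match(url)
        if not m:
            continue
        n = int(m.group(1))
        if status == "200":
            hits[client]["fetched"].append(n)
        elif status == "404":
            hits[client]["next_to_retry"] = n
    return dict(hits)

def is_sequential_walk(record):
    """True when the fetched numbers are exactly 1..k with k > 1: the automated
    walk described in the analysis rather than a single manual download."""
    fetched = sorted(record["fetched"])
    return len(fetched) > 1 and fetched == list(range(1, len(fetched) + 1))

# Constructed HKLM\...\Run entries (value name, command), as a registry export lists them.
SAMPLE_RUN = [("AutoUpdater", r"C:\WINNT\system32\aupdate.exe"), ("ctfmon", r"C:\WINNT\system32\ctfmon.exe")]

def suspicious_run_entries(entries):
    """Run entries matching the persistence: value name 'AutoUpdater' or image aupdate.exe."""
    flagged = []
    for name, cmd in entries:
        image = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == "autoupdater" or image == "aupdate.exe":
            flagged.append((name, cmd))
    return flagged
```

A client that fetched only upgrade1.exe is still reported, since the URL itself is the indicator; the sequential walk ending in a 404 is the corroborating sign that aupdate.exe, not a user, did the fetching.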