
winupdt.exe

This file could be part of the W32/Rbot-FP worm!

W32/Rbot-FP is a worm for the Windows platform that also has backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process. It spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate commands from a remote user.

The worm copies itself to the Windows system folder as winupdt.EXE and creates entries at the following locations in the registry so as to run itself on system startup:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Microsoft Update Machine = winupdt.exe
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Microsoft Update Machine = winupdt.exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    Microsoft Update Machine = winupdt.exe

W32/Rbot-FP will also set the registry entries below:

  • HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
  • HKLM\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = dword:00000001
  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = dword:00000001
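The registry locations and file name quoted in the post above are the indicators an administrator would actually check. The script below is an added example (not part of the original post and not from any vendor write-up): it reads those keys and the System32 folder on the local machine and reports anything that matches, without changing anything. The key paths, value name and file name come from the post; the script structure, variable names and output wording are my own.

```powershell
# Added example: read-only checks for the W32/Rbot-FP persistence and
# settings changes described in the post. Run in an elevated PowerShell
# session on the suspect machine; nothing is modified or deleted.

# Value name and file name quoted in the post.
$valueName = 'Microsoft Update Machine'
$fileName  = 'winupdt.exe'

# Autorun locations the worm uses to start itself on boot/logon.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Settings the worm changes, with the data the post reports it writes.
$tamperChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';               Name = 'EnableDCOM';        Expected = 'N' },
    @{ Key = 'HKLM:\SYSTEM\ControlSet001\Control\Lsa';     Name = 'restrictanonymous'; Expected = 1   },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous'; Expected = 1   }
)

$findings = @()

# 1. Autorun entries: the value name is the strongest indicator.
foreach ($key in $runKeys) {
    # -ErrorAction SilentlyContinue: the key may simply not exist (RunServices
    # is normally absent on NT-based Windows unless something created it).
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties[$valueName]) {
        $data = $props.$valueName
        if ($data -match [regex]::Escape($fileName)) {
            $findings += "Autorun entry: $key\$valueName = $data"
        }
    }
}

# 2. Dropped file in the Windows system folder; hash it for the incident record.
$dropPath = Join-Path $env:SystemRoot "System32\$fileName"
if (Test-Path -Path $dropPath) {
    $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    $findings += "File present: $dropPath (SHA256 $hash)"
}

# 3. Settings the worm flips. These are weak indicators on their own:
#    restrictanonymous=1 and EnableDCOM=N are also legitimate hardening choices.
foreach ($check in $tamperChecks) {
    $props = Get-ItemProperty -Path $check.Key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties[$check.Name]) {
        $data = $props.($check.Name)
        if ("$data" -eq "$($check.Expected)") {
            $findings += "Setting matches worm change: $($check.Key)\$($check.Name) = $data"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Rbot-FP indicators found.'
} else {
    Write-Output 'Possible W32/Rbot-FP indicators:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Treat the autorun value and the file as the findings that matter; the two Lsa and Ole settings only corroborate, since a hardened machine can legitimately have `restrictanonymous` set to 1 and DCOM disabled. If the file is present, leave it in place until a scanner has been run and the hash recorded, because the file and the autorun value together are what confirm the infection.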
