| Thread ID: 51955 | 2004-12-05 21:46:00 | WUAMGR.EXE | drb1 (4492) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 299743 | 2004-12-05 21:46:00 | wuamgr.exe: Google knows nothing. Don't know what it really is, but it turned up this a.m. Internet browsers would not display, but data was sent and received, too much. Would not be shut down in Task Manager or removed in normal mode. Shut down, restarted, and deleted it in safe mode; browsers returned to normal. AVG, Stinger, A2 did not see or dislike it. Of course it lives in sys32; the name is ominous. FYI. D. |
drb1 (4492) | ||
| 299744 | 2004-12-05 22:08:00 | Looks like it might be something like this. securityresponse.symantec.com |
Spacemannz (808) | ||
| 299745 | 2004-12-05 22:10:00 | Try again! Might be a good idea to update your system after you remove it.

W32.Spybot.Worm is a detection for a family of worms that spreads using KaZaA file sharing and mIRC. This worm can also spread to computers that are infected with common backdoor Trojan horses. W32.Spybot.Worm can perform different backdoor-type functions by connecting to a configurable IRC server and joining a specific channel to listen for instructions.

Newer variants may also spread by exploiting the following vulnerabilities:
The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
The UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS01-059).
The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if the patch in Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-049.

Also Known As: Worm.P2P.SpyBot.gen [Kaspersky], W32/Spybot-Fam [Sophos], W32/Spybot.worm.gen [McAfee], WORM_SPYBOT.GEN [Trend], Win32.Spybot.gen [Computer Associates]
Type: Worm
Infection Length: various
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x
Virus Definitions (Intelligent Updater)*: April 16, 2003
Virus Definitions (LiveUpdate™)**: April 16, 2003
* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.

Wild: Number of infections: More than 1000; Number of sites: More than 10; Geographical distribution: High; Threat containment: Easy; Removal: Moderate
Threat Metrics: Wild: Medium; Damage: Medium; Distribution: Medium
Damage Payload: Releases confidential info: Sends personal data to an IRC channel. Compromises security settings: Allows unauthorized commands to be executed on an infected machine.
Distribution: Shared drives: Spreads using the KaZaA file-sharing network, as well as through mIRC.

When W32.Spybot.Worm is executed, it does the following:
Copies itself to the %System% folder. Some variants may have the file name Bling.exe or Wuamgrd.exe. Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Can be configured to create and share a folder on the KaZaA file-sharing network, by adding the following registry value: "dir0"="012345:<configurable path>" to the registry key: HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent. Copies itself to the configured path as file names that are designed to trick other users into downloading and executing the worm.
Can be configured to perform Denial of Service (DoS) attacks on specified servers.
Can be configured to terminate security product processes.
Connects to specified IRC servers and joins a channel to receive commands. One such command is to copy itself to many hard-coded Windows Startup Folders, such as the following:
Documents and Settings\All Users\Menu Start\Programma's\Opstarten
WINDOWS\All Users\Start Menu\Programs\StartUp
WINNT\Profiles\All Users\Start Menu\Programs\Startup
WINDOWS\Start Menu\Programs\Startup
Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup
Note: Symantec Security Response has received reports of variants of this worm creating zero-byte files in the Startup folder. These files may have file names such as TFTP780 or TFTP###, where # can be any number.
Adds a variable registry value to one or more of the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE
For example: "Microsoft Update" = "wuamgrd.exe" or "Microsoft Macro Protection Subsystem" = "bling.exe"
May log keystrokes to a file in the System folder.
May send personal information, such as the operating system, IP address, user name, and so on, to the IRC server.
May open a backdoor port.
May register itself as a service.
May spread by exploiting the following vulnerabilities:
The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) using TCP ports 139 and 445.
The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
The UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS01-059).
The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if the patch in Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-049. |
Spacemannz (808) | ||
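A defender-side check for the persistence indicators in the write-up quoted above, added here as an example; it is not part of the original thread and not Symantec's tooling. It parses a .reg export of the autorun keys and a Startup-folder listing (both constructed below) and flags the wuamgrd.exe / bling.exe autorun values and the zero-byte TFTP### files the write-up describes; the function names and sample data are assumptions.

```python
import re

# Autorun keys the quoted write-up names as persistence locations (compared case-insensitively).
AUTORUN_KEYS = {f"{hive}\\software\\microsoft\\windows\\currentversion\\{sub}"
                for hive in ("hkey_local_machine", "hkey_current_user")
                for sub in ("run", "runonce", "runservices")}
AUTORUN_KEYS.add(r"hkey_current_user\software\microsoft\ole")
# Dropped-file names the write-up lists, and the zero-byte TFTP### Startup-folder markers.
SUSPECT_NAMES = {"wuamgrd.exe", "bling.exe"}
TFTP_MARKER = re.compile(r"^TFTP\d+$", re.IGNORECASE)

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def find_autorun_hits(reg_text):
    """Return (key, value_name, data) for autorun entries that launch a suspect file name."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in AUTORUN_KEYS:
            continue
        for name, data in values.items():
            # Compare only the final path component, so a bare name and a full path both match.
            exe = data.lower().replace("\\", "/").rsplit("/", 1)[-1]
            if exe in SUSPECT_NAMES:
                hits.append((key, name, data))
    return hits

def find_startup_markers(listing):
    """From [(file_name, size_bytes)] return the zero-byte TFTP### marker files."""
    return [n for n, size in listing if size == 0 and TFTP_MARKER.match(n)]

# Constructed sample data, not exported from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="wuamgrd.exe"
"Adobe Reader"="C:\\Program Files\\Adobe\\reader.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Microsoft Macro Protection Subsystem"="C:\\WINDOWS\\System32\\bling.exe"
'''
SAMPLE_STARTUP = [("desktop.ini", 271), ("TFTP780", 0), ("TFTP9", 0), ("notes.txt", 0)]
```

Running the two checks over a `reg export` of each listed key and a `dir` of each Startup folder is enough to confirm or rule out this family's persistence after the file itself has been removed.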
| 299746 | 2004-12-05 22:27:00 | > Looks like it might be something like this.
> securityresponse.symantec.com/avcenter/venc/dat.../w32.spybot.worm.html

Maybe, AVG and Stinger get all the others; if it's a new variant they'll catch up soon. Norton's products do not get anywhere near any comp I work on or with. I don't use this Doze very much and I'm not having it ruined by all those unnecessary auto updates I have no control over. Once they're in, the damn thing won't work properly; a few bugs are easier to kill. This is the first time I've seen that title. Windows updates open as many vulnerabilities as they close. I shall just have to type the password in, or learn to use profiles in Firefox instead of using IE for one e-mail address; that will be how I got the nasty. D. |
drb1 (4492) | ||