Old 07-10-2007, 10:50 AM   #1
Brookfield
Golden Master
Join Date: Apr 2005
Posts: 10,056
WIN32/PE patch

AVG detected over a dozen of these at one go, they are safely in the vault, what are they, what's their connection, with Windows, & how dangerous are they?
Old 07-10-2007, 11:05 AM   #2
Steff
Daemon Poster
Join Date: Sep 2006
Posts: 1,435
Re: WIN32/PE patch

Trojan.Win32.PePatch.cp
Type: Malware
Type Description: Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
Category: Trojan
Category Description: Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.
Level: High
Level Description: High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice Type: Remove
File Traces: update.exe

Also...

Aliases: [Win32/]Rbot.FAY; [Win32/]Spybot.4wq!Worm (InoculateIT); [Win32/]Packed.Win32.PePatch.aw (Kaspersky); [Win32/]Rbot.FAY;

Date Modified: 11-May-2006
Date Published: 11-May-2006

Description:

Win32.Rbot.FAY is an IRC controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively developed, however the core functionality is quite consistent between variants.

This particular variant of Rbot is distributed as a 71,578 byte, Win32 executable that exhibits the following specific characteristics:

When executed this variant copies itself to the %System% directory as W1nUpdate.exe and makes the following modifications to the registry to ensure that this file is executed at each Windows system start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "w1nupdate.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Windows Update Service = "w1nupdate.exe"

Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
hi, i like eggs.
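The persistence described in the write-up above (autorun values under Run and RunServices pointing at a lookalike "w1nupdate.exe" in %System%) is something a defender can audit directly. The PowerShell script below is an added example, not part of the post or of any vendor write-up; it assumes a current Windows where %System% resolves to %SystemRoot%\System32 and where Get-AuthenticodeSignature is available.

```powershell
# Added example: audit the two autorun keys named in the Rbot.FAY description.
# Flags entries whose target is missing, unsigned, or uses digit-for-letter
# lookalike names such as "w1nupdate.exe". Assumes %System% = %SystemRoot%\System32.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Pull the executable out of an autorun command line. A bare file name (the
# post's entry is just "w1nupdate.exe") is resolved relative to System32.
function Resolve-AutorunTarget([string]$Command) {
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+', 2)[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $exe = Join-Path $env:SystemRoot "System32\$exe"
    }
    return $exe
}

# "w1nupdate" -> "winupdate": undo common digit-for-letter swaps and see whether
# the result now spells a Windows-sounding name that the original did not.
function Test-LookalikeName([string]$FileName) {
    $lower  = $FileName.ToLower()
    $normal = $lower -replace '1','i' -replace '0','o' -replace '3','e' -replace '4','a' -replace '5','s'
    return ($normal -ne $lower) -and ($normal -match 'win|update|microsoft|service|system|svc')
}

function Get-SuspiciousAutorun {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }          # RunServices is absent on modern Windows
        $entries = Get-ItemProperty -Path $key
        foreach ($prop in $entries.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }     # provider metadata, not a registry value
            $target = Resolve-AutorunTarget ([string]$prop.Value)
            $flags  = @()
            if (-not (Test-Path -LiteralPath $target)) {
                $flags += 'target missing'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $target
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            }
            if (Test-LookalikeName ([IO.Path]::GetFileName($target))) { $flags += 'lookalike name' }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value; Flags = ($flags -join ', ') }
            }
        }
    }
}
Get-SuspiciousAutorun | Format-Table -AutoSize
```

Unsigned but legitimate third-party entries will also appear with "signature: NotSigned", so treat the lookalike flag and a missing target as the stronger signals and verify the rest by hand.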
Old 07-10-2007, 11:29 AM   #3
Brookfield
Golden Master
Join Date: Apr 2005
Posts: 10,056
Re: WIN32/PE patch

Quote:
Originally Posted by Steff
Trojan.Win32.PePatch.cp
Type: Malware
Type Description: Malware ("malicious software") consists of software with clearly malicious, hostile, or harmful functionality or behavior and that is used to compromise and endanger individual PCs as well as entire networks.
Category: Trojan
Category Description: Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.
Level: High
Level Description: High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice Type: Remove
File Traces: update.exe

Blimey, [gulp!] good job they're in the vault then!!!
Old 07-10-2007, 11:56 AM   #4
muz
Golden Master
Join Date: Oct 2006
Posts: 6,928
Re: WIN32/PE patch

I would do a full system scan as well.
Desktop-AMD Athlon 64 X2 6000+-2GB Elixer DDR2 800 250gb+500gb+500gb+120gb
Laptop-Apple Macbook Pro 13" Intel core i5(2.3ghz) 4gb Ram 320gb hard drive
Old 07-10-2007, 12:06 PM   #5
Brookfield
Golden Master
Join Date: Apr 2005
Posts: 10,056
Re: WIN32/PE patch

Quote:
Originally Posted by muz
I would do a full system scan as well.

I did.
Old 07-10-2007, 01:24 PM   #6
Raffaz
Golden Master
Join Date: Sep 2006
Posts: 6,798
Re: WIN32/PE patch

Welcome to the world of broadband; it's so much easier to get infected on that than it is on dialup.
Old 07-10-2007, 01:36 PM   #7
Brookfield
Golden Master
Join Date: Apr 2005
Posts: 10,056
Re: WIN32/PE patch

Quote:
Originally Posted by Raffaz
Welcome to the world of broadband; it's so much easier to get infected on that than it is on dialup.

I haven't had any for five days.
Old 07-10-2007, 01:39 PM   #8
Raffaz
Golden Master
Join Date: Sep 2006
Posts: 6,798
Re: WIN32/PE patch

I haven't had any for a few years.
Old 07-10-2007, 06:29 PM   #9
muz
Golden Master
Join Date: Oct 2006
Posts: 6,928
Re: WIN32/PE patch

Quote:
Originally Posted by Raffaz
I haven't had any for a few years.

Yeah, I had my last one 3 weeks ago on my laptop. But yeah, with being connected all the time there are problems.
Old 07-10-2007, 06:37 PM   #10
DJ-CHRIS
Golden Master
Join Date: Apr 2006
Posts: 5,203
Re: WIN32/PE patch

Quote:
Originally Posted by Brookfield
AVG detected over a dozen of these at one go, they are safely in the vault, what are they, what's their connection, with Windows, & how dangerous are they?

So it looks like this was an initial backdoor, then someone would use it to install more software to attack other computers (DDoS attack).

I haven't had a virus for years*

*on my main computer or laptop; I play around with viruses quite a bit in test environments.