
Thread: winxpupdate.exe- Hackers Army

  1. #1

    winxpupdate.exe- Hackers Army

    AVG found a trojan, BackDoor.HackArmy.2.c, and I used TrojanHunter to remove it. Now it was found in winxpupdate.exe. Should I replace this file, or can I keep it and run Windows Update safely? And if I need to replace it, if I run Windows Update will it be replaced by the Microsoft website? Thanks for a great site and a good resource for us of the unwashed masses who know little about this stuff.

  2. #2
    It's highly unlikely Microsoft would release a patch entitled "winxpupdate.exe". Usually Microsoft's official service packs involve names longer than my.... anyway...

    No - it's more likely an inane ruse designed to make the unsuspecting user open it thinking "this'll solve all my problems" *FIZZLE*

    Seriously, it's a b/s file designed to trick you into executing virii on your machine. Delete it and download proper updates and service packs from Microsoft:

    http://windowsupdate.microsoft.com/

    Your computer will now be totally secure!!!!!!!!!!!!!!!!!!

    Sarcasm mode: OFF

    Moiss
    # Now if I ever needed inspiration,
    Right about now where I lose my patience,

  3. #3
    Well, I do thank you, and Mr. Steve Ballmer assured me that Windows was more secure than ever. (Kind of makes you wonder what it was like before his statement; a picture of Swiss cheese comes to mind.)
    Thanks again.

  4. #4
    Found some more info on this trojan from Trendware's site:
    Description:
    This backdoor malware drops a copy of itself as WINXPUPDATE.EXE in the Windows system folder. It then executes this dropped copy, and deletes its original running copy.

    It adds a registry entry to ensure its automatic execution at every Windows startup.

    This malware operates as an IRC bot that connects to an IRC server, where it listens for commands from a remote user. It executes these commands, providing the remote user with control over the affected machine.

    It runs on Windows 95, 98, ME, NT, 2000, and XP.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing at startup.

    Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
    In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    Winsock32driver = "winXPupdate.exe"
    Close Registry Editor.

    Then it goes on to say use Task manager to end the process, close system restore and run a scan


  5. #5
    Just Another Geek

    Re: winxpupdate.exe- Hackers Army

    Originally posted here by hard candy
    AVG found a trojan, BackDoor.HackArmy.2.c, and I used TrojanHunter to remove it. Now it was found in winxpupdate.exe. Should I replace this file, or can I keep it and run Windows Update safely?
    There's nothing to "replace". This file doesn't belong on your computer, remove it.

    Originally posted here by hard candy
    Well, I do thank you, and Mr. Steve Ballmer assured me that Windows was more secure than ever. (Kind of makes you wonder what it was like before his statement; a picture of Swiss cheese comes to mind.)
    AFAIK this backdoor doesn't abuse a bug in the system. So the only one to blame is the one that opened the wrong file.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    So the only one to blame is the one that opened the wrong file.
    I didn't install it, I just installed the cracked software I downloaded, extracted some movie and xbox game files I got from the newsgroups, and went on IRC to the xxx sites to get some pictures, but I never installed that program! I wouldn't be THAT dumb!

    The dog must have done it when he sent off for that Lassie screensaver.

  7. #7
    RoadClosed
    The dog or the cracked software. What is an easy way to distribute a trojan? Modify doom3 or a popular app by wrapping a trojan into the executable and distribute it as "cracked" software.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  8. #8
    Und3ertak3r
    I didn't install it, I just installed the cracked software I downloaded
    That has just made my day..

    I hear MS is working on a new patch for all their operating systems; there are beta versions around the traps.. This is to overcome the weakness that was mentioned. Symantec have also released an update for their AV products, FXid10T.exe; it removes the root cause of the problem. The user needs to supply 250g of C4; this needs to be placed around the HDD, and the user needs to get really close to the HDD to watch for problems during the execution..


    Info from Trend Micro on this malware:

    Description:

    This backdoor malware drops a copy of itself as WINXPUPDATE.EXE in the Windows system folder. It then executes this dropped copy, and deletes its original running copy.

    It adds a registry entry to ensure its automatic execution at every Windows startup.

    This malware operates as an IRC bot that connects to an IRC server, where it listens for commands from a remote user. It executes these commands, providing the remote user with control over the affected machine.

    It runs on Windows 95, 98, ME, NT, 2000, and XP.

    Solution:

    Terminating the Malware Program

    This procedure terminates the running malware process.

    1. Open Windows Task Manager.
    » On Windows 95, 98, and ME, press
    CTRL+ALT+DELETE
    » On Windows NT, 2000, and XP, press
    CTRL+SHIFT+ESC, then click the Processes tab.
    2. In the list of running programs*, locate the process:
    WINXPUPDATE.EXE
    3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    4. To check if the malware process has been terminated, close Task Manager, and then open it again.
    5. Close Task Manager.

    *NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing at startup.

    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
    3. In the right panel, locate and delete the entry:
    Winsock32driver = "winXPupdate.exe"
    4. Close Registry Editor.

    NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

    Additional Windows ME/XP Cleaning Instructions

    Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

    Users running other Windows versions can proceed with the succeeding procedure sets.
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
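The Trend Micro write-ups quoted in posts #4 and #8 give one concrete indicator of this backdoor: the autostart value Winsock32driver = "winXPupdate.exe" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The following is an added example, not code from the thread or from Trend Micro: it scans the text of a .reg export (the format regedit and `reg export` write) and reports any Run entry that matches that indicator. The HKEY_LOCAL_MACHINE Run key and the sample export are my assumptions, not from the page.

```python
import re

# The autostart indicator Trend Micro lists for this backdoor (quoted in the thread).
IOC_VALUE_NAME = "winsock32driver"
IOC_FILE_NAME = "winxpupdate.exe"
# Run keys to inspect: the thread names HKCU; HKLM is the machine-wide twin (assumption).
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

def find_autostart_iocs(reg_text):
    """Return (key, value_name, data) for every Run entry matching the indicator."""
    run_keys = {k.lower() for k in RUN_KEYS}
    hits, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            current_key = section.group("key")
            continue
        if current_key is None or current_key.lower() not in run_keys:
            continue  # only the autostart keys matter here
        value = _STRING_VALUE.match(line)
        if not value:
            continue  # hex:/dword: values are not launch commands
        name = value.group("name")
        data = value.group("data").replace("\\\\", "\\")  # .reg escapes backslashes
        if name.lower() == IOC_VALUE_NAME or IOC_FILE_NAME in data.lower():
            hits.append((current_key, name, data))
    return hits

# Constructed sample export: a benign entry, the backdoor's entry, and a value
# under an unrelated key that must not be reported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Winsock32driver"="winXPupdate.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for key, name, data in find_autostart_iocs(SAMPLE_REG):
        print(f"suspicious autostart: {key}\\{name} = {data}")
```

A real export from `reg export` is written as UTF-16, so read the file with encoding="utf-16" before passing its text in.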

  9. #9
    RoadClosed
    I wouldn't be THAT dumb!
    BUT
    I just installed the cracked software I downloaded
    AND TO TOP IT OFF, THEY ARE
    files I got from the newsgroups
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    Antionline Herpetologist
    I didn't install it, I just installed the cracked software I downloaded, extracted some movie and xbox game files I got from the newsgroups, and went on IRC to the xxx sites to get some pictures, but I never installed that program! I wouldn't be THAT dumb!
    I think that that was an attempt at sarcasm as signified by the .

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com
