On 14 Dec 2004 at 11:19, Colbeck, Andrew wrote:

Thanks Andrew! You are sharp. I spent quite a bit of time on Google and on the AV sites without any results.

-Nick

Subject: RE: [Declude.Virus] wuaurlt.exe
Date sent: Tue, 14 Dec 2004 11:19:50 -0800
Priority: normal
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Send reply to: [EMAIL PROTECTED]

> I've seen a variant of RBOT that was similar; the naming format is to try
> to confuse you that it is part of Windows Update, which is
> wuauserv.exe
>
> There is a gray area between the antivirus scanners and the spyware
> scanners in picking this stuff up. You'll want to get that machine
> patched, the registry cleaned for the HKLM, HKDU and the HKCU for
> whoever was logged in when it ran.
>
> If the affected OS has one, you'll also need to empty the
> %windir%\prefetch folder, as some antivirus scanners won't find it
> because the extension is renamed (or they have a blind spot for that
> folder).
>
> Since this worm has a dropper and an active component, you'll need to
> clean out both.
>
> If your antivirus scanner isn't picking it up, you can use:
>
> http://housecall.trendmicro.com
>
> which downloads an ActiveX control version of their scanner, which
> will do a full sweep of the local hard drive.
>
> And yes, this TrendMicro name does have aliases. Depending on which
> vendor you talk to, you'll also see it as GAOBOT or SDBOT. This
> specific name has no alias, according to this site, which is the only
> one I know of that tracks the virus lingo across vendors:
> http://www.virusbtn.com/resources/vgrep/index.xml
>
> There is also this site, to which you can upload a virus to have it
> checked by multiple vendors' scan engines and email you a report.
> Some engines have been removed due to legal pressures:
> http://www.virustotal.com/flash/index_en.html
>
> Andrew 8)
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Nick
> Sent: Tuesday, December 14, 2004 9:40 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.Virus] wuaurlt.exe
>
>
> On 14 Dec 2004 at 12:31, Nick wrote:
>
> > Has anyone seen or heard of a virus/worm that uses this file? It
> > seems to be attacking several PCs at my day job..
>
> As a follow up - I just found this -
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.ADG&VSect=T
>
> Nothing on McAfee or F-Prot though. Is there an alias that exists?
>
> Thanks again -
>
> -Nick
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.Virus mailing list. To unsubscribe,
> just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
> Declude.Virus". The archives can be found at
> http://www.mail-archive.com.
