Security Incidents mailing list archives

Re: strange software > winsupdater.exe


From: Harlan Carvey <keydet89 () yahoo com>
Date: Thu, 17 Mar 2005 03:08:14 -0800 (PST)

Dave,

> Though there is little (or no) info on the file, I would bet my last dollar
> that it's a virus or other malware file. Here's why:
> 1) No info on the file through Google or webferret searches. If it was
> legit, there would be info. Especially at Microsoft's site.

Not necessarily.  There are a great number of Registry
keys, for example, that are in Win2K and above, on
which MS has *no documentation*.  So assuming that
MS is going to have information about all of its
files and DLLs is not a safe assumption to make.

However, you _can_ get a warm fuzzy if the file has
the MS file version information compiled into it. 
That warm fuzzy can be increased if the file is
digitally signed by MS.  

> 2) It shouldn't be in the Registry at startup locations.

Yes...maybe.  

> 3) It probably has a recent creation date, since it was recently placed on
> your machine.

Well, a simple command (ie, "dir /tc <file>") would
sort of confirm that, wouldn't it?  Adding to that the
LastWrite time from the Run key would be nice.  Oh,
darn...the OP doesn't seem to have that information
available.  I wonder why that is??
 
> I would delete it in the Registry and in any folders.

Probably a good idea...*after* a root cause analysis
of (a) how it got on the system and (b) what it
did/does has been completed.  And perhaps maybe not
delete, but how about copy it off of the system,
preserving it for analysis?




------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
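The triage steps the reply sketches (version resource, MS digital signature, creation time, Run key LastWrite time, then preserve rather than delete) gathered into one script, as an added example that is not part of the original thread or the poster's own tooling. It assumes Windows PowerShell 5.1 on a 64-bit host; the file path and evidence folder are placeholders, and the RegQueryInfoKey P/Invoke is used because the Registry provider does not expose a key's LastWrite time.

```powershell
# Added example (not from the original post). Triage one suspect startup
# executable before touching it: who built it, who signed it, when it
# arrived, which Run value references it, and when that key last changed.
param(
    [string]$Path = 'C:\Windows\System32\winsupdater.exe'   # placeholder path, assumed
)

# RegQueryInfoKey is the only way to read a key's LastWrite time; Get-Item does not expose it.
Add-Type -Namespace Triage -Name RegApi -MemberDefinition @'
[DllImport("advapi32.dll", EntryPoint = "RegQueryInfoKeyW", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, System.Text.StringBuilder lpClass, ref uint lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyLastWriteTime {
    param([Microsoft.Win32.RegistryKey]$Key)
    $cbClass = [uint32]0
    $n1 = $n2 = $n3 = $n4 = $n5 = $n6 = $n7 = [uint32]0
    $ft = [long]0
    $rc = [Triage.RegApi]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(), $null,
        [ref]$cbClass, [IntPtr]::Zero, [ref]$n1, [ref]$n2, [ref]$n3, [ref]$n4,
        [ref]$n5, [ref]$n6, [ref]$n7, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with error $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
$item = Get-Item -LiteralPath $Path

# 1) Version resource compiled into the binary (the first "warm fuzzy").
$vi = $item.VersionInfo
[pscustomobject]@{
    File             = $item.FullName
    CompanyName      = $vi.CompanyName
    ProductName      = $vi.ProductName
    FileVersion      = $vi.FileVersion
    OriginalFilename = $vi.OriginalFilename
} | Format-List

# 2) Authenticode signature: Status 'Valid' plus a Microsoft signer is the stronger signal.
$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    Issuer          = $sig.SignerCertificate.Issuer
} | Format-List

# 3) Creation time (what "dir /tc" shows) alongside the other timestamps for comparison.
[pscustomobject]@{
    CreationTimeUtc   = $item.CreationTimeUtc
    LastWriteTimeUtc  = $item.LastWriteTimeUtc
    LastAccessTimeUtc = $item.LastAccessTimeUtc
} | Format-List

# 4) Run key values that reference the file, with the key's LastWrite time.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
if ($key) {
    $keyLastWrite = Get-RegKeyLastWriteTime -Key $key
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        if ("$data" -like "*$($item.Name)*") {
            [pscustomobject]@{ ValueName = $name; Data = $data; KeyLastWriteUtc = $keyLastWrite } | Format-List
        }
    }
    $key.Close()
}

# 5) Preserve before any cleanup: copy the file off to an evidence folder and record its hash.
$evidence = Join-Path $env:TEMP 'evidence'   # assumed location; use removable media in practice
New-Item -ItemType Directory -Force -Path $evidence | Out-Null
Copy-Item -LiteralPath $Path -Destination $evidence
Get-FileHash -Algorithm SHA256 -LiteralPath (Join-Path $evidence $item.Name)
```

Run it from an elevated prompt so the HKLM Run key and the System32 file are readable; comparing the file's creation time against the Run key's LastWrite time is the correlation the reply asks the OP for, and the copy plus hash keeps the sample intact for the root cause analysis the reply puts ahead of deletion.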

