Re: [Full-disclosure] Researching IMISERV (wupdt.exe)
- To: rlh@xxxxxxx
- Subject: Re: [Full-disclosure] Researching IMISERV (wupdt.exe)
- From: Reece Mills <reece.mills@xxxxxxxxxxx>
- Date: Thu, 07 Jul 2005 03:45:26 -0500
What!? No Takers?!!!
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_IMISERV.A
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.imiserv.html
PLEASE!!! Your neighbor is you and the friend is your wife. You
formatted and re-installed the machine.
If you're not trolling...
You want to infect a butt-load of educational systems (no doubt on an
.edu network, no doubt exposed to the public) with a virus (Trojan
really).
From McAfee:
This program is not a virus. However, it may seem to have trojan like
behaviour. There is more than one version of this program. Users may
observe a slightly different behaviour.
This program is a download component of the IMIServ application. When
run, it installs itself onto the target machine as %WinDir%\wupdt.exe.
It attempts to download content from a remote server. The following
Registry entries are added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Win Server Updt" = WUPDT.EXE
Seems to be installed by some pop-up adverts (this is difficult to
track down).
To enable detection for this program, please refer to the instructions
below about how to configure application-type detections within
VirusScan v7+. Alternatively, users could run the command line scanner
with the /PROGRAM switch.
How much do you make? Maybe I'll want to work for you.
--Reece
rlh@xxxxxxx wrote:
| Hello everyone,
|
| I am in the process of developing network security labs for some
| community college students. Very recently I assisted a neighbor
| with removing the IMISERV virus from a friend's laptop. It's not
| possible to get the laptop back, but I would very much like to
| write a lab for my students in which they would operate a machine
| infected with IMISERV, identify the wupdt.exe process, and then
| gather information from the net on how to remove this themselves.
|
| I've been looking all over the net but have not been able to find a
| copy of this virus/trojan. Can anyone point me in the right
| direction?
|
| These are some of the sites I've checked so far, but have not been
| able to locate IMISERV:
|
| http://www.infosyssec.net
| http://el-killer.chez.tiscali.fr/Virii.htm
| http://membres.lycos.fr/asle/virii.2.html
| http://www.security.nnov.ru
| http://biohazard.xz.cz
| http://www.astalavista.com
|
| And several others.
|
| Can anyone shed some light on where to grab this?
|
| thx,
|
| rlh
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
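An added example, not part of the thread and not McAfee's or any other vendor's tooling: for a lab like the one rlh describes, the quickest way to show students the persistence hook from the quoted McAfee text is to have them export the Run key (`reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) and scan it. The script below parses that .reg export and flags entries that match either indicator from the description (the value name "Win Server Updt" or an image named wupdt.exe). The export embedded in the block is constructed sample data, not a capture from an infected host, and the indicator constants are assumptions drawn only from the quoted text; since McAfee notes more than one version exists, the check matches on name and image independently rather than requiring both.

```python
"""Scan an exported HKLM Run key for the IMISERV persistence entry.

Added example for the thread above; not vendor code. Indicators are taken
from the quoted McAfee description: value "Win Server Updt" = WUPDT.EXE
under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "win server updt"   # assumed from the McAfee text, compared case-insensitively
IOC_IMAGE = "wupdt.exe"              # assumed from the McAfee text

# Constructed sample export (not from a real machine): two benign-looking
# entries plus the suspect one, in the escaped form `reg export` produces.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"Win Server Updt"="WUPDT.EXE"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# A REG_SZ value line: "name"="data", with \" and \\ escapes inside either part.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape(s: str) -> str:
    """Undo .reg string escaping: \\x -> x for any escaped character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only string values ("name"="data") are kept; that is what the Run key
    holds. Other value types and the header line are ignored.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def image_name(command: str) -> str:
    """Return the lower-cased executable file name from a Run command line.

    Handles both a bare `WUPDT.EXE` and a quoted full path with arguments.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0] if cmd else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_imiserv_persistence(run_values: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (value_name, data, reason) for every entry hitting an indicator.

    Name and image are checked independently so a variant that renames the
    value but still launches wupdt.exe, or keeps the value name in front of
    a renamed binary, is still reported.
    """
    hits = []
    for name, data in run_values.items():
        reasons = []
        if name.strip().lower() == IOC_VALUE_NAME:
            reasons.append("value name matches")
        if image_name(data) == IOC_IMAGE:
            reasons.append("image is wupdt.exe")
        if reasons:
            hits.append((name, data, "; ".join(reasons)))
    return hits


def scan_export(text: str) -> List[Tuple[str, str, str]]:
    """Parse an export and scan its HKLM Run key (key path matched case-insensitively)."""
    for path, values in parse_reg_export(text).items():
        if path.lower() == RUN_KEY.lower():
            return find_imiserv_persistence(values)
    return []


if __name__ == "__main__":
    for name, data, reason in scan_export(SAMPLE_REG_EXPORT):
        print(f"SUSPECT  {RUN_KEY}\\{name!r} = {data!r}  ({reason})")
```

Running it against a real export only tells students where the hook is; confirming the process is the one McAfee describes still means checking that the file on disk is %WinDir%\wupdt.exe and what it connects to, which is the part of the lab that needs the live sample the thread is asking for.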