Monday, September 13, 2010

Recent VBmania Mass Mailer Malware Deleted the Windows Automatic Updates Service

It looks like the recent VBmania ("Here You Have" and "Just for You") mass mailer malware deleted the Automatic Updates service from infected machines. Microsoft Automatic Updates, WSUS, and SCCM-integrated WSUS need the Automatic Updates service working to successfully install monthly Microsoft patches and other updates.

It looks like reinstalling the Automatic Updates service fixes the damage on affected machines. Your antivirus tool won't restore this broken configuration for you. You will need to do that as a follow-up activity after the initial infections have been removed.

A quick way to tell if a machine lost its Automatic Updates service is to run services.msc (Start --> Run --> services.msc --> hit Enter). On a clean and healthy Windows XP machine, you should see an entry like the one circled in red below.
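For checking more than one machine at a time, the following PowerShell is an added example (not from the original post) that reports whether the "wuauserv" service is still present on each host, distinguishing a service that was deleted from one that is merely stopped or disabled. It assumes WMI and Remote Registry are reachable on the targets and that the caller holds administrative rights there; the function name is hypothetical.

```powershell
# Added example (not from the original post): report which machines are missing the
# Automatic Updates service ("wuauserv") that the VBmania mass mailer deleted.
# Assumes WMI and Remote Registry are reachable on the target hosts and that the
# caller has administrative rights there. The function name is hypothetical.
function Test-AutomaticUpdatesService {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $result = New-Object PSObject -Property @{
            ComputerName   = $computer
            ServicePresent = $false
            State          = $null
            StartMode      = $null
            RegistryKey    = $false
            Error          = $null
        }

        try {
            # A deleted service has no Win32_Service instance at all; a merely
            # disabled one is still listed, with StartMode 'Disabled'.
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'" `
                                 -ComputerName $computer -ErrorAction Stop
            if ($svc) {
                $result.ServicePresent = $true
                $result.State          = $svc.State
                $result.StartMode      = $svc.StartMode
            }

            # Cross-check the service control database: a service that was
            # deleted (rather than stopped) loses its key under ...\Services.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\wuauserv')
            $result.RegistryKey = ($key -ne $null)
            if ($key) { $key.Close() }
            $hklm.Close()
        }
        catch {
            $result.Error = $_.Exception.Message
        }

        $result
    }
}

# Example run against a constructed list of hostnames; machines reporting
# ServicePresent = False need the service reinstalled before patching will resume.
Test-AutomaticUpdatesService -ComputerName 'WKS-001', 'WKS-002' |
    Format-Table ComputerName, ServicePresent, RegistryKey, State, StartMode, Error -AutoSize
```

Feed the output into your software deployment tool's targeting so that only machines missing the service receive the repair package.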




Below is the disassembly of a portion of the relevant code from the most common variant of the malware, referencing the "wuauserv" service name in preparation for disabling that service. The malware deletes the wuauserv service entirely. Click the image for a more legible view of the disassembly.



We have prepared a completely silent software deployment package to deploy through your normal software deployment tool to fix Automatic Updates service instances broken by the VBmania/MM mass mailer worm. A normal reinstallation doesn't work due to the way the malware broke the service. This fixer package takes care of repairing that damage for you. This package will work through SCCM, Tivoli, Marimba, CA DSM, ZENworks, or any other software deployment system you might have. You can also push it out silently with PsExec as required. Given the serious nature of this problem, we are offering our fixer package for the low price of $50 USD, and that includes whatever follow-up email-based support you need for cleanup and to answer any questions you might have about the data and access credential leakage vector this malware has. As always, that is backed by our 100% money-back satisfaction guarantee. Please contact us at sales@sharpesecurity.com if you need any assistance cleaning up afterwards, or if you need help determining whether any sensitive data or access credentials leaked during this outbreak.


email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity
