

AutoUpder


Aliases:


AutoUpder
Downloader-W, Backdoor.AutoUpder, TROJ_SUA.A
TrojanDownloader.Win32.Minstaller

Malware

W32

Summary

AutoUpder is a borderline case: it is actually badly written spyware/adware rather than real malware. The software concerned uses a technology called 'BrowserToolbar', and the company that makes use of it has a website with a FAQ here:

http://www.online1net.com/



Disinfection & Removal

To remove the unwanted BrowserToolbar software components from your system, it is recommended to delete all files that F-Secure Anti-Virus detects as 'Backdoor.AutoUpder' or as a 'Security Risk of a Backdoor Program'. The BrowserToolbar software page also offers removal instructions:

http://www.browsertoolbar.com/removal.html



Technical Details

Some time ago we started to receive reports about suspicious Internet connections made from corporate and private computers, and some of our clients discovered sets of files that had appeared on their systems without their knowledge.

We believe that the initial file that was dropped on our clients' systems was MNSVC.EXE. That file is the initial BrowserToolbar downloader component. The file could have been silently dropped by some third-party installation package, but we haven't located the source yet. In any case, that file was activated without the users' knowledge; it installed itself on the system and created a startup key for itself in the Windows Registry so that it always runs with Windows. The file then tried to download another executable file called AUSVC.EXE from the www.wwws1.com website.

The AUSVC.EXE file is also a downloader component of the BrowserToolbar software, and it downloaded the rest of the BrowserToolbar software to users' systems. That component also installed itself on the system and created a startup key for itself in the Windows Registry so that it always runs with Windows. This component downloaded and activated a few more files, including the BVT.EXE and ABSR.EXE files.

The BVT.EXE and ABSR.EXE files are the main components of the BrowserToolbar software. They work as Internet browser add-ons and filter the incoming and outgoing HTTP traffic generated by the browsers. These components also install themselves on the system and create startup keys for themselves in the Windows Registry.
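A check for the startup entries described above, as an added example that is not part of the original description and is not F-Secure code. It parses `reg query`-style output and flags entries that launch one of the four named components. The description does not say which startup key is used, so the Run keys, file paths and function names in the sample are assumptions.

```python
import ntpath
import re

# Component file names taken from the description above.
COMPONENTS = {"MNSVC.EXE", "AUSVC.EXE", "BVT.EXE", "ABSR.EXE"}

# One value line of `reg query` output: name, type and data separated by 4 spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Executable path at the start of a command line, quoted or unquoted.
EXE_PATH = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe)(?=\s|$))', re.I)


def executable_name(command):
    """Return the upper-cased base file name of the program a startup entry runs."""
    m = EXE_PATH.match(command)
    path = (m.group("q") or m.group("u")) if m else command.strip()
    return ntpath.basename(path).upper()


def find_autoupder_startup_entries(reg_query_output):
    """Return (key, value_name, command) for entries launching a listed component."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        # Exact base-name match, so look-alikes such as notbvt.exe are not flagged.
        if m and key and executable_name(m.group("data")) in COMPONENTS:
            hits.append((key, m.group("name"), m.group("data")))
    return hits


# Constructed sample (not from a real system); key choice and paths are assumptions.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SystemTray    REG_SZ    C:\WINDOWS\System32\systray.exe
    mnsvc    REG_SZ    "C:\Program Files\Example\mnsvc.exe" /s
    Updater    REG_SZ    C:\WINDOWS\ausvc.exe
    Backup    REG_SZ    C:\Tools\notbvt.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Toolbar    REG_SZ    C:\WINDOWS\BVT.EXE -start
"""

if __name__ == "__main__":
    for key, name, command in find_autoupder_startup_entries(SAMPLE):
        print(f"{key} -> {name}: {command}")
```

A file-name match only marks an entry for review; the file itself should still be confirmed by a scanner, since the names alone are not unique to this software.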

We are detecting the BrowserToolbar software for the following reasons:

1. The software is installed on a system without notification or the user's approval

2. The software silently downloads and activates executable files on a user's system

3. The software uses the user's Internet connection without authorisation and sends out generic data about the user's system configuration to a website

Unless the developers of BrowserToolbar fix the security and privacy issues with their software, F-Secure Anti-Virus will detect it as a backdoor. As of the time this description was written, we had not been contacted by the developers of BrowserToolbar.

[F-Secure Anti-Virus Research Team; May 23rd, 2002]






