Classification

Category :

Other

Type :

-

Aliases :

AutoUpder, Downloader-W, Backdoor.AutoUpder, TROJ_SUA.A, TrojanDownloader.Win32.Minstaller

Summary

AutoUpder is a borderline case: it is badly written spyware/adware rather than real malware. The software in question uses a technology called 'BrowserToolbar', and the company that makes use of it has a website with a FAQ here:

https://www.online1net.com/

Removal

To remove the unwanted BrowserToolbar software components from your system it is recommended to delete all files that F-Secure Anti-Virus detects as 'Backdoor.AutoUpder' or as a 'Security Risk of a Backdoor Program'.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Some time ago we started to receive reports about suspicious Internet connections made from corporate and private computers, and some of our clients discovered sets of files that had appeared on their systems without their knowledge.

We believe that the initial file dropped onto our clients' systems was MNSVC.EXE. That file is the initial BrowserToolbar downloader component. It could have been silently dropped by some third-party installation package, but we have not located the source yet. In any case, the file was activated without the users' knowledge; it installed itself on the system and created a startup key for itself in the Windows Registry so that it is always run with Windows. The file then tried to download another executable, AUSVC.EXE, from the www.wwws1.com website.

The AUSVC.EXE file is also a downloader component of the BrowserToolbar software, and it downloaded the rest of the BrowserToolbar software to the users' systems. This component likewise installed itself on the system and created a startup key for itself in the Windows Registry so that it is always run with Windows. It downloaded and activated a few more files, including BVT.EXE and ABSR.EXE.

The BVT.EXE and ABSR.EXE files are the main components of the BrowserToolbar software. They work as Internet browser add-ons and filter the incoming and outgoing HTTP traffic generated by the browsers. These components also install themselves on the system and create startup keys for themselves in the System Registry.
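The description above gives a defender two things to hunt for: autostart entries for the four component files, and requests to the site the initial downloader fetches AUSVC.EXE from. The following script, an added example rather than F-Secure's own tooling, correlates both over constructed sample data (the Run-key value names, the file paths, the host names and the log formats are assumptions; the standard HKLM Run key is used because the description names no specific key) and reports how far the installation chain got on each host.

```python
from collections import defaultdict

# Component file names from the description, in the order they are dropped.
CHAIN = ["MNSVC.EXE", "AUSVC.EXE", "BVT.EXE", "ABSR.EXE"]
STAGE = ["initial downloader only", "second-stage downloader present",
         "toolbar components present", "toolbar components present"]
DOWNLOAD_SITE = "www.wwws1.com"  # site MNSVC.EXE fetches AUSVC.EXE from
# Constructed sample data, not real telemetry: Run-key export lines as
# host|key|value|command (value names are assumptions), proxy lines as host method url.
RUN_ENTRIES = """\
HOST-A|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|mnsvc|C:\\WINDOWS\\SYSTEM\\MNSVC.EXE
HOST-A|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|ausvc|C:\\WINDOWS\\SYSTEM\\AUSVC.EXE
HOST-A|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|bvt|"C:\\WINDOWS\\SYSTEM\\bvt.exe"
HOST-B|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|Backup|C:\\Tools\\backup.exe
HOST-C|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|mnsvc|C:\\WINDOWS\\SYSTEM\\MNSVC.EXE
"""
PROXY_LOG = """\
HOST-A GET http://www.wwws1.com/AUSVC.EXE
HOST-B GET http://www.example.com/
HOST-D GET http://www.wwws1.com/ausvc.exe
"""

def components_in_run_keys(run_entries):
    """host -> set of chain components that have a Run-key autostart entry."""
    found = defaultdict(set)
    for line in run_entries.splitlines():
        host, _key, _value, command = line.split("|", 3)
        exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if exe in CHAIN:
            found[host].add(exe)
    return found

def hosts_contacting_download_site(proxy_log):
    """Hosts that requested anything from the AUSVC.EXE download site."""
    hosts = set()
    for line in proxy_log.splitlines():
        host, _method, url = line.split()
        if url.split("/")[2].lower() == DOWNLOAD_SITE:  # ["http:", "", host, ...]
            hosts.add(host)
    return hosts

def assess(run_entries=RUN_ENTRIES, proxy_log=PROXY_LOG):
    """host -> (furthest stage reached, autostart components in drop order)."""
    comps = components_in_run_keys(run_entries)
    contacted = hosts_contacting_download_site(proxy_log)
    report = {}
    for host in sorted(set(comps) | contacted):
        present = sorted(comps.get(host, set()), key=CHAIN.index)
        stage = (STAGE[CHAIN.index(present[-1])] if present
                 else "download site contacted, no autostart entry")
        report[host] = (stage, present)
    return report
```

A host that contacted the download site but shows no autostart entry (HOST-D in the sample) still deserves a look, since the initial component may have run without persisting or may persist under a key the export did not cover.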

We are detecting the BrowserToolbar software for the following reasons:

1. The software is installed on a system without notification or the user's approval

2. The software silently downloads and activates executable files on the user's system

3. The software uses the user's Internet connection without authorisation and sends generic data about the user's system configuration to a website

Unless the developers of BrowserToolbar fix the security and privacy issues in their software, F-Secure Anti-Virus will detect it as a backdoor. We had not been contacted by the developers of BrowserToolbar at the time this description was written.

[F-Secure Anti-Virus Research Team; May 23rd, 2002]