25

On a Windows 7 workstation running an up-to-date antivirus suite (Kaspersky) I found several suspicious processes. To look at the process activity I used the excellent Process Monitor from SysInternals.

One of them had an executable name wauctla.exe located in C:\Windows. Update: the name is probably chosen deliberately to be confused with wuauclt.exe - the Windows Update Agent Control utility.

This process runs as a System Service. Using the Management Console services snap-in I was able to change the startup settings for this process from "Automatic" to "Disabled". However, there was no way I could stop the running process via the MMC snap-in.

I still managed to stop the process with the taskkill /f /PID command. I restarted the OS and the process is no longer seen in the process list.

There is an excellent thread on superuser on the procedures necessary to remove generic malware from computers running Windows. When the suspicious processes have been stopped and their executable files moved to a safe location away from the executable search path, I want to learn more about the new malware.

What sort of threat comes from this file? Is there any antivirus software around that can detect this virus? How does it spread? Should I check other computers that were accessed by the same user after this workstation was infected?

Update 2: Following the answers referring to virustotal, here is a link to the virustotal summary of this piece of malware.

21
  • 2
    wauctla.exe isn't malicious. wauctla.exe is used by Windows Update.
    – Ramhound
    Commented Mar 9, 2015 at 10:40
  • 8
    That's wuauclt.exe I believe. Commented Mar 9, 2015 at 10:53
  • 14
    wauctla.exe is a malware, and it's detected by Avast.
    – Adi
    Commented Mar 9, 2015 at 12:15
  • 1
    You're asking us what this threat does when you haven't even identified it? Does this mean that you don't know how to identify it or that it's not a known threat?
    – Jason
    Commented Mar 9, 2015 at 15:21
  • 4
    @AndréDaniel The difference is shades of grey - the world isn't black and white. Virus not a virus. If you get something from Downloads.com, click accept and get Vosteran Toolbar Awesomifier!!!... you got mal/ad/spy-ware - not a virus/trojan. It's "bonus software" and you clicked accept making it no longer "unauthorized". Should an AV uninstall/remove that? Maybe, maybe not. en.wikipedia.org/wiki/Malware#Grayware - that's why MB/SpyBot/etc are as prevalent as they are.
    – WernerCD
    Commented Mar 9, 2015 at 17:11

2 Answers

36

Don't use Process Monitor for that. Use VirusTotal, as @DavidPostill suggested, but without manually sending files. Process Explorer from SysInternals has built-in VirusTotal functionality. Just go to Options -> VirusTotal.com -> Check VirusTotal.com and a column with the header VirusTotal will appear. After a few seconds you will get the VirusTotal rating for each executable.

(screenshot: Process Explorer with the VirusTotal column enabled)

From Process Explorer you can directly kill the malicious process or find out which Windows Service started this process and stop and disable this service. This is a good way to do it, because if you kill the process the underlying service might immediately recreate the malicious process. To find out the service for a process, double-click the process and go to the Services tab.

3
  • 3
    @AndréDaniel Process Explorer only sends hashes of processes that it scans automatically. To send an entire file for analysis you must do that by manually initiating a scan via the Process or DLL details window (see the Terms of Service dialog box as shown here). Commented Mar 9, 2015 at 17:21
  • @Twisty okay, never mind, didn't know that.
    – user256743
    Commented Mar 9, 2015 at 17:27
  • 1
    Well, your point in the aspects on which it is correct remains valid seeing as it is possible to submit an entire file, just not automatically. Commented Mar 10, 2015 at 3:19
30

How do I evaluate the threat caused by malware?

You can submit your file to VirusTotal for online analysis.

  • VirusTotal checks the file using over 40 antivirus solutions.
  • This will at least tell you if any antivirus software is able to detect it.
  • If you get a positive identification you can then search for the name of the virus to find out more about how it works and what threat it poses.

What is VirusTotal?

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

Source: VirusTotal
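The same triage that the first answer does through the Process Explorer GUI (find the service that owns a process, stop and disable it before killing the process) and that the second answer does through VirusTotal (identify the file by its hash rather than by its name) can be scripted. The following is an added PowerShell example, not code from either answer or from Sysinternals; it assumes PowerShell 4 or later (for Get-FileHash and Get-CimInstance, so Windows 7 needs the Windows Management Framework update), an elevated session, and uses the process name from the question as the sample argument. The function names Get-ProcessTriage and Stop-SuspiciousService are hypothetical.

```powershell
# Added example (not from the original answers): triage a suspicious process from
# PowerShell. For each matching process it reports the image path, the Windows
# service(s) hosted in that process (Win32_Service.ProcessId), the Authenticode
# signature status of the image, and its SHA-256 so the hash can be looked up on
# VirusTotal without uploading the file. Run from an elevated prompt.

function Get-ProcessTriage {
    param([Parameter(Mandatory = $true)][string]$Name)   # process name without .exe

    $procs = Get-Process -Name $Name -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No running process named '$Name'"
        return
    }

    # Services are tied to their host process by ProcessId; this is what the
    # Services tab in Process Explorer shows.
    $services = Get-CimInstance -ClassName Win32_Service

    foreach ($p in $procs) {
        $path = $p.Path   # $null when the image cannot be read (not elevated)
        $owning = $services | Where-Object { $_.ProcessId -eq $p.Id } |
                  ForEach-Object { "$($_.Name) [$($_.StartMode)/$($_.State)]" }

        $report = [ordered]@{
            Name     = $p.ProcessName
            PID      = $p.Id
            Path     = $path
            Services = ($owning -join ', ')
        }

        if ($path -and (Test-Path -LiteralPath $path)) {
            # A legitimate Windows binary in C:\Windows is Microsoft-signed; an
            # unsigned look-alike name (wauctla vs. wuauclt) stands out here.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $report.SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            $report.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            # Hash lookup: tells you whether VirusTotal already knows the file
            # (the same thing Process Explorer submits) without sending the file.
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $report.SHA256 = $hash
            $report.VirusTotalUrl = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
        }

        [pscustomobject]$report
    }
}

function Stop-SuspiciousService {
    # Disable and stop the owning service first; killing only the process lets
    # the Service Control Manager restart the binary, as the answer warns.
    param([Parameter(Mandatory = $true)][string]$ServiceName,
          [Parameter(Mandatory = $true)][int]$ProcessId)

    Set-Service -Name $ServiceName -StartupType Disabled
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    if (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue) {
        Stop-Process -Id $ProcessId -Force   # same effect as taskkill /f /PID
    }
}

# Sample invocation using the name from the question (constructed usage):
Get-ProcessTriage -Name 'wauctla' | Format-List
# Then, with the service name and PID from the report:
# Stop-SuspiciousService -ServiceName '<service from report>' -ProcessId <PID>
```

Before removing anything, copy the image to a quarantine location and keep the hash; the hash is what you search for on VirusTotal, and a NotSigned or HashMismatch status on a file in C:\Windows that impersonates a system binary is itself a strong indicator, independent of whether any engine has a signature yet.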
