IS THIS A NEW PIECE OF MALWARE? Sure looks like it

Windows 7 Ultimate with Norton 360

Standard Windows crash dialog, which started showing up on the 24th:

Beset Pile Worst Flesh Banal has stopped working

Problem signature:
  Problem Event Name:    APPCRASH
  Application Name:    winupd.exe
  Application Version:    3.3.0.0
  Application Timestamp:    4ed8a0e4
  Fault Module Name:    jvm.dll
  Fault Module Version:    19.1.0.2
  Fault Module Timestamp:    4d4a3fae
  Exception Code:    c0000005
  Exception Offset:    000c87b2
  OS Version:    6.1.7601.2.1.0.256.1
  Locale ID:    1033
  Additional Information 1:    db06
  Additional Information 2:    db06c82ad6f4bca394604aa3f38d5a06
  Additional Information 3:    42fb
  Additional Information 4:    42fb9357df8448e25c14bdca5568b9d4

Windows application event logs show the error as:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-12-27T13:57:54.000000000Z" />
    <EventRecordID>15340</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Moose-Desktop</Computer>
    <Security />
  </System>
  <EventData>
    <Data>winupd.exe</Data>
    <Data>3.3.0.0</Data>
    <Data>4ed8a0e4</Data>
    <Data>jvm.dll</Data>
    <Data>19.1.0.2</Data>
    <Data>4d4a3fae</Data>
    <Data>c0000005</Data>
    <Data>000c87b2</Data>
    <Data>8e0</Data>
    <Data>01ccc49e359ab926</Data>
    <Data>C:\Users\Moose\AppData\Local\Temp:winupd.exe</Data>
    <Data>C:\PROGRA~2\Java\jre6\bin\client\jvm.dll</Data>
    <Data>c573988d-3092-11e1-b61f-0002760e0002</Data>
  </EventData>
</Event>

But in C:\Users\Moose\AppData\Local\Temp -- there is no file named winupd.exe

jvm.dll is, of course, the Java Virtual Machine. There are five or six versions of that with old date stamps.

The first time I saw this was on the 24th.

Most of my Desktop icons (Office, browsers) were all disabled (the shortcuts pointed to Windows Temp), and Outlook would only open a mail message with outicon.exe attached as an executable.  Firefox would barely run until I disabled add-ons, same for IE and Chrome.  Safari was unaffected.

outicon.exe is located in C:\Windows\Installer\{9012000-0030-000-000-000000000FF1CE} with a date/time stamp of 12/15.  It is attached -- was there an Office update on the 15th?

Ran a full scan of everything.  Norton 360 found the usual tracking cookies.  Did the usual things (checked startup files, registry, scrubbed temp folders), and such.

Other computers on the local network are reporting endless attempts to enter via port 1900 (UPnP, Universal Plug and Play) as often as 10 times a second.

When this dialog appears, my log reports that new firewall rules were created for :winupd.exe, with numerous unauthorized access attempts blocked by Windows Management Instrumentation (WMI Services).

I am seeing this in the Norton Log:

"An intrusion attempt by 178.17.163.189 was blocked"

"An intrusion attempt by 69.4.230.24 was blocked"

Looking at the Windows Update log, I seem to have more than the usual number of "Update XXXX ... is regulated and can NOT download" but this may or may not be related.

A Google search for "Beset Pile Pato Worst Flesh Banal" returns nothing.

If this isn't a new piece of malware it is sure acting like one.
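The Event 1000 record quoted above already explains the "missing" file. The faulting-application path C:\Users\Moose\AppData\Local\Temp:winupd.exe contains a second colon after the drive letter's, which is NTFS alternate data stream (ADS) syntax: winupd.exe is stored as a stream attached to the Temp folder itself, not as a file inside it, so an ordinary directory listing never shows it. The firewall entry for ":winupd.exe" reads the same way. The script below is an added example, not code from the original post; it parses an Application Error event built from the values quoted above and returns the triage findings a defender would want from such a record. The positional meaning of the EventData fields, the USER_WRITABLE list and the handling of drive-letter paths only are this example's own assumptions.

```python
"""Triage a Windows 'Application Error' (Event ID 1000) record for the
indicators visible in the crash described in the post above.

Added example, not code from the original post. SAMPLE_EVENT is constructed
from the values quoted in the post. FIELDS follows the EventData order Windows
writes for Event 1000; USER_WRITABLE is this example's own short list.
Only drive-letter paths are handled (UNC paths are out of scope).
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Positional meaning of the <Data> elements in an Event 1000 record.
FIELDS = [
    "app_name", "app_version", "app_timestamp",
    "module_name", "module_version", "module_timestamp",
    "exception_code", "exception_offset", "process_id", "start_time",
    "app_path", "module_path", "report_id",
]

# 'C:\dir\file.exe' has only the drive-letter colon. 'C:\dir:file.exe' has a
# second one, which is NTFS alternate-data-stream syntax: the stream
# 'file.exe' attached to the directory 'C:\dir'. An optional ':$DATA' stream
# type suffix is accepted and dropped.
ADS_RE = re.compile(r"^([A-Za-z]:\\[^:]*):([^\\:]+?)(?::\$DATA)?$")

# Locations an ordinary user can write to (lower-case substrings).
USER_WRITABLE = (r"\appdata\local\temp", r"\windows\temp", r"\appdata\roaming")

SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <TimeCreated SystemTime="2011-12-27T13:57:54.000000000Z" />
    <Computer>Moose-Desktop</Computer>
  </System>
  <EventData>
    <Data>winupd.exe</Data>
    <Data>3.3.0.0</Data>
    <Data>4ed8a0e4</Data>
    <Data>jvm.dll</Data>
    <Data>19.1.0.2</Data>
    <Data>4d4a3fae</Data>
    <Data>c0000005</Data>
    <Data>000c87b2</Data>
    <Data>8e0</Data>
    <Data>01ccc49e359ab926</Data>
    <Data>C:\Users\Moose\AppData\Local\Temp:winupd.exe</Data>
    <Data>C:\PROGRA~2\Java\jre6\bin\client\jvm.dll</Data>
    <Data>c573988d-3092-11e1-b61f-0002760e0002</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return the record as a dict keyed by FIELDS, plus 'computer' and 'time'."""
    root = ET.fromstring(xml_text)
    values = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    event = dict(zip(FIELDS, values))
    event["computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    created = root.find("e:System/e:TimeCreated", NS)
    event["time"] = created.get("SystemTime", "") if created is not None else ""
    return event


def split_ads(path):
    """Return (host_object, stream_name) if path names an alternate data
    stream, otherwise None."""
    m = ADS_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def assess(event):
    """Return a list of human-readable findings for one Event 1000 record."""
    findings = []
    app_path = event.get("app_path", "")
    ads = split_ads(app_path)
    if ads:
        host, stream = ads
        findings.append(f"faulting application is alternate data stream '{stream}' "
                        f"attached to '{host}'; a plain directory listing will not show it")
    if any(d in app_path.lower() for d in USER_WRITABLE):
        findings.append(f"faulting application runs from a user-writable location: {app_path}")
    if event.get("module_name", "").lower() == "jvm.dll":
        findings.append(f"crash is inside the Java runtime ({event.get('module_path', '')}); "
                        "the executable hosts a JVM rather than running native code alone")
    return findings


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(f"{ev['time']} {ev['computer']}: {ev['app_name']} faulted in {ev['module_name']}")
    for finding in assess(ev):
        print(" -", finding)
```

On the affected machine itself, the stream can be confirmed from a command prompt with dir /r C:\Users\Moose\AppData\Local\Temp, which lists alternate data streams next to the ordinary files (the /r switch exists on Windows Vista and later).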