Hello everyone.
I have a vendor MSI, which installs fine. After I open the application it automatically checks for software updates. If the version is old it installs the update files into a folder. The update files are stored in a very strange format. They are stored in htm files, and the maximum size of each one is 1,954 KB. The first update contains 6.34 MB worth of these files. The 2nd is 21 MB.

After the update downloads the htm files it then asks, "Do you want me to install downloaded files?" I say yes and it takes off. I used Process Monitor to watch it.

onlineupdate.exe -- silentupdate (This checks the version, and then starts the download. It runs every start up of the application)

"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\username\Local Settings\Temp\dyguni68.cmdline"

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\username\LOCALS~1\Temp\RES2A.tmp" "c:\Documents and Settings\username\Local Settings\Temp\CSC29.tmp"

"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\username\Local Settings\Temp\w734nu-t.cmdline"

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\username\LOCALS~1\Temp\RES2C.tmp" "c:\Documents and Settings\username\Local Settings\Temp\CSC2B.tmp"

"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\username\Local Settings\Temp\dpmjzv1d.cmdline"

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\username\LOCALS~1\Temp\RES2E.tmp" "c:\Documents and Settings\username\Local Settings\Temp\CSC2D.tmp"

C:\WINDOWS\System32\logon.scr /s

"C:\WINDOWS\system32\defrag.exe" -p 3fc -s 00000E9C -b C:

DfrgNtfs.exe -Embedding

So, this is the update process. My guess: whatever program is running the update extracts the htm files to the temp folder as .tmp files and runs them with the .NET Framework.

Has anyone ever seen anything like this? Any recommendations I should try? For now I guess I'm going to try to capture those .tmp files and play with those above command lines.

Thanks in advance
-magnum
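An added example, not code from the thread or from the vendor: csc.exe run with an @<random>.cmdline response file in a user's Temp folder is how the .NET 2.0 runtime compiles code on the fly (CodeDOM; XmlSerializer's temporary serialization assemblies are the usual source), and cvtres.exe is the resource converter that csc itself runs. The response file names the generated .cs source and the output .dll, and the runtime deletes them when it is finished, so the way to see what was actually compiled is to copy them as they appear. The script below polls a directory for compiler artefacts, copies them out, and splits a response file into output, references and sources. The SAMPLE_RESPONSE text, the "<random>.0.cs" naming and the VendorApp path are assumptions in the style of what the runtime writes, not captures from the poster's machine.

```python
"""Catch the files csc.exe is handed during the update, before they vanish.

Added example, not from the thread or the vendor. The .NET 2.0 runtime
writes <random>.cmdline (a csc response file) plus a generated source file
to the user's Temp folder, runs csc.exe @<random>.cmdline, and deletes
both afterwards. Polling the folder and copying matches recovers them.
"""
import os
import re
import shutil
import tempfile
import time

# Transient names the runtime writes next to the .cmdline file. The
# "<random>.0.cs" pattern is the usual one; treat it as an assumption.
ARTIFACT_SUFFIXES = (".cmdline", ".cs", ".out", ".err", ".tmp", ".dll", ".pdb")
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')  # option:"quoted value" stays one token

# Constructed response file in csc's own syntax; the VendorApp path is made up.
SAMPLE_RESPONSE = (
    '/t:library /utf8output '
    '/R:"C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\System.Xml.dll" '
    '/R:"C:\\Program Files\\VendorApp\\VendorApp.exe" '
    '/out:"C:\\Documents and Settings\\username\\Local Settings\\Temp\\dyguni68.dll" '
    '/debug- /optimize+ '
    '"C:\\Documents and Settings\\username\\Local Settings\\Temp\\dyguni68.0.cs"'
)


def snapshot(directory):
    """Map file name -> mtime for everything currently in `directory`."""
    out = {}
    for name in os.listdir(directory):
        try:
            out[name] = os.stat(os.path.join(directory, name)).st_mtime
        except OSError:
            pass  # vanished between listdir and stat; that race is unavoidable
    return out


def new_artifacts(before, after, suffixes=ARTIFACT_SUFFIXES):
    """Names that appeared or changed since `before`, restricted to compiler files."""
    return sorted(n for n, m in after.items()
                  if n.lower().endswith(suffixes) and before.get(n) != m)


def copy_artifacts(src_dir, dst_dir, names):
    """Copy the named files out of src_dir; skip any deleted before we got there."""
    os.makedirs(dst_dir, exist_ok=True)
    copied = []
    for n in names:
        try:
            shutil.copy2(os.path.join(src_dir, n), os.path.join(dst_dir, n))
            copied.append(n)
        except OSError:
            pass
    return copied


def capture(temp_dir, dst_dir, seconds=60.0, interval=0.01):
    """Poll temp_dir for `seconds`, copying compiler artefacts as they show up."""
    seen = snapshot(temp_dir)
    grabbed = []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        now = snapshot(temp_dir)
        grabbed += copy_artifacts(temp_dir, dst_dir, new_artifacts(seen, now))
        seen = now
        time.sleep(interval)
    return grabbed


def parse_response_file(text):
    """Split a csc response file into output assembly, references and sources."""
    out, refs, sources = None, [], []
    for tok in TOKEN.findall(text):
        if tok.startswith("/"):
            opt, _, val = tok.partition(":")
            val = val.strip('"')
            if opt.lower() == "/out":
                out = val
            elif opt.lower() in ("/r", "/reference"):
                refs.extend(v.strip('"') for v in val.split(","))
        else:
            sources.append(tok.strip('"'))
    return {"out": out, "references": refs, "sources": sources}


def demo():
    """Stand-alone run: a scratch Temp folder with constructed compiler files."""
    work = tempfile.mkdtemp()
    temp_dir = os.path.join(work, "Temp")
    os.makedirs(temp_dir)
    before = snapshot(temp_dir)
    for name, body in (("dyguni68.cmdline", SAMPLE_RESPONSE),
                       ("dyguni68.0.cs", "// constructed generated source\n"),
                       ("unrelated.log", "noise\n")):
        with open(os.path.join(temp_dir, name), "w") as f:
            f.write(body)
    fresh = new_artifacts(before, snapshot(temp_dir))
    return copy_artifacts(temp_dir, os.path.join(work, "captured"), fresh)


if __name__ == "__main__":
    print(demo())  # ['dyguni68.0.cs', 'dyguni68.cmdline']
    print(parse_response_file(SAMPLE_RESPONSE)["sources"])
    # Real use: capture(tempfile.gettempdir(), "captured", seconds=120)
```

Run `capture()` against the real Temp folder while answering yes to the update prompt; the recovered .cs file tells you whether the compiler is being fed a serializer for the update manifest or something the vendor is building on the fly, which is the question the Process Monitor trace alone cannot answer. Note that a polling loop can miss a file that lives for less than one interval; that is the cost of not hooking the file system.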
Answers

ORIGINAL: kjk3407

<snip>

That is a very strange way to update an application. What kind of app is it? Also, I find it suspicious that it launches defrag.exe and logon.scr (which can contain malicious code). See if you can get to the point before it asks you to update the app, where you can just get those compressed htm files (more strangeness)... and look at what is in them.
Answered 04/02/2008 by: aogilmor
Ninth Degree Black Belt

I'd bet those HTMs are actually XML files, disguised with a different extension...

I'd also share Owen's concern about the other EXEs they're running. Vendors have no place running defrag on my workstations, thank you! And as for LOGON.SCR...it beggars belief, it really does. I'd be having serious words with them, if I were you.
Answered 04/03/2008 by: VBScab
Red Belt

The application is a planning and marketing tool. I made a mistake on the defrag and logon.scr capture. I allowed the screensaver to come on before ending the capture, and our disk defragger is set to run in screensaver mode. My apologies for that. So, I opened the htm file and this is what is contained in it:

ÆÒA PK (^*7çI¬ ó serialization…QÑNÂ0 }7ñ¬–¾³¶à I)QˆÆ ³ –˜¦Ü±Æ¬%mqà×;•1 câã9çžžÛsÙüXäÁX§Œž! €–f«ôn†
> LÐœ_^°[kÅé%½W9<êÔ •M»éÑ© ʼßO1.Ë2,G¡±;’Ù ¼ƒøSŠí“$œö ü òK ‚™Raä%äWÀõ ÌŒÞ^°]¬t3 0Óo‚úIÃ[³T2’•NèÛñ¦¾ „‹ ˜Ç á.îüáµÐµf‹Å…õêV¬ G ¢ÂˆY†€ ~¡fTñ|jI7`£7(¶¯¬ûÙšU `1cºÈ¸a§¯D‚ì9_¶ÿ«
>g7
¨J¦^h1ôDÝ•õ ¿bÀü X²Öº(Ž¢ Ád£JƤ}/ÀZµ£ow œI1c€ =Þ5Éá MÐÂ4=¶³T²|²áHÀÉiˆV§ “ð G42 µ3.âîE€¨Ó‹ý\,¬e;-$a 4ѐÉÁ¬Q†‡Ù>8ÏÑ r£¾JXÈŸÏm Uö³¡a
Þ]¬’ö êø öª¼^ÝG ^J¨ìDX…Á´9Š “þ FUœpìE5~ˆ) ¾/ÿ© ? ¦ „×+ùœŒ¬žh2÷ÅVöÍª’®¨|qŠjk4ïâÀ §Æ^I º@ ”Q‡´|wøa{. ³
ßt]ÓuÝŸ¬)±½*RÃúün„½Õ sw5Žžüöw•4àØ^å¾p kmÜㆠt è÷Ž Âf×þ j{•˜;Œ ¯Ûÿ” ?V› @¹ÿô8Š¬Ò-[äO»´{’œ ; –R° ÄOÚŒ¬ò|¢OÃ7¾ Ó ¥½1UX±ý¹ª?qbzÍæ[| Þ¯I…
ÖüùÈöê8OÞ‚¶ «_+À {´^èøæ«j)ÝWÅ‹©7Gï€9 ¾`:òµ½r •~à €lÊ€ïK Ö —_Ý⬖€òΦ¤[;Ëß ¬>¼)na¥_Èb°Œ]ô¶÷êd {/ ¾_]äÛËS£8”Ãä֛؁g ¹iýtV RêXò à ¤D’¶¡1²Ì€ ¾¦ ÿ “| “¬ )(Š;邵[®¨¬ý`óºÇ˜×"»ÛÒ(/Ô'6Ò¾Çu ë °Ã ˆz +Jú Ðåô$£TX ¾ x|Ȭfâw=¬“fbõxY¤ ]¢þ¹e ‚I–¥aÞ„
Ÿ wî ᥽ÂÒèŒ,Ï ^(€ ”Qº > Ü •óý¢°ØgÀV¶ïB Ô#>ˆQªüeÔÂ*ú±€›¤A} M‘ o‘ W‘‘ ,¯öÛ £Ñ°yµ¼é¬*ÏW ÇLa7wFn<ÂTÿˆ?“©¯LÛ" +ë¤ÇJJV½Dâ˜U0iƒRæè „ÿ°syv Áª
à•Pc=Ô/ Ê€õÏ ô8Ôh ÃH‚ÔiHá Ç ãäcƒªË
S{®ýá ¹î&ý VȁJé 7jé‰Ç»£ï÷Ÿ G-¬G ª •_„Íë}¿ÿõ\¨¤¤¬¹¯¬k ÓØýû…A*sþ¾Ù‘uø|~0ÿè\s6…»ƒA‡ÎsVé9¢éC‚ˆ ï§Sq„†¬ J;šù »±Xð
BÜQû‹¦«¼ô´Á½øÇ‘É_Íün×Þô=
ç,801õ xœtN¹ã@wùìSÄù Å úÈ—ÏŠl ~¹ûUžk~ˆ¯ºµ ¦n{+6nì ÔOà÷ûË9™Òm ³\ nQ•¦]H( OG ÏötÿÃá«¿ô¥Á ÇöÏ™MÀåi ™Ÿ¿xEÞŒ¶™ zãŠn_Å)òç?î LÖ¼‚„ çíþ+Ý ùHàÊ# £ˆý
Êšv! ª—ð|«c(5š‚F
½ d¯ ×ÝܼD6ÇÓØ{uÐ||%ýÇb(w»0 ³ÞL¿áÖ Äª‰/ ¥ õ !m!åNÛ®G}µÁ2vú/ÅÇm¶ÓžÛº_'¦E{¬„К Ž +pÌ7âÂX Ç
j+Üg"I¸ ,SþÕÂÒAÔ {19}ºW¬ æ¢ÿ݈ðÜ…
8ď’¸ Ø$½áí::@À Û¢¡kՁ g;æ_™¬µ€ÂÃ…6 «BÊ}t

That is just a small portion of the update. There are 26 MB of this code.
Answered 04/07/2008 by: kjk3407
Orange Belt

ORIGINAL: kjk3407
I opened the htm file and this is what is contained in it:

ÆÒA PK (^*7çI¬ ó serialization…QÑNÂ0 }7ñ¬–¾³¶à I)QˆÆ ³ –˜¦Ü±Æ¬%mqà×;•1
<snip>
That is just a small portion of the update. There are 26 MB of this code.
So, not HTML or XML, then!

I presume you posted because you want to prevent the update process? All I can suggest is that you contact the vendor, as (I hope) it's unlikely your users will have appropriate rights to update files on workstations.
Answered 04/07/2008 by: VBScab
Red Belt

Interesting. Well, that's fine, I can contact the vendor, although it is a freeware program, so I was a little hesitant about contacting the vendor. Surprisingly enough, the update process allows users with strictly user rights to update the software.

The update process simply adds files to the directories of the program, but there is a catch. After the files are updated, added, or replaced they are somehow registered with the program itself. Not like a Windows registration; well, that's theory one. Theory two states that the update process creates specific .dll files according to who is logged in. I am not sure.

I don't know if it would be a good idea to let the users update the software. It seems like it might be a security risk.

I guess I could simply remove the online.exe component from the installation to prevent it from running, but I can't seem to incorporate the update before doing so.

Well, I'm off to email the vendor.
Answered 04/07/2008 by: kjk3407
Orange Belt

I'm just going to turn off automatic updates and the vendor will send us a CD once a year to update with.
Answered 04/08/2008 by: kjk3407
Orange Belt

Sounds to me like the file is actually a compressed file of some sort. Rename it to .zip and open it again.
Answered 04/09/2008 by: AngelD
Red Belt
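An added example, not code from the thread: the dump kjk3407 posted starts with a few bytes of junk and then "PK", the ZIP local-file-header signature, followed by what looks like an entry name ("serialization"), which is what AngelD's rename-to-.zip suggestion relies on. Renaming only works if the central directory at the end of the archive is present; a file that has been split into fixed-size chunks (the 1,954 KB cap in the first post) may carry no central directory at all, and junk before the first "PK" can also confuse tools. Walking the local headers from the first "PK\x03\x04" needs neither. The script below does that and inflates each entry with a CRC check; the sample chunk it builds (four junk bytes, then a two-entry ZIP) is constructed for the example and its entry names and contents are made up.

```python
"""List the entries inside one of the vendor's .htm update chunks.

Added example, not from the thread. Scans for ZIP local file headers
rather than relying on the central directory, so it copes with a chunk
that was cut mid-archive and with junk bytes before the first signature.
"""
import io
import struct
import sys
import zipfile
import zlib
from typing import NamedTuple

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header
STORED, DEFLATED = 0, 8


class Entry(NamedTuple):
    offset: int
    name: str
    method: int
    crc: int
    csize: int
    usize: int
    payload: bytes
    truncated: bool  # the chunk ended before the compressed data did


def scan_local_headers(data: bytes) -> list:
    """Walk every local file header in `data`, starting at the first signature."""
    entries = []
    pos = data.find(LOCAL_SIG)
    while pos != -1 and pos + LOCAL_HDR.size <= len(data):
        (_sig, _ver, flags, method, _mt, _md, crc, csize, usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(data, pos)
        name_start = pos + LOCAL_HDR.size
        name = data[name_start:name_start + nlen].decode("cp437", "replace")
        body = name_start + nlen + xlen
        if flags & 0x08:
            # bit 3: sizes and CRC live in a data descriptor after the data,
            # so the payload cannot be sliced here; record the name and move on
            entries.append(Entry(pos, name, method, crc, 0, 0, b"", True))
            pos = data.find(LOCAL_SIG, body)
            continue
        payload = data[body:body + csize]
        entries.append(Entry(pos, name, method, crc, csize, usize, payload,
                             len(payload) < csize))
        pos = data.find(LOCAL_SIG, body + csize)
    return entries


def inflate(entry: Entry) -> bytes:
    """Recover an entry's bytes and check them against the stored CRC-32."""
    if entry.method == STORED:
        out = entry.payload
    elif entry.method == DEFLATED:
        out = zlib.decompressobj(-zlib.MAX_WBITS).decompress(entry.payload)
    else:
        raise ValueError(f"unsupported compression method {entry.method}")
    if entry.truncated or zlib.crc32(out) & 0xFFFFFFFF != entry.crc:
        raise ValueError(f"{entry.name}: incomplete or corrupt data")
    return out


def build_sample() -> bytes:
    """Constructed stand-in for one .htm chunk: four junk bytes, then a ZIP
    with two entries. Names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("serialization", b"<update version='2.0.1'/>")
        zf.writestr("update/readme.txt", b"constructed sample\n" * 40)
    return b"\xc6\xd2A " + buf.getvalue()


def report(data: bytes) -> list:
    """One summary line per entry, the kind of listing you want when triaging."""
    lines = []
    for e in scan_local_headers(data):
        state = "truncated" if e.truncated else f"{e.csize}->{e.usize} bytes"
        lines.append(f"@{e.offset:#x} method={e.method} {state} {e.name}")
    return lines


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("\n".join(report(blob)) or "no ZIP local headers found")
```

Point it at each downloaded .htm in turn; the entry names alone say whether the chunks are one archive split at a fixed size or several archives, and an entry that inflates cleanly in one chunk but reports as truncated in another is the split point. Only inflate output that passes the CRC check; a partial entry from a cut chunk will decompress to plausible-looking bytes without being complete.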
