Thursday, August 26, 2004
By: Matthew Doucette
Warning: A virus, trojan, or any malicious software program can be named anything the creator wishes. This means you cannot completely identify a process by its name only. We recommend using anti-virus and anti-spyware software solutions to protect yourself.
Avoid The Confusion:
The processes wuaudt.exe and wuauclt.exe are the same. The lowercase "c" and "l" sometimes look like a "d" with Windows Task Manager's small font, especially with anti-aliasing enabled. Sometimes aliased text is better for the job, when clarity is at stake:
("wuauclt.exe" looks like "wuaudt.exe" with anti-aliased text!)
My Research on "wuauclt.exe":
It turns out that wuauclt.exe can be a trojan and a legitimate Windows system file. Which you have is questionable.
The legitimate file is a Windows Update process that should only run upon reboot and visits to Windows Update. I would advise checking out the threads I participated in below. Pay attention to when the process runs, as I did and as explained in the threads, to figure out if it is running when it should be running. Here are the threads:
Legitimate process information
Here is the process information for the legitimate wuauclt.exe process:
http://www.liutilities.com/products/wintaskspro/processlibrary/wuauclt/
wuauclt - wuauclt.exe - Process Information
Process File: wuauclt or wuauclt.exe
Process Name: AutoUpdate for WindowsME
Description: Background process responsible for updates to Windows ME. Whenever you connect to the Internet, Wuauclt checks the Microsoft web site for updates to Windows ME.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A
So it is the process, for Windows ME... but this has proven to be outdated information...
I have Windows XP, not Windows ME, so I researched to see if not having Windows ME automatically meant that this file is a trojan. It turns out that this is not the case. The file I have is not a virus, but a legitmate Windows file that takes care of updating my Windows XP operating system.
The threads I participated in, further above, show that other Windows XP users also have this process. At first I thought it was only for Service Pack 2 users, but even that was incorrect. One user found the file (working properly) on his non-SP2 Windows XP.
Trojan process information
As for the trojan, in case you have it, Sophos and Symantec have more information on it:
http://www.sophos.com/virusinfo/analyses/trojcultb.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.clt.html
The trojan is called, "Cult-B" or "Backdoor.Clt" and is also known as "W32.Cult". It can infect the following systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, and Windows XP.
So is My "wuauclt.exe" a Trojan?
It is hard to answer this question as my file was not a trojan. This means that I do not have experience in catching the virus.
However, I am assuming, and please note that it is an assumption, that this is two ways to catch the virus:
1) Anti-virus
Anti-virus software should catch the virus. This assumption is made due to the fact that Symantec, the creators of Norton AntiVirus, have the trojan listed on their website (same link posted above):
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.clt.html
2) Turning off Automatic Updates
Turn off Automatic Updates using services.msc (Start, Run, Type "services.msc", Press Enter. Right Click "Automatic Updates", go to Properties, Select "Disable" Startup type.) It has been suggested that turning off Automatic Updates in the Control Panel does not actually shut down the process. So, with Automatic Updates actually shut off, the process should not run. It should not run even if you elect to manual update your Windows operating system by visiting Windows Update. (If it does run, you have not shut down the service properly.) The message I receive from Window Updates, with Automatic Updates shut down, reads like this: "Windows Update cannot continue because a required service application is disabled. Windows Update requires the following services: Automatic Updates enables detection, downloading, and installation of critical updates for your computer."
If the process shows up with Automatic Updates shut off (via services.msc) then the process is probably the trojan. Please contact me if this happens to you. I wish to confirm this with an actual case.
Share Your Experiences:
Please share your experiences with wuauclt.exe in our forums, especially if you have/had a version that was a trojan!
Also See:
External Links:
-
Windows Update (Microsoft)
About the Author: I am Matthew Doucette of Xona Games, an award-winning indie game studio that I founded with my twin brother. We make intensified arcade-style retro games. Our business, our games, our technology, and we as competitive gamers have won prestigious awards and received worldwide press. Our business has won $190,000 in contests. Our games have ranked from #1 in Canada to #1 in Japan, have become #1 best sellers in multiple countries, have won game contests, and have held 3 of the top 5 rated spots in Japan of all Xbox LIVE indie games. Our game engines have been awarded for technical excellence. And we, the developers, have placed #1 in competitive gaming competitions -- relating to the games we make. Read about our story, our awards, our games, and view our blog.