It has been a while since I have posted but this one is too good to pass up. Every night around 10:30 p.m., my computer is set up to run a VerifyMyPC scan. About 11 p.m. the Scan Notifier runs and does the whole balloon pop-up thing. Normally nothing pops up because there is nothing to report (i.e. another day at the office - figuratively speaking).

When there is something to report, usually a little yellow triangle icon shows up and I say, "Yup, I remember doing that today." Or, "Those changes to my system sound about right."

Tonight, the special analysis mode of the Scan Notifier picked up on unusual behavior and popped up the Red-X icon.

If Microsoft ever wanted to get caught with their pants down, they succeeded. For most people, the above doesn't make a whole lot of sense past the "you might have a virus" part. VerifyMyPC requires a little extra knowledge about computer systems when dealing with the details. Google is your friend in these cases. Running searches for 'wups.dll' and 'wups2.dll' turns up something about Automatic Updates. In particular, those DLLs provide Automatic Update functionality for Windows.





In other words, the Automatic Updates utility automatically updated itself. Now this might not seem like a big deal but I have automatic updates set to manual (both download and installation have to be approved by me) and not the usual 'automatic' setting found on most user PCs. In other words, Windows updated itself without my express permission. Such behavior is right in line with spyware-like activity. Thus, VerifyMyPC is doing an accurate job in reporting such behavior to me. I love VerifyMyPC.





It is also interesting to note that Microsoft pushed out an update to Automatic Updates on a day other than the 2nd Tuesday of the month (also known as "Patch Tuesday").



Edit: The above image actually indicates that those files were 'added'. Drilling down, it shows that they were added to 'C:\WINDOWS\LastGood\system32\'. While 'wups.dll' and 'wups2.dll' were NOT modified, other files that are in the real system32 directory ('C:\WINDOWS\system32') WERE modified. What follows is a snippet of each file that was added and changed (files with the same name have been grouped together to help make it obvious that a virus or other piece of malware wasn't involved - malware authors wouldn't bother to copy the files to the "Last Known Good" configuration):





Add (Important)

C:\WINDOWS\LastGood\system32\cdm.dll (90.33KB)

Hash: 4E 68 B2 C4 4D F7 D2 58 16 8C 99 2C BA EC E9 95 53 33 05 86 C2 81 3B F4 B9 27 87 7C 0B 5B 51 A5



Change (Critical)

C:\WINDOWS\system32\cdm.dll (90.33KB)

New Hash: F2 2D 36 39 25 2C 01 76 40 0B 49 B3 06 2E B0 18 4B F1 F6 66 34 DD C7 F8 FD 69 73 23 9B CD 5B 98

Old Hash: 4E 68 B2 C4 4D F7 D2 58 16 8C 99 2C BA EC E9 95 53 33 05 86 C2 81 3B F4 B9 27 87 7C 0B 5B 51 A5



Add (Important)

C:\WINDOWS\LastGood\system32\wuapi.dll (536.83KB)

Hash: 07 A5 AF 93 9A 1D 28 5F 5B 08 BC 43 9B E5 57 EF 00 1C 4A D6 D9 E3 92 10 33 B2 D7 B9 E9 2C 42 C0



Change (Critical)

C:\WINDOWS\system32\wuapi.dll (536.83KB)

New Hash: C6 D8 44 CF CF BE 21 DA D0 3A 6E 75 7A A7 7B 06 DC 4E 3E 06 06 41 8B F9 E7 9D 91 13 29 17 5E C0

Old Hash: 07 A5 AF 93 9A 1D 28 5F 5B 08 BC 43 9B E5 57 EF 00 1C 4A D6 D9 E3 92 10 33 B2 D7 B9 E9 2C 42 C0





Add (Important)

C:\WINDOWS\LastGood\system32\wuauclt.exe (51.83KB)

Hash: A4 21 0C 3D 8A 99 75 97 E5 67 0B FA C2 46 6E 6A 0A FD C8 9B 2F 2F 6F 9C E5 88 63 3F 92 67 A5 9A



Change (Critical)

C:\WINDOWS\system32\wuauclt.exe (51.83KB)

New Hash: 46 DA FC 71 5B C2 BC BF D5 6A 3B 2B C3 DF 1D D2 C0 36 89 3E AB 2E 4F D6 E4 39 3E 08 10 54 D5 0D

Old Hash: A4 21 0C 3D 8A 99 75 97 E5 67 0B FA C2 46 6E 6A 0A FD C8 9B 2F 2F 6F 9C E5 88 63 3F 92 67 A5 9A





Add (Important)

C:\WINDOWS\LastGood\system32\wuaucpl.cpl (211.33KB)

Hash: 68 10 5C D1 BA 1D 73 48 02 31 DE 4C C0 F3 08 CF 15 3E EC 5B C9 F4 4D 2C 22 D0 D6 03 D8 59 C1 99



Change (Critical)

C:\WINDOWS\system32\wuaucpl.cpl (211.33KB)

New Hash: C4 0D 02 69 98 E1 9F 23 9F F9 5A 55 C1 33 4A E4 70 5A 8B 92 BF 4D DD F0 E4 42 3E 4F DA E9 D0 DA

Old Hash: 68 10 5C D1 BA 1D 73 48 02 31 DE 4C C0 F3 08 CF 15 3E EC 5B C9 F4 4D 2C 22 D0 D6 03 D8 59 C1 99





Add (Important)

C:\WINDOWS\LastGood\system32\wuaueng.dll (1.63MB)

Hash: 47 4F E9 97 52 0A 5C EC B5 CD ED 16 2B 32 49 61 AE 43 27 84 B1 82 11 66 6D D4 51 70 8A E6 C4 CD



Change (Critical)

C:\WINDOWS\system32\wuaueng.dll (1.63MB)

New Hash: 43 C2 26 22 FF C5 7E 8C 4F 54 C0 58 DA 30 D8 EA 57 BC 28 FF 43 CC 5C 85 17 DE C2 47 FF 2E 71 2A

Old Hash: 47 4F E9 97 52 0A 5C EC B5 CD ED 16 2B 32 49 61 AE 43 27 84 B1 82 11 66 6D D4 51 70 8A E6 C4 CD





Add (Important)

C:\WINDOWS\LastGood\system32\wucltui.dll (318.33KB)

Hash: 15 1D 34 E5 A4 3A CC DA B4 93 86 50 A0 99 70 6A 6B 6C 8E A5 D2 C5 83 25 EF 36 D1 AA 3B 46 9F 7B



Change (Critical)

C:\WINDOWS\system32\wucltui.dll (318.33KB)

New Hash: 51 12 24 6C 7B 09 54 21 ED 41 FA 90 B4 E8 CE 9D 00 3C DF A9 2F B1 DF 71 89 B8 CE 68 2D 8A 63 F7

Old Hash: 15 1D 34 E5 A4 3A CC DA B4 93 86 50 A0 99 70 6A 6B 6C 8E A5 D2 C5 83 25 EF 36 D1 AA 3B 46 9F 7B





Add (Important)

C:\WINDOWS\LastGood\system32\wups.dll (32.83KB)

Hash: E2 E1 5F 1C FB 8D 3F 38 15 89 F4 A1 05 6C 7C 22 6B 6A 54 EA 9A D4 FE 49 77 CE B4 96 8D EF 8E BF



Add (Important)

C:\WINDOWS\LastGood\system32\wups2.dll (42.33KB)

Hash: EF F0 03 E7 79 2B 94 C2 F5 3D 90 07 FB 9D 71 AD 2E 2D 3F 00 BB 8E B9 59 16 C3 F5 21 04 D9 7E FA



Add (Important)

C:\WINDOWS\LastGood\system32\wuweb.dll (198.33KB)

Hash: 12 72 88 FA C2 76 75 C4 51 69 A2 E3 BC B6 94 4B B3 91 C8 49 78 BC 2F DE 85 C5 B2 C4 2B D3 7B 93



Change (Critical)

C:\WINDOWS\system32\wuweb.dll (198.33KB)

New Hash: 5F B2 3D 83 EE 94 20 A6 0F 23 8F BF 5F 7E DD BC A6 8F 9A 9A CE 35 A8 F9 64 AF 88 A9 4D 4B E0 7C

Old Hash: 12 72 88 FA C2 76 75 C4 51 69 A2 E3 BC B6 94 4B B3 91 C8 49 78 BC 2F DE 85 C5 B2 C4 2B D3 7B 93



(The rest of the files have a .mui file extension and MUI apparently stands for "Multilingual User Interface" - probably just a bunch of language strings).



Change (Critical)

C:\WINDOWS\system32\wuapi.dll.mui (25.33KB)

New Hash: 42 46 98 4C AE 03 50 61 F4 E9 69 7A A2 38 A4 4B B3 A8 40 F1 39 3F 71 A7 92 78 42 28 5F 8F B9 33

Old Hash: 73 B4 BB 37 D4 FF 47 0B 61 78 73 AA 43 24 12 27 2C D4 B3 B2 9C 8E 6A 26 A6 78 1E A7 08 25 B5 36





Change (Critical)

C:\WINDOWS\system32\wuaucpl.cpl.mui (25.33KB)

New Hash: B1 6B F1 A9 5F 88 6F B1 8E B3 60 E6 42 2B AF B1 00 2D 9C 8A F1 17 C8 0D 6D 0E 23 24 6C CA 60 D4

Old Hash: EF E0 8D 82 AE F1 56 9B 55 C7 B6 CD CE 28 80 3F B7 26 20 84 EF 5C 4B 69 40 17 9C 4E 2F 67 97 58





Change (Critical)

C:\WINDOWS\system32\wuaueng.dll.mui (19.83KB)

New Hash: D9 B6 D9 FB 33 EA CB F3 DA 38 19 86 62 FE 70 16 6E 74 BC DC 4A 67 AD 24 A3 8A F8 8C 23 42 BA FB

Old Hash: D0 19 EC DA 02 E1 9F FD 30 C4 F4 06 90 A5 0F 97 76 59 81 B2 3A F1 BE AD 60 47 25 E5 63 7C 33 9B





Change (Critical)

C:\WINDOWS\system32\wucltui.dll.mui (33.33KB)

New Hash: 22 93 81 37 4F A2 81 38 D4 FC FB 07 69 A2 1F 6A 5D C5 7A 5C 44 78 F4 75 C0 3C 04 DC 6A 9C 45 B0

Old Hash: E3 BD 08 48 2F BF 98 68 AF 78 C9 17 A4 1B 1C 4E AD 64 D3 18 ED C5 06 BB 87 A2 93 52 2A A1 C5 F3



So there are plenty of other actual changes to Automatic Updates to back up my claim.



Also, while wups.dll and wups2.dll were not changed, it is pretty apparent that they were included in the update as they were backed up into the last good configuration directory...as if they were going to be changed. Also, VerifyMyPC only reports changes to files that have signature (hash) changes. A hash is a one-way cryptographic thumbprint of a file. If you want to verify the above you will need a tool capable of performing a SHA-256 hash and a computer you didn't reboot (last good configurations tend to vanish after a successful boot).



You should also keep in mind that there are Windows APIs to alter timestamps of files. Just because a file says it hasn't been modified or accessed since 2004 doesn't mean it hasn't been.
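The hash-based comparison the two paragraphs above describe, as an added example (not VerifyMyPC's own code): a small Python baseline/compare that SHA-256-hashes a directory tree in the same spaced-hex format, classifies files as Add/Change/Remove the way the report does, and, in a constructed scenario, catches a replaced file whose modification time was rolled back. The directory names and file bytes are stand-ins built in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_spaced(path):
    """SHA-256 of a file, rendered as the spaced upper-case hex bytes used in the report above."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return " ".join(f"{b:02X}" for b in h.digest())

def snapshot(root):
    """Map each file under root (posix-style relative path) to (hash, mtime_ns)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (sha256_spaced(p), p.stat().st_mtime_ns)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Classify like the report: Add / Change / Remove as (kind, new_hash, old_hash); timestamps are ignored."""
    report = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report[rel] = ("Add", current[rel][0], None)
        elif rel not in current:
            report[rel] = ("Remove", None, baseline[rel][0])
        elif baseline[rel][0] != current[rel][0]:
            report[rel] = ("Change", current[rel][0], baseline[rel][0])
    return report

def demo():
    """Constructed scenario: old component copied to LastGood, replaced in system32, timestamp rolled back."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        target = sys32 / "wuapi.dll"                    # stand-in bytes, not the real DLL
        target.write_bytes(b"OLD-BUILD " * 1000)
        baseline = snapshot(tmp)
        lastgood = Path(tmp) / "LastGood" / "system32"
        lastgood.mkdir(parents=True)
        (lastgood / "wuapi.dll").write_bytes(target.read_bytes())   # backup of the old version
        target.write_bytes(b"NEW-BUILD " * 1000)        # the replaced component
        old_ns = baseline["system32/wuapi.dll"][1]
        os.utime(target, ns=(old_ns, old_ns))           # modification time rolled back
        current = snapshot(tmp)
        mtime_changed = current["system32/wuapi.dll"][1] != old_ns
        return compare(baseline, current), mtime_changed
```

In the demo the mtime-based view reports nothing while the hash comparison shows the LastGood copy as an Add whose hash equals the Old Hash of the Change in system32, mirroring the pairing in the listing above.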

Update Sept. 14, 2007: Microsoft finally responded after some major publications also realized secret Windows Updates were pushed out...almost three weeks after I posted this. Here is the official response.

To this I say: "That is a bunch of baloney". If Microsoft wants to update Windows Update components, I want the choice to update that. The "Download and Install Notifications" option implicitly includes all updates. In my mind, the Windows Update utility itself is part of that 'all'. Don't update my system secretly. Ever.

And Microsoft still hasn't come forward to explain why the WGA servers went down. My guess is that they would still be pretty embarrassed at this point to try to explain that "because they pushed out a secret update to Windows Update, WGA went down".

While I generally accept updates to Windows, I still want complete control over the entire process. The biggest problem I see with secretly updating is that it usually entails a reboot. I rarely reboot and if my system reboots while I'm in the middle of something, I will potentially lose a lot of work not to mention the time involved in bringing up all 20-30 programs I was running before the reboot. Secret updates might be followed by random shutdowns and reboots.

Did I ever mention that I love VerifyMyPC ? Oh wait. Never mind. I did that already.