Update with htm files.
Hello everyone.
I have a vendor msi, which installs fine. After I open the application it automatically checks for software updates. If the version is old it installs the update files into a folder. The update files are stored in a very strange format. They are stored in htm files, and the maximum size of each one is 1,954kb. The first update contains 6.34mb worth of these files. The 2nd is 21mb.
After the update downloads the htm files it then asks, "Do you want me to install downloaded files" I say yes and it takes off. I used process monitor to watch it.
onlineupdate.exe -- silentupdate (This checks the version, and then starts the download. It runs every start up of the application)
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\username\Local Settings\Temp\dyguni68.cmdline"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\username\LOCALS~1\Temp\RES2A.tmp" "c:\Documents and Settings\username\Local Settings\Temp\CSC29.tmp"
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\username\Local Settings\Temp\w734nu-t.cmdline"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\username\LOCALS~1\Temp\RES2C.tmp" "c:\Documents and Settings\username\Local Settings\Temp\CSC2B.tmp"
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\username\Local Settings\Temp\dpmjzv1d.cmdline"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\username\LOCALS~1\Temp\RES2E.tmp" "c:\Documents and Settings\username\Local Settings\Temp\CSC2D.tmp"
C:\WINDOWS\System32\logon.scr /s
"C:\WINDOWS\system32\defrag.exe" -p 3fc -s 00000E9C -b C:
DfrgNtfs.exe -Embedding
So, this is the update process. My guess is that whatever program is running the update extracts the htm files to the temp folder as .tmp files and runs them with the .NET Framework.
Has anyone ever seen anything like this? Any recommendations I should try? For now I guess I'm going to try to capture those .tmp files and play with those above command lines.
Thanks in advance
-magnum
Answers (7)
Posted by:
aogilmor
16 years ago
ORIGINAL: kjk3407
Hello everyone.
I have a vendor msi, which installs fine. After I open the application it automatically checks for software updates. If the version is old it installs the update files into a folder. The update files are stored in a very strange format. They are stored in htm files, and the maximum size of each one is 1,954kb. The first update contains 6.34mb worth of these files. The 2nd is 21mb.
After the update downloads the htm files it then asks, "Do you want me to install downloaded files" I say yes and it takes off. I used process monitor to watch it.
onlineupdate.exe -- silentupdate (This checks the version, and then starts the download. It runs every start up of the application)
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\username\Local Settings\Temp\dyguni68.cmdline"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\username\LOCALS~1\Temp\RES2A.tmp" "c:\Documents and Settings\username\Local Settings\Temp\CSC29.tmp"
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\username\Local Settings\Temp\w734nu-t.cmdline"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\username\LOCALS~1\Temp\RES2C.tmp" "c:\Documents and Settings\username\Local Settings\Temp\CSC2B.tmp"
"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Documents and Settings\username\Local Settings\Temp\dpmjzv1d.cmdline"
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\DOCUME~1\username\LOCALS~1\Temp\RES2E.tmp" "c:\Documents and Settings\username\Local Settings\Temp\CSC2D.tmp"
C:\WINDOWS\System32\logon.scr /s
"C:\WINDOWS\system32\defrag.exe" -p 3fc -s 00000E9C -b C:
DfrgNtfs.exe -Embedding
So, this is the update process. My guess is that whatever program is running the update extracts the htm files to the temp folder as .tmp files and runs them with the .NET Framework.
Has anyone ever seen anything like this? Any recommendations I should try? For now I guess I'm going to try to capture those .tmp files and play with those above command lines.
That is a very strange way to update an application. What kind of app is it? Also, I find it suspicious that it launches defrag.exe and logon.scr (which can contain malicious code). See if you can get to the point, before it asks you to update the app, where you can just get those compressed htm files (more strangeness)... and look at what is in them.
Posted by:
anonymous_9363
16 years ago
I'd bet those HTMs are actually XML files, disguised with a different extension...
I'd also share Owen's concern about the other EXEs they're running. Vendors have no place running defrag on my workstations, thank you! And as for LOGON.SCR...it beggars belief, it really does. I'd be having serious words with them, if I were you.
Posted by:
kjk3407
16 years ago
The application is a planning and marketing tool. I made a mistake on the defrag and logon.scr capture. I allowed the screensaver to come on before ending the capture, and our disk defragger is set to run on screensaver mode. My apologies for that. So, I opened the htm file and this is what is contained in it:
That is just a small portion of the update. There are 26 mb's of this code.
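To find out what the downloaded .htm files really are, here is an added Python triage step (not code from the thread or the vendor): it classifies each file by its leading bytes rather than by its extension, tolerates a few bytes before a ZIP "PK" signature as in the contents kjk3407 pasted, and lists archive members so the payload can be reviewed before anything is allowed to install it. The sample files, their names and their members are constructed for the example; only the PK signature and the "serialization" member name echo the thread.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_zip(prefix: bytes = b"") -> bytes:
    """Constructed stand-in for one downloaded .htm update file: a ZIP archive,
    optionally with a few leading bytes before the PK signature, as in the pasted dump."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("serialization.xml", "<update/>")      # constructed member
        zf.writestr("bin/patch.dll", b"MZ" + b"\x00" * 62)  # constructed member
    return prefix + buf.getvalue()


# Constructed sample downloads; the "PK" archive with a short prefix mirrors the thread.
SAMPLE_FILES = {
    "update01.htm": build_sample_zip(prefix=b"HDR1"),
    "update02.htm": b"<html><body>release notes</body></html>",
    "update03.htm": b'<?xml version="1.0"?><manifest/>',
    "update04.htm": b"MZ\x90\x00" + b"\x00" * 60,
}


def identify(data: bytes):
    """Return (kind, offset) from the leading bytes; the .htm extension is not trusted."""
    pos = data.find(ZIP_LOCAL_HEADER, 0, 512)  # allow a short prefix before "PK"
    if pos != -1:
        return "zip", pos
    if data[:2] == b"MZ":
        return "pe", 0
    head = data.lstrip()[:32].lower()
    if head.startswith(b"<?xml"):
        return "xml", 0
    if head.startswith((b"<!doctype html", b"<html")):
        return "html", 0
    return "unknown", 0


def triage(files: dict) -> dict:
    """Classify each download; for ZIPs list the members (zipfile locates the
    central directory from the end, so a prefixed archive still opens)."""
    report = {}
    for name, data in files.items():
        kind, offset = identify(data)
        members = []
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [info.filename for info in zf.infolist()]
        report[name] = {"kind": kind, "zip_offset": offset, "members": members,
                        "mismatch": kind != "html"}  # extension says HTML, content does not
    return report
```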
Posted by:
anonymous_9363
16 years ago
dyguni68.cmdline
ORIGINAL: kjk3407
I opened the htm file and this is what is contained in it:
ÆÒA PK (^*7çI¬ ó serialization…QÑNÂ0 }7ñ¬–¾³¶àI)QˆÆ ³ –˜¦Ü±Æ¬%mqà×;•1
<snip>
That is just a small portion of the update. There are 26 mb's of this code.
So, not HTML or XML, then!
I presume you posted because you want to prevent the update process? All I can suggest is that you contact the vendor, as (I hope) it's unlikely your users will have appropriate rights to update files on workstations.
Posted by:
kjk3407
16 years ago
Interesting. Well, that's fine, I can contact the vendor, although it is a freeware program. So, I was a little hesitant about contacting the vendor. Surprisingly enough, the update process allows users with strictly user rights to update the software.
The update process simply adds files to the directories of the program, but there is a catch. After the files are updated, added, or replaced they are somehow registered with the program itself. Not like a Windows registration; well, that's theory one. Theory two is that the update process creates specific .dll files according to who is logged in. I am not sure.
I don't know if it would be a good idea to let the users update the software. It seems like it might be a security risk.
I guess I could simply remove the online.exe component from the installation to prevent it from running, but I can't seem to incorporate the update before doing so.
Well, I'm off to email the vendor.
Posted by:
kjk3407
16 years ago
Posted by:
AngelD
16 years ago
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.