The German computer magazine CT (English translation using google translate) analyzed the new WGA Notification that is installed during Windows Update. They decided to cancel the installation and immediately after doing so the firewall reported that update.exe tried to connect to the internet. This caught their attention of course and they decided to analyze the data that was send after the connection was established.
They used Wireshark to analyze the traffic and found out that update.exe sends data to genuine.microsoft.com. Some of the data seems to be encrypted while some could be identified. It sends registry information, namely the SusClientID as well as information about the version of the WGA tool, the windows version and the language of the operating system. It also sets a cookie which contains a GUID which could possibly be used to identify the computer.
View: Full Article @ gHacks.net
43 Comments - Add comment