Prevx Research Division
20.TMP
Banking Info StealerFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove 20.TMP.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Banking Info Stealer
- Targeted Information Stealer
- Cloaked Malware
- Worm
- Malware Downloader
File Behavior
20.TMP has been seen to perform the following behavior:
- Writes to another Process's Virtual Memory (Process Hijacking)
- This Process Deletes Other Processes From Disk
- The Process is packed and/or encrypted using a software packing process
- This process creates other processes on disk
- Can communicate with other computer systems using HTTP protocols
- Executes a Process
- Registers a Dynamic Link Library File
- Downloads hidden code from covert web sites
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Visits web sites on your PC without you knowing
- Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
- Found on infected systems and resists interrogation by security products
- Disables the built in Windows File Protection System
- Creates new folders in the file system
- Creates a new Background Service on the machine
20.TMP has been the subject of the following behavior:
- Executed from Temporary Folders
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Executed as a Process
- Created as a process on disk
- Created as a new Background Service on the machine
- Loaded and Executed as a System Driver File
- Registered as a Dynamic Link Library File
- Added as a Registry Key (RUNONCE) to auto start Programs on system start up
- Deleted as a process from disk
- Copied to multiple locations on the system
Country Of Origin
The filename 20.TMP was first seen on Jun 24 2007 in the following geographical regions of the Webroot community:
- The United States on Jun 24 2007
- Spain on Jun 19 2008
- Canada on Jun 19 2008
- Norway on Oct 18 2008
- Mexico on Dec 5 2009
- The United Kingdom on Dec 5 2009
- Turkey on May 19 2012
File Name Aliases
20.TMP can also use the following file names:
- SOFT4[1].EXE
- XAR2001V7[1].EXE
- ADWORDS[n].EXE
- NTOS.EXE
- PO[1].EXE
- 8.TMP
- 3.TMP
- C.TMP
- 1.TMP
- 25.TMP
- 1A.TMP
- 35.TMP
- 2B.TMP
- 29.TMP
- 19.TMP
- 3F.TMP
- 63.TMP
- 43.TMP
- C1.TMP
- 9F.TMP
- 6E.TMP
- 14.TMP
- 17.TMP
- 9A.TMP
- CF.TMP
- 15.TMP
- 198.TMP
- DC309.TMP
- 618.TMP
- 627.TMP
- 2C8.TMP
- 466B.TMP
- 138.TMP
- 253.TMP
- 127.TMP
- 374.TMP
- 1108.TMP
- 1A1.TMP
- 130.TMP
- 8F1.TMP
- A27.TMP
- 16314362.TMP
Filesizes
The following file size has been seen:
- 401,408 bytes
- 10,316 bytes
- 25,088 bytes
- 318,464 bytes
- 379,392 bytes
- 19,968 bytes
- 49,152 bytes
File Type
The filename 20.TMP is used by multiple object types including executable programs,objects,Dynamic Link LIbraries.
File Activity
One or more files with the name 20.TMP creates, deletes, copies or moves the following files and folders:
- create folder C:\WINDOWS\system32\wsnpoem
- Deletes c:\windows\system32\ntos.exe
- Opens/modifes c:\autoexec.bat
- Creates c:\windows\system32\wsnpoem\video.dll
- Deletes c:\windows\system32\wsnpoem\video.dll
- Moves c:\windows\system32\wsnpoem\video.dll to c:\windows\system32\wsnpoem\video.dll
Website Activity
One or more files with the name 20.TMP interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- Port 80 IP:91.203.68.3
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.