Prevx Research Division
ASPNET_STATE.EXE
WormFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove ASPNET_STATE.EXE.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Worm
- Malware Downloader
File Behavior
ASPNET_STATE.EXE has been seen to perform the following behavior:
- Drops known malicious software during execution
- Includes file creation code which could be used to test for interception by security products
- This process creates other processes on disk
- Executes a Process
- Enables an In Process Object/Server - Common with DLL Injections
- Adds a Registry Key (DELAY) to auto start Programs on system start up
- The Process is packed and/or encrypted using a software packing process
- Writes to another Process's Virtual Memory (Process Hijacking)
ASPNET_STATE.EXE has been the subject of the following behavior:
- Created as a new Background Service on the machine
- Executed as a Process
- Created by processes which appear to be checking for interception by security products
- Created as a process on disk
- Deleted as a process from disk
- Executed from Temporary Folders
Country Of Origin
The filename ASPNET_STATE.EXE was first seen on Sep 8 2007 in the following geographical regions of the Webroot community:
- Australia on Sep 8 2007
- Brazil on Sep 8 2007
- Italy on Mar 13 2008
- on Mar 28 2008
- Spain on Oct 21 2008
- Canada on Oct 21 2008
- Hong Kong on Jun 16 2009
- The United States on Jul 14 2009
- Europe on Oct 20 2009
- Vietnam on Oct 20 2009
- Turkey on May 15 2012
File Name Aliases
ASPNET_STATE.EXE can also use the following file names:
- VRT7.TMP
- M8|ASPNET_STATE.EXE
- IEXPIORE.EXE
- MSCORSVW.EXE
- VRT5E45.TMP
- VRTE80D.TMP
- VRT820B.TMP
- CLIPSRV.EXE
- AOLTSMON.EXE
- PRESENTATIONFONTCACHE.EXE
- MSCORLIB.DLL
- ݢD
- M4|17106759.EXE
- 01C936B26AAAF67C_FDCD2T_EXE.PE
- 01C9347C8448BE9E_INDEX[1].PE
- FL_ASPNET_STATE_EXE_____X86.3643236F_FC70_11D3_A536_0090278A1BB8
- 61062344.EXE
- 57204505.DAT
Filesizes
The following file size has been seen:
- 201,416 bytes
- 11,264 bytes
- 26,624 bytes
- 210,390 bytes
- 13,312 bytes
- 14,336 bytes
- 110,592 bytes
- 12,288 bytes
- 32,768 bytes
File Type
The filename ASPNET_STATE.EXE is used by multiple object types including executable programs,objects.
File Activity
One or more files with the name ASPNET_STATE.EXE creates, deletes, copies or moves the following files and folders:
- Opens/modifes c:\autoexec.bat
- Creates c:\windows\system32\sxmg4.dll
- Deletes c:\windows\system32\lt.res
- Creates c:\windows\system32\sft.res
- Deletes c:\9.tm
Website Activity
One or more files with the name ASPNET_STATE.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1072 Port:16
- Port 80 IP:79.135.167.18
- Port 80 IP:91.203.93.49
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.