File Investigation Report
3913574.EXEMalware Dropper
Your PC is infected. The file called 3913574.EXE is considered unsafe and there may be other infections on your PC.
You should urgently check your PC and remove any malicious software including 3913574.EXE as soon as possible. The free version of Prevx CSI will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't put your confidential data, or your identity at risk, check your PC now with Prevx CSI.
Associated Malware Groups
The filename is associated with the malware groups:
- Malware Dropper
- Cloaked Malware
- Worm
File Behavior
3913574.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Executes a Process
- Registers a Dynamic Link Library File
- Opens browser pop ups
- Creation and Registration of a Browser Helper Object in Internet Explorer
- This Process Creates Other Processes On Disk
3913574.EXE has been the subject of the following behavior:
- Executed as a Process
- Downloaded from covert web sites without the user knowing
- Created as a process on disk
- Added as a Registry auto start to load Program on Boot up
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
- Executed from Temporary Folders
Country Of Origin
The filename 3913574.EXE was first seen on Jun 18 2008 in the following geographical regions of the Prevx community:
- GERMANY on Jun 18 2008
- The UNITED KINGDOM on Jun 18 2008
- SPAIN on Jul 21 2008
- NETHERLANDS on Oct 7 2008
File Name Aliases
3913574.EXE can also use the following file names:
- 3913574[1].EXE
- 15085879.SVD
- HGNTYSH.TMP
- 83210188.EXE
- 1.EXE
- MSUPDTE.EXE
- 17679001.SVD
- 68337798.EXE
- 35068821.DAT
- 09075222.SVD
- VKYVEPF.TMP
Filesizes
The following file size has been seen:
- 66,055 bytes
- 68,615 bytes
- 39,943 bytes
- 94,215 bytes
- 48,135 bytes
- 14,848 bytes
Vendor, Product and Version Information
These files have no vendor, product or version information specified in the file header.
File Type
The filename 3913574.EXE is used by multiple object types including executable programs,objects.
File Activity
One or more files with the name 3913574.EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\windows\system32\ksadio.dll
- Opens/modifes c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\000006e000000f2c.ur
- Deletes c:\docume~1\user\locals~1\temp\000006e000000f2c.ur
Registry Activity
One or more files with the name 3913574.EXE creates or modifies the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Bind comment 3913574
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main CompatibilityFlags value:
- HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d} Enable value:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main FullScreen no
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Window_Placement [REG_BINARY, size: 44 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar Locked value:
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\brittany5554945@live.co.uk usertileurl http://byfiles.storage.msn.com/static/19
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\brittany5554945@live.co.uk idtiletimestamp 2008-04-17T11:29:02.000000-00:00
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Zoom ZoomFactor [REG_DWORD, value: 000186A0]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F UserFile [REG_BINARY, size: 79044 bytes]
Website Activity
One or more files with the name 3913574.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1093 Port:26
- Port 80 IP:77.92.88.21
- Port 80 IP:64.233.167.99
- Port 80 IP:66.249.93.104
- Port 80 IP:66.249.93.147