Associated Malware Groups
The unsafe files using this name are associated with the malware group:
File Behavior
UU[n].EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- This Process Creates Other Processes On Disk
- This Process Deletes Other Processes From Disk
- Registers a Dynamic Link Library File
- Executes a Process
- Copies files
- Creates a new Background Service on the machine
- Enables an In Process Object/Server - Common with DLL Injections
UU[n].EXE has been the subject of the following behavior:
- Executed as a Process
- Executed from Temporary Folders
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
Country Of Origin
The filename UU[n].EXE was first seen on Sep 6 2008 in the following geographical regions of the Prevx community:
- JAPAN on Sep 6 2008
- SPAIN on Sep 6 2008
- The UNITED KINGDOM on Oct 1 2008
File Name Aliases
UU[n].EXE can also use the following file names:
- UU[1].EXE
- 02538241.DAT
- TRU8.TMP
- NODB.TMP
- UU.EXE
- 72732418.DAT
Filesizes
The following file sizes have been seen:
- 109,568 bytes
- 38,958 bytes
Vendor, Product and Version Information
These files have no vendor, product or version information specified in the file header.
File Type
The filename UU[n].EXE refers to many versions of an executable program.
File Activity
One or more files with the name UU[n].EXE create, delete, copy or move the following files and folders:
- Creates c:\windows\rb.exe
- Creates c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\mmvo.exe
- Copies file c:\windows\rb.exe to c:\windows\system32\mmvo.exe
- Deletes c:\windows\system32\mmvo0.dll
- Creates c:\windows\system32\mmvo0.dll
- Deletes c:\windows\rb.exe
- Deletes c:\awqlpyrd.co
- Copies file c:\windows\system32\mmvo.exe to c:\awqlpyrd.co
- Deletes c:\autorun.in
- Creates c:\autorun.in
- Deletes d:\awqlpyrd.co
- Copies file c:\windows\system32\mmvo.exe to d:\awqlpyrd.co
- Deletes d:\autorun.in
- Creates d:\autorun.in
- Deletes c:\docume~1\user\locals~1\temp\uu.rar
- Deletes c:\windows\system32\ddr.ex
- Deletes c:\docume~1\user\locals~1\temp\mg12.tx
- Creates c:\docume~1\user\locals~1\temp\ba60_appcompat.txt
- Deletes c:\docume~1\user\locals~1\temp\help.ex
- Deletes c:\otyh.cm
- Copies file c:\windows\system32\ckvo.exe to c:\otyh.cm
- Deletes d:\otyh.cm
- Copies file c:\windows\system32\ckvo.exe to d:\otyh.cm
- Deletes c:\docume~1\user\locals~1\temp\help1.rar
- Deletes c:\windows\system32\ckvo0.dl
- Opens/modifies c:\autoexec.bat
- Deletes c:\windows\system32\ddr.exe
- Creates c:\windows\system32\ddr.exe
- Deletes c:\windows\system32\Bitkv0.dll
- Creates c:\windows\system32\Bitkv0.dll
- Deletes c:\docume~1\user\locals~1\temp\help.exe
- Creates c:\docume~1\user\locals~1\temp\help.exe
- Creates c:\docume~1\user\locals~1\temp\1BE98.dmp
- Deletes c:\windows\system32\ckvo.exe
- Copies file c:\docume~1\user\locals~1\temp\help.exe to c:\windows\system32\ckvo.exe
- Deletes c:\windows\system32\ckvo0.dll
- Creates c:\windows\system32\ckvo0.dll
- Creates c:\docume~1\user\locals~1\temp\help1.rar
- Deletes c:\windows\system32\ckvo1.dll
- Creates c:\windows\system32\ckvo1.dll
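The activity list above shows two patterns an analyst would want to pull out automatically rather than read line by line: a file copied from system32 to the root of each drive (c:\awqlpyrd.co, d:\otyh.cm and so on) together with an autorun.inf at the same root, which is how this family spreads via removable media, and a dropper (c:\windows\rb.exe, temp\help.exe) that is created, copied into system32 under a new name, and then deleted. The script below is an added example written for this page, not Prevx tooling: it parses an in-order excerpt of the entries exactly as recorded (including the missing space after "file" and the truncated "autorun.in" name) and reports both patterns. The excerpt is constructed from the list above; the parsing rules and the two heuristics are the example's own.

```python
"""Normalise the File Activity entries recorded on this page and pull out two
behaviours worth triaging: a payload copy plus autorun.inf seeded at drive
roots, and a dropper staged into system32 and then deleted.
Added example for this page; it is not Prevx tooling."""
import re
from collections import defaultdict

# Constructed sample: an in-order excerpt of the entries listed above, kept
# exactly as recorded (missing space after 'file', truncated 'autorun.in').
ACTIVITY = r"""
Creates c:\windows\rb.exe
Creates c:\windows\system32\drivers\klif.sys
Deletes c:\windows\system32\mmvo.exe
Copies filec:\windows\rb.exe to c:\windows\system32\mmvo.exe
Creates c:\windows\system32\mmvo0.dll
Deletes c:\windows\rb.exe
Deletes c:\awqlpyrd.co
Copies filec:\windows\system32\mmvo.exe to c:\awqlpyrd.co
Deletes c:\autorun.in
Creates c:\autorun.in
Copies filec:\windows\system32\mmvo.exe to d:\awqlpyrd.co
Creates d:\autorun.in
Opens/modifes c:\autoexec.bat
Creates c:\docume~1\user\locals~1\temp\help.exe
Copies filec:\docume~1\user\locals~1\temp\help.exe to c:\windows\system32\ckvo.exe
Copies filec:\windows\system32\ckvo.exe to c:\otyh.cm
Copies filec:\windows\system32\ckvo.exe to d:\otyh.cm
"""

# The four entry forms on the page. '\s*' after the verb tolerates the missing
# space in 'Copies filec:\...'; 'modif(?:ie|e)s' tolerates the 'modifes' typo.
ENTRY_RE = re.compile(
    r"^(?P<verb>Creates|Deletes|Opens/modif(?:ie|e)s|Copies file)\s*"
    r"(?P<src>.+?)(?:\s+to\s+(?P<dst>.+))?$",
    re.IGNORECASE,
)
# A path directly at a drive root, e.g. c:\autorun.in
ROOT_RE = re.compile(r"^(?P<drive>[a-z]):\\(?P<name>[^\\]+)$", re.IGNORECASE)


def parse_activity(text):
    """Return (verb, src, dst) tuples; verb is creates/deletes/modifies/copies,
    dst is None except for copies. Paths are lower-cased for comparison."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip().lstrip("- ")
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised entry: {line!r}")
        verb = m.group("verb").lower()
        verb = "modifies" if verb.startswith("opens") else verb.split()[0]
        dst = m.group("dst")
        events.append((verb, m.group("src").lower(), dst.lower() if dst else None))
    return events


def seeded_drives(events):
    """Drives that received both an autorun.inf and at least one file copied to
    the root: {drive: {"autorun": name, "payloads": [(name, copied_from), ...]}}."""
    roots = defaultdict(lambda: {"autorun": None, "payloads": []})
    for verb, src, dst in events:
        if verb == "deletes":
            continue
        m = ROOT_RE.match(dst if verb == "copies" else src)
        if not m:
            continue
        drive, name = m.group("drive"), m.group("name")
        if name.startswith("autorun.in"):  # autorun.inf; the page records it truncated
            roots[drive]["autorun"] = name
        elif verb == "copies":
            roots[drive]["payloads"].append((name, src))
    return {d: r for d, r in roots.items() if r["autorun"] and r["payloads"]}


def staging_chains(events):
    """Copies into system32 whose source was created earlier in the trace.
    The third element records whether the source was deleted afterwards."""
    created, deleted = defaultdict(list), defaultdict(list)
    for i, (verb, src, _) in enumerate(events):
        if verb == "creates":
            created[src].append(i)
        elif verb == "deletes":
            deleted[src].append(i)
    chains = []
    for i, (verb, src, dst) in enumerate(events):
        if verb != "copies" or "\\system32\\" not in dst:
            continue
        if any(j < i for j in created[src]):
            cleaned = any(j > i for j in deleted[src])
            chains.append((src, dst, cleaned))
    return chains


if __name__ == "__main__":
    ev = parse_activity(ACTIVITY)
    for drive, r in sorted(seeded_drives(ev).items()):
        names = ", ".join(n for n, _ in r["payloads"])
        print(f"{drive}: root seeded with {r['autorun']} + {names}")
    for src, dst, cleaned in staging_chains(ev):
        print(f"staged {src} -> {dst}" + (" (dropper deleted)" if cleaned else ""))
```

Run as-is it reports both c: and d: as seeded (each with awqlpyrd.co and otyh.cm copied from the system32 executables) and two staging chains, rb.exe to mmvo.exe with the dropper deleted afterwards and temp\help.exe to ckvo.exe without a later deletion in the recorded trace. The same two heuristics apply to any file-event trace (Sysmon event ID 11, a sandbox report) once it is normalised to the same (verb, src, dst) shape.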
Registry Activity
One or more files with the name UU[n].EXE create or modify the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mmva C:\WINDOWS\system32\mmvo.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun [REG_DWORD, value: 00000091]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kamsoft C:\WINDOWS\system32\ckvo.exe
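Three things in the registry list above matter for triage. The two Run values (mmva and kamsoft) are user-level persistence pointing at the executables staged into system32. Hidden and ShowSuperHidden under Explorer\Advanced control whether Explorer displays hidden files and protected operating system files; the page does not record the data written, so only the fact that they were touched survives. NoDriveTypeAutoRun is a bitmask in which a set bit disables AutoRun for one drive type; 0x91 was the Windows XP default and leaves AutoRun active on removable and fixed drives, which is exactly what the autorun.inf files seeded at drive roots rely on (0xFF would disable it on every drive type). The script below is an added example for this page, not Prevx tooling: it parses the five entries exactly as recorded and decodes them. The sample text is constructed from the list above, and the bit table follows Microsoft's documented NoDriveTypeAutoRun values.

```python
"""Decode the registry changes recorded above: the NoDriveTypeAutoRun mask
(which drive types still AutoRun) and the Run-key persistence entries.
Added example for this page; it is not Prevx tooling."""
import re

# Constructed sample: the Registry Activity entries exactly as listed above.
REGISTRY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mmva C:\WINDOWS\system32\mmvo.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun [REG_DWORD, value: 00000091]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kamsoft C:\WINDOWS\system32\ckvo.exe
"""

# NoDriveTypeAutoRun bits (Microsoft KB967715). A SET bit disables AutoRun for
# that drive type; 0xFF disables it everywhere.
NO_DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown (reserved bit)",
}
DWORD_RE = re.compile(r"\[REG_DWORD, value: ([0-9A-Fa-f]+)\]")


def autorun_enabled_types(mask):
    """Drive types on which AutoRun still fires under this mask."""
    return [name for bit, name in NO_DRIVE_TYPE_BITS.items() if not mask & bit]


def parse_registry(text):
    """Return (key, value_name, data) tuples. data is an int for REG_DWORD
    entries, None where the page records 'value:' with nothing after it, and
    otherwise the raw string (the command line for Run entries)."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip().lstrip("- ")
        if not line:
            continue
        key, _, rest = line.partition(" ")
        name, _, data = rest.partition(" ")
        data = data.strip()
        m = DWORD_RE.fullmatch(data)
        if m:
            data = int(m.group(1), 16)  # the page shows REG_DWORD data in hex
        elif data in ("", "value:"):
            data = None
        entries.append((key, name, data))
    return entries


def triage(text):
    """Summarise what the recorded registry changes do to the host."""
    report = {"run_entries": [], "explorer_advanced_touched": [],
              "autorun_mask": None, "autorun_enabled_on": []}
    for key, name, data in parse_registry(text):
        leaf = key.rsplit("\\", 1)[-1]
        if leaf == "Run":
            report["run_entries"].append((name, data))
        elif key.endswith(r"\Explorer\Advanced"):
            report["explorer_advanced_touched"].append(name)
        elif name == "NoDriveTypeAutoRun" and isinstance(data, int):
            report["autorun_mask"] = data
            report["autorun_enabled_on"] = autorun_enabled_types(data)
    return report


if __name__ == "__main__":
    r = triage(REGISTRY)
    print(f"NoDriveTypeAutoRun = 0x{r['autorun_mask']:02X}; AutoRun still enabled on: "
          + ", ".join(r["autorun_enabled_on"]))
    for name, cmd in r["run_entries"]:
        print(f"HKCU Run persistence: {name} -> {cmd}")
    print("Explorer view settings touched:", ", ".join(r["explorer_advanced_touched"]))
```

For the recorded data the report shows AutoRun still enabled on removable, fixed, CD-ROM and RAM-disk drives, two HKCU Run entries resolving to C:\WINDOWS\system32\mmvo.exe and C:\WINDOWS\system32\ckvo.exe, and Hidden and ShowSuperHidden touched with no recorded value. Checking the same mask on a live host (HKCU and HKLM\...\Policies\Explorer) and comparing it against 0xFF is a quick way to confirm whether autorun.inf on a plugged-in drive can still execute.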
Website Activity
One or more files with the name UU[n].EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1089 Port:17
- Port 80 IP:60.169.1.92
- TCP:127.0.0.1:1090 Port:17
- Port 80 IP:221.1.204.243
- TCP:127.0.0.1:1093 Port:17
- TCP:127.0.0.1:1096 Port:17
- TCP:127.0.0.1:1099 Port:17
- TCP:127.0.0.1:1101 Port:17
- TCP:127.0.0.1:1104 Port:17
- TCP:127.0.0.1:1107 Port:17
- TCP:127.0.0.1:1109 Port:17
- TCP:127.0.0.1:1112 Port:17
- TCP:127.0.0.1:1115 Port:17
- TCP:127.0.0.1:1118 Port:17
- TCP:127.0.0.1:1121 Port:17
- TCP:127.0.0.1:1124 Port:17
- TCP:127.0.0.1:1127 Port:17