MS.EXE, Prevx

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

Cloaked Malware
Malicious Software

File Behavior

MS.EXE has been seen to perform the following behavior:

Found on infected systems and resists interrogation by security products
Executes a Process
Copies files
This process creates other processes on disk
Performs DNS look ups to resolve URL IP addresses
Uses rootkit techniques to conceal its presence, interrogation or removal
Injects code into other processes
Uses low level functions to hide itself from the user and from system/security processes
Writes to another Process's Virtual Memory (Process Hijacking)
Adds a Registry Key (RUN) to auto start Programs on system start up
This Process Deletes Other Processes From Disk
Creates a TCP port which listens and is available for communication initiated by other computers
Uses Instant Messaging to communicate without the user's knowledge
Uses embeded Instant Message Channel Settings
Modifies firewall settings, without user permission so it is not blocked from accessing the Internet
The Process is packed and/or encrypted using a software packing process

MS.EXE has been the subject of the following behavior:

Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Copied to multiple locations on the system
Executed as a Process
Has code inserted into its Virtual Memory space by other programs
Terminated as a Process
Deleted as a process from disk

Country Of Origin

The filename MS.EXE was first seen on May 25 2007 in the following geographical regions of the Webroot community:

on May 25 2007
The United States on May 25 2007
Spain on Oct 1 2007
Belgium on Oct 1 2007
Malaysia on Nov 11 2009
India on Nov 11 2009
Russian Federation on Nov 23 2009
Indonesia on Nov 23 2009
Argentina on Dec 30 2009
Hungary on Feb 7 2011
Hong Kong on Feb 7 2011
The United Kingdom on Feb 13 2011
Venezuela on Feb 13 2011
Italy on May 19 2012

File Name Aliases

MS.EXE can also use the following file name:

MSHOST.EXE
WINDOWS 2008 SERVER KEYGEN.EXE
VIRUS MAKER.EXE
COUNTER-STRIKE KEYGEN.EXE
FTP CRACKER.EXE
RUNESCAPE 2008 - NEWEST EXPLOITS.EXE
ADOBE KEYGEN.EXE
VIRUS GENERATOR.EXE
MSN LIVE PASSWORD CRACKER.EXE
MYSPACE CRACKER.EXE
DEADSPACE KEYGEN.EXE
MICROSOFT VISUAL STUDIO 6 KEYGEN.EXE
DIVX PRO KEYGEN.EXE
STEAM ACCOUNT STEALER.EXE
AOL PASSWORD CRACKER.EXE
PHOTOSHOP KEYGEN.EXE
MSN HACKER 2008.EXE
MSN HACKER 2009.EXE
NORTON ANTI-VIRUS 2008 ENTERPRISE CRACK.EXE
KASPERSKY KEYGEN.EXE
NOD32 KEYGEN.EXE
TCPIP PATCH.EXE
MICROSOFT VISUAL BASIC 6 KEYGEN.EXE
LEFT4DEAD-STEAM-ONLINE-CRACK-WORKS-DECEMBER08.EXE
HOTMAIL CRACKER.EXE
MYSPACE BRUTEFORCE.EXE
WOW ACCOUNT CRACKER.EXE
WIDNOWS VISTA CRACK.EXE
WINDOWS XP CRACK.EXE
NOD32 CRACK.EXE
MICROSOFT VISUAL STUDIO 2008 KEYGEN.EXE
ICQ ACCOUNT CRACKER.EXE
YIM HACKER 2008.EXE
COUNTER-STRIKE SOURCE KEYGEN.EXE
AOL HACKER 2008.EXE
PHOTOSHOP CRACK.EXE
YIM HACKER 2009.EXE
AOL TRITON CRACKER.EXE
MICROSOFT VISUAL BASIC 2008 KEYGEN.EXE
MICROSOFT VISUAL C++ 6 KEYGEN.EXE
MYSPACE ATTACK.EXE
SHOST.EXE
ERASEME_47121.EXE
PROJECT 7 PRIVATE 4.8.EXE
RUNESCAPE GOLD EXPLOIT.EXE
HALF-LIFE 2 WORKS-ON-STEAM.EXE
PASSWORD CRACKER.EXE
RUNESCAPE CRACKER.EXE
HOTMAIL HACKER.EXE
MICROSOFT VISUAL C++ 2008 KEYGEN.EXE
AOL INSTANT MESSENGER (AIM) CRACKER.EXE
KASPERSKY CRCK.EXE
KASPERSKY 2009 FULL SUITE CRACK.EXE
ADOBE PHOTOSHOP CS4 KEYGEN.EXE
ADOBE PHOTOSHOP KEYGEN.EXE
ADOBE PHOTOSHOP CRACK.EXE
ADOBE PHOTOSHOP CS3 KEYGEN.EXE
LIMEWIRE PRO DOWNLOADER.EXE
AOL HACKER 2009.EXE
SERV8.EXE
BNET.EXE
SERV.EXE
GGDRIVE32.EXE.DEL
GGDRIVE32.EXE
MSHOST.EXE.DEL
MS[1].EXE
OT1[1].EXE
DQ.EXE
MSHOST.EXE.42A9
OT1.EXE
OT1_001.EXE
73438668.EXE

Filesizes

The following file size has been seen:

89,600 bytes
61,440 bytes
172,032 bytes
58,137 bytes
155,328 bytes
178,176 bytes
16,384 bytes

File Type

The filename MS.EXE is used by multiple object types including executable programs,objects.

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

MS.EXE