NEW FOLDER .EXE, Prevx

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

Information Stealer
Cloaked Malware
Worm

File Behavior

NEW FOLDER .EXE has been seen to perform the following behavior:

The Process is packed and/or encrypted using a software packing process
Copies files
Executes a Process
This Process is a file infector which modifies program files to include a copy of the infection
This process creates other processes on disk
Registers a Dynamic Link Library File
Checks for the use of debuggers
Creates new folders in the file system
Sets processes to start during user logon
Creates a new Background Service on the machine
Looks at the contents of the autoexec.bat file
Drops known malicious software during execution
Reads email address and phone book details
Uses DNS to retrieve the IP address for web sites
Visits web sites on your PC without you knowing
Found on infected systems and resists interrogation by security products
Creates, modifies or schedules batch jobs

NEW FOLDER .EXE has been the subject of the following behavior:

Copied to multiple locations on the system
Executed as a Process
Created by processes which appear to be checking for interception by security products
Added as a Registry auto start to load Program on Boot up
Deleted as a process from disk
Created as a process on disk

Country Of Origin

The filename NEW FOLDER .EXE was first seen on May 26 2008 in the following geographical regions of the Webroot community:

India on May 26 2008
Spain on Mar 30 2009
South Africa on Jul 7 2009
Turkey on Nov 3 2010

File Name Aliases

NEW FOLDER .EXE can also use the following file names:

REGSVR.EXE
SVCHOST .EXE
SYSTEM .EXE
CAR RACE .EXE
NEED FOR SPEED II SE .EXE
RECYCLER .EXE
NEXT .EXE
UCK .EXE
APPLICATION DATA .EXE
E MAIL MESSAGES.DOC
SETTINGS .EXE
FILES .EXE
QUICKBOOKS 2008 .EXE
SAMPLE COMPANY FILES .EXE
DEVICE .EXE
DEBUG .EXE
CONTENT.WORD.EXE
PROGRAM FILES .EXE
AHALI3ST .EXE
WINDOWS .EXE
TEMPORARY INTERNET FILES .EXE
DESKTOP .EXE
C1WL4HO7 .EXE
ABIGAILR .EXE
CONTENT.IE5 .EXE
E9ED4XI7 .EXE
GHU7ELM5 .EXE
OIS .EXE
PROGRAMS .EXE
XLSTART .EXE
K5IF436P .EXE
SPPLUGINS .EXE
M0X77YXJ .EXE
COMMON FILES .EXE
STARTUP .EXE
SYSTEM32 .EXE
CONTENT.MSO.EXE
OSFINANCIALS .EXE
PLUGINS .EXE
DOCUMENTS .EXE
START MENU .EXE
QUICK LAUNCH .EXE
RESTORE .EXE
CONFIG .EXE
BIN .EXE
SEPEDI GR4 .EXE
SEPEDI.SESOTHO .EXE
SAPS .EXE
ASSERROR_FILES .EXE
MY_UNISA_AC_ZA MY ADMIN ASSIGNMENTS_FILES .EXE
MY_UNISA_AC_ZA MY ADMIN ASSIGNMENTS.1_FILES .EXE
MY_UNISA_AC_ZA MY ADMIN ASSIGNMENTS.VER 4_FILES .EXE
MY_UNISA_AC_ZA MY ADMIN ASSIGNMENTS.VER 05_FILES .EXE
UMNYEZANI PICTURES .EXE
FOUND.001 .EXE
JANZEL-MARIE .EXE
MICROSOFT WORD 2007 .EXE
ORCHESTRAL MANOEUVRES IN THE DARK .EXE
PE 2010 PHOTOS - 30 APRIL 2010 .EXE
OPENING CEREMONY & SWIMMING .EXE
BEST OF OMD [UK BONUS TRACKS] .EXE
VARIOUS .EXE
LEAVE THIS TOWN .EXE
TEN COMMANDMENT .EXE
DCIM .EXE
N1 ROAD .EXE
SMART.DVD.RIPPER.V1.1.1 .EXE
NERO .EXE
USB VAULT .EXE
TLSR .EXE
NETWORKSERVICE .EXE
FOUND.000 .EXE
USB 2.0 DRIVER .EXE
SCHOOLS ADMIN .EXE
CAPE TOWN .EXE
RECYCLED .EXE
DMC .EXE
RUGBY .EXE
GRASS .EXE
PICTURES .EXE
BAGEDOUB .EXE
CHARANGA CUBANA .EXE
MUSIC .EXE
DENNIS THE MENACE &_BIG WORLD .EXE
BUMP DJ COSTA .EXE
D.O.N.S &_DBN FT KADOC .EXE
ADAM 1 .EXE
JUSCHED.EXE
DWNTDUX.HLPDDD.EXE
JRE-07TMPUKS.EXE
AUDIO RECORDING FOR 13-03-09 .EXE
APPLICATIONS .EXE
APPLICATIONS_OLD .EXE
DELETE .EXE
AUDIO4MCHINTU .EXE
BOOTCAMP HD WAY REECORDING 22 02 09 .EXE
CUSTOMER MANAGEMENT CASTROL HD WAY SUMMARIZE AGREEMENTS .EXE
CUSTOMER MANAGEMENT CASTROL HD WAY EFFECTIVE QUESTIONING .EXE
CUSTOMER MANAGEMENT CASTROL HD WAY WORKBOOK EXERCISE .EXE
CUSTOMER MANAGEMENT CASTROL HD WAY FOURTH PART-----HD WAY .EXE
CUSTOMER MANAGEMENT CASTROL HD WAY USER INSTRUCTIONS .EXE
BOOTCAMP WS WAY REECORDING 22 02 09 .EXE
FINAL APPLICATION_FILES 27 02 09 .EXE
ANALYSER .EXE
MY PICTURES .EXE
SAMPLE PICTURES .EXE
SAMPLE PLAYLISTS .EXE
MY MUSIC .EXE
MY PLAYLISTS .EXE
SAMPLE MUSIC .EXE
SYNC PLAYLISTS .EXE
MY VIDEOS .EXE
OLD .EXE
VRUSHALI .EXE
WHAT DO CONSUMERS LOOK FOR IN OIL .EXE
INDAIN AUTOMOTIVE LUBE MARKET .EXE
WHAT DO CONSUMERS LOOK FOR IN A CHANNEL .EXE
ENERGIZER MARKET 22 02 09 .EXE
HOW DO CONSUMERS BUY & CHANGE THE OIL .EXE
LUBE BASICS AND APPLICATIONS LUBE BASICS SUMMARY .EXE
LUBE BASICS AND APPLICATIONS LUBE BASICS PROPERTIES OF A LUBRICANT .EXE
ENERGIZER LUBE BASICS AND APPLICATIONS LUBE BASICS 22 02 09 .EXE
LUBE BASICS AND APPLICATIONS LUBE BASICS INTRODUCTION .EXE
COMPANY HSSE TYPICAL AREAS OF RISK .EXE
ENERGIZER HHSE 22 02 09 .EXE
COMPANY HSSE CHECK YOUR UNDERSTANDING 1 .EXE
COMPANY HSSE SUMMARY .EXE
COMPANY BRAND THE CASTROL BRAND INTRODUCTION .EXE
ENERGIZER CASTROL 22 O02 09 .EXE
COMPANY BRAND CASTROL THE CASTROL BRAND OUR VISION .EXE
COMPANY BRAND CASTROL THE CASTROL BRAND SUMMARY .EXE
COMPANY BRAND CASTROL THE CASTROL BRAND CHECK YOUR UNDERSTANDING 2 .EXE
COMPANY BRAND CASTROL THE CASTROL BRAND OUR EXPECTATIONS .EXE
COMPANY BRAND CASTROL THE CASTROL BRAND CASTROL INDIA .EXE
COMPANY BP SUMMARY .EXE
ENERGIZER BP 22 O02 09 .EXE
COMPANY BP BP BRAND VALUES .EXE
COMPANY BP INTRODUCTION .EXE
INTRODUCTIONABOUT THE CASTROL ENERGIZER PROGRAM .EXE
ENERGIZER INTRODUCTION 22 02 09 .EXE
INTRODUCTION IMPORTANCE OF THE CASTROL ENERGIZER PROGRAM FOR THE DISTRIBUTOR TEAM .EXE
CUSTOMER MARKETINGDEMAND PLANNING WHAT IS DREAM .EXE
DEMAND PLANNING 22 02 09 .EXE
SCREEN CUSTOMER MANAGEMENT CASTROL WORKSHOP WAY MEETING WITH THE DECISION-MAKER .EXE
STARWIND .EXE
RECYCLE .EXE
KALYANI .EXE
F .EXE
C .EXE
0409 .EXE
S-51-9-25-3434476501-1644491938-601013333-1214 .EXE
P-1-3-64-8794238531-8742492-9897532 .EXE
S-V-6-2009 .EXE
NR2009 .EXE
LL .EXE
D-0-060-0000000000-1111111-2222222 .EXE
S-1-5-21-1482476501-1644491937-682003330-1013 .EXE
S-1-5-31-1286970278978-5713669491-166975984-320 .EXE
MP3 .EXE
DD72.EXE
DD70.EXE
K-1-3542-4232123213-7676767-8888886 .EXE

Filesizes

The following file size has been seen:

617,343 bytes
683,009 bytes
617,984 bytes
327,680 bytes
64,000 bytes
646,145 bytes
719,540 bytes
616,609 bytes

File Type

The filename NEW FOLDER .EXE refers to many versions of an executable program.

File Activity

One or more files with the name NEW FOLDER .EXE creates, deletes, copies or moves the following files and folders:

Creates c:\windows\system32\svchost.exe
create folder C:\WINDOWS\system32\28463
Creates c:\docume~1\user\locals~1\temp\aut9.tmp
Creates c:\windows\system32\28463\svchost.exe
Deletes c:\docume~1\user\locals~1\temp\aut9.tmp
Creates c:\docume~1\user\locals~1\temp\autD.tmp
Creates c:\windows\system32\28463\svchost.001
Deletes c:\docume~1\user\locals~1\temp\autD.tmp
Opens/modifes c:\autoexec.bat
Creates c:\windows\system32\setting.in
Creates c:\windows\system32\28463\svchost.002
Deletes c:\windows\system32\28463\svchost.00
Deletes c:\windows\system32\28463\svchost.00
Deletes c:\windows\system32\28463\svchost.00
Deletes c:\windows\system32\28463\svchost.009

Network Activity

One or more files with the name NEW FOLDER .EXE performs the following network events:

DNS Lookup205.188.249.185 smtp.aol.com

Website Activity

One or more files with the name NEW FOLDER .EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

yahoo .com / setting .doc
yahoo .com / setting .xls
www .yahoo .com / setting .doc
www .yahoo .com / setting .xls
Port 80 IP:68.180.206.184
Port 80 IP:87.248.113.14
Remote server connection to ftp .smtp .r
TCP:205.188.249.185:25 Port:15
TCP:82.204.219.231:21 Port:18

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

NEW FOLDER .EXE

Free PC Cleanup from Webroot