DD1.EXE, Prevx

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

Information Stealer
Fraudulent Security Program
Malware Dropper

File Behavior

DD1.EXE has been seen to perform the following behavior:

Can communicate with other computer systems using HTTP protocols
Writes to another Process's Virtual Memory (Process Hijacking)
This process creates other processes on disk
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Visits web sites on your PC without you knowing
The Process is polymorphic and can change its structure
Executes Processes stored in Temporary Folders
This Process Deletes Other Processes From Disk
Executes a Process
Adds products to the system registry
Adds an ActiveX component changing or modifying the function of your browser
Registers a Dynamic Link Library File
Changes to the file command map within the registry
Terminates Processes
Enables an In Process Object/Server - Common with DLL Injections
The Process is packed and/or encrypted using a software packing process

DD1.EXE has been the subject of the following behavior:

Has code inserted into its Virtual Memory space by other programs
Terminated as a Process
Executed as a Process
Created as a process on disk
Deleted as a process from disk
Executed by Internet Explorer
Executed from Temporary Folders
Registered as a Dynamic Link Library File

Country Of Origin

The filename DD1.EXE was first seen on May 18 2007 in the following geographical regions of the Webroot community:

Spain on May 18 2007
The United States on May 18 2007
Europe on Jun 14 2007
Portugal on Oct 3 2007
Italy on Dec 21 2007
France on Dec 21 2007
on Sep 6 2008
South Africa on May 19 2012

File Name Aliases

DD1.EXE can also use the following file names:

APBNVELJ.EXE
W34NPRBU.EXE
D9UH6O9K.EXE
JBVAB09H.EXE
PHKKDFFT.EXE
TQ8RMZYC.EXE
LP6I2ZJL.EXE
DTRSOH81.EXE
WH0LIUG7.EXE
ISHQAMJC.EXE
J21RZJWU.EXE
SETUP_VER1.1594.1.EXE
POPULARSCREENSAVERSSETUP2.2.60.11-2[1].EXE
Q6VUN352.EXE
DOLPHINS.EXE
ENDEVLMN.EXE
H0CPF1N6.EXE
HGJSIO3L.EXE
I1GCS1K5.EXE
KMTC8DXQ.EXE
KOFK9GWV.EXE
PIFH4IV7.EXE
POPULARSCREENSAVERSSETUP2.2.60.11-2.EXE
POPULARSCREENSAVERSSETUP2.2.60.11-2.ZRFOX000.EXE
POPULARSCREENSAVERSSETUP2.2.60.11-2.ZRFOX111.EXE
XP CODEC PACK 2.0.7.1.EXE
XP CODEC PACK 2.0.7.1_(WWW.PROGRAMOSY.PL).EXE
XP_CODEC_PACK2.0.7.1.EXE
XP CODEC PACK 2.0.7.1(LASTESTWMP11CODEC).EXE
N4PZ2CAV.EXE
CATALYST7-12_XP32_DD_CCC_WDM_ENU_55811.EXE
RADEON_ATI9800_7-12_XP32_FULL.EXE
HD2600 7-12_XP32_DD_CCC_WDM_ENU_55811.EXE
ATI RADEON 9600 X1050 SERIES, ATI RADEON 9600 X1050 SERIES SECONDARY.EXE
KEYGEN.EXE
ABCDEFG-KEYGEN.EXE
WINASO REGISTRY OPTIMIZER 3.0.9.EXE
W.EXE
DC17.EXE
DF9.EXE
DD127.EXE
6T121PLQ.EXE
DD2.EXE
DF14.EXE
DH17.EXE
DC53.EXE
9TL5LO9N.EXE
4GJ99B6V.EXE
0X0LMRWK.EXE
4RM23KN5.EXE
8LQ6TUHO.EXE

Filesizes

The following file size has been seen:

73,728 bytes
10,157,436 bytes
2,709,232 bytes
6,134,851 bytes
47,082,032 bytes
96,249 bytes
77,528 bytes

File Type

The filename DD1.EXE is used by multiple object types including executable programs,objects.

File Activity

One or more files with the name DD1.EXE creates, deletes, copies or moves the following files and folders:

Opens/modifes c:\autoexec.bat
Creates c:\docume~1\user\locals~1\temp\lwpwer.exe

Website Activity

One or more files with the name DD1.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

64 .247 .39 .247 / confirm .php?aid=0&said=0
second-reason .com / up .php?advid=4683
Port 80 IP:64.247.39.247
Port 80 IP:220.196.42.218

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

DD1.EXE

Free PC Cleanup from Webroot