CODEC[n].EXEMalware Dropper

Your PC may be infected. The presence of a file called CODEC[n].EXE is a possible sign of infection.

You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including CODEC[n].EXE. Don't put your confidential data, or your identity at risk, check your PC now with Prevx CSI.

Download Prevx CSI now »

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

Malware Dropper
Cloaked Malware
Malware Downloader

File Behavior

CODEC[n].EXE has been seen to perform the following behavior:

Executes a Process
Writes to another Process's Virtual Memory (Process Hijacking)
This Process Creates Other Processes On Disk
Copies files
Registers a Dynamic Link Library File
Injects code into other processes
Creates new folders in the file system
Enables an In Process Object/Server - Common with DLL Injections
Creates a new Background Service on the machine
The Process is packed and/or encrypted using a software packing process
Adds a Registry Key (RUN) to auto start Programs on system start up
This Process Deletes Other Processes From Disk
Can communicate with other computer systems using HTTP protocols
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Visits web sites on your PC without you knowing

CODEC[n].EXE has been the subject of the following behavior:

Has code inserted into its Virtual Memory space by other programs
Deleted as a process from disk
Executed as a Process
Created as a process on disk
Added as a Registry auto start to load Program on Boot up
Terminated as a Process

Country Of Origin

The filename CODEC[n].EXE was first seen on Jun 11 2008 in the following geographical regions of the Prevx community:

The UNITED STATES on Jun 11 2008
JAPAN on Sep 29 2008
The UNITED KINGDOM on Sep 29 2008
FRANCE on Sep 29 2008
SPAIN on Oct 4 2008

File Name Aliases

CODEC[n].EXE can also use the following file names:

CODEC[1].EXE
HXPNASKV.EXE
6986G42J.EXE
LPHC9Q8J0EACE.EXE
MEDIA_CODECS[n].EXE
8T7YCGHG.EXE
15152832.EXE
CODEC.EXE
DC21.EXE
82157129.EXE
00878144.EXE
21183048.DAT
97316713.DAT

Filesizes

The following file size has been seen:

45,060 bytes
64,000 bytes
46,084 bytes
45,572 bytes
32,768 bytes
11,012 bytes
8,192 bytes

Vendor, Product and Version Information

Files with the name CODEC[n].EXE have been seen to have the following Vendor, Product and Version Information in the file header:

Trankvezit Ltd.; Gdzie zemlja zabere; 1.00

File Type

The filename CODEC[n].EXE refers to many versions of an executable program.

File Activity

One or more files with the name CODEC[n].EXE creates, deletes, copies or moves the following files and folders:

Opens/modifes c:\autoexec.bat
Creates c:\650.bat
Creates c:\gmtet6712.exe
Creates c:\windows\system32\tuvWoomJ.dll
Copies filec:\windows\system32\tuvWoomJ.dll to c:\windows\system32\vtUnnkhG.dll
Creates c:\docume~1\user\locals~1\temp\removalfile.bat
Deletes c:\services.exe
create folder C:\WINDOWS\system32\EV02
Deletes c:\docume~1\user\locals~1\temp\nse24.tmp
Creates c:\windows\system32\MSINET.DEP
Creates c:\windows\system32\MSINET.oca
Creates c:\windows\system32\MSINET.OCX
Creates c:\windows\system32\pac.txt
Creates c:\windows\system32\ev02\EV022328.exe
Creates c:\temp\xp34\cPH.log
Deletes c:\temp\brnU492.exe
Deletes c:\x.txt
Deletes c:\smss.exe
Deletes c:\ctfmon.ex
Deletes c:\650.bat
Creates c:\x.txt
create folder C:\WINDOWS\system32\up5
create folder C:\WINDOWS\system32\von
create folder C:\WINDOWS\system32\nop1
Deletes c:\docume~1\user\locals~1\temp\nsn35.tmp
Creates c:\windows\system32\up5\intsRMD3.exe
Creates c:\windows\system32\von\AWID24U14.exe
Creates c:\windows\system32\nop1\gmtet6712.exe
Creates c:\temp\1cb\syscheck.log
Creates c:\docume~1\user\locals~1\temp\cmdinst.exe
Deletes c:\docume~1\user\locals~1\temp\nsq3D.tmp
Creates c:\docume~1\user\locals~1\temp\nsq3F.tmp
Deletes c:\docume~1\user\locals~1\temp\nsg41.tmp
Creates c:\docume~1\user\locals~1\temp\nsg41.tmp\System.dll
Creates c:\windows\system32\koegkggxddafdfg.dll
Creates c:\windows\system32\rfafkuahlrudzbxc.exe
Creates c:\docume~1\user\locals~1\temp\nsg41.tmp\NSISdl.dll
Creates c:\docume~1\user\locals~1\temp\activation_key
Deletes c:\docume~1\user\locals~1\temp\activation_key
Deletes c:\docume~1\user\locals~1\temp\nsg41.tmp\NSISdl.dll
Deletes c:\docume~1\user\locals~1\temp\nsg41.tmp\System.dll
Creates c:\docume~1\user\locals~1\temp\gmtet6712-0F90.exe
Creates c:\docume~1\user\locals~1\temp\8BDE853F.dat
Deletes c:\docume~1\user\locals~1\temp\8BDE853F.dat
Deletes c:\docume~1\user\locals~1\temp\8bde853f\SFL52.tmp
Creates c:\docume~1\user\locals~1\temp\8bde853f\_Setup.dll
Deletes c:\docume~1\user\locals~1\temp\8bde853f\SFL55.tmp
Creates c:\docume~1\user\locals~1\temp\8bde853f\Setup.ico
Deletes c:\docume~1\user\locals~1\temp\8bde853f\SFL58.tmp
Creates c:\docume~1\user\locals~1\temp\8bde853f\_Setupx.dll

Registry Activity

One or more files with the name CODEC[n].EXE creates or modifies the following registry keys and values:

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\pz\x
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\dt2\x x 9/29/2008
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile EnableFirewall value:

Network Activity

One or more files with the name CODEC[n].EXE performs the following network events:

DNS Lookup77.245.49.24 ads.innbanner.com

Website Activity

One or more files with the name CODEC[n].EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

members .chello .sk / j .szakalova / a .dat
members .chello .sk / j .szakalova / b .dat
members .chello .sk / j .szakalova / c .dat
Port 80 IP:80.109.240.74
TCP:127.0.0.1:1116 Port:17
Port 80 IP:64.225.156.213
command .adservs .com / binaries / installer .php?a=MTE5MTA6ODoxNg
Port 80 IP:81.22.36.106
Port 80 IP:77.245.49.24

Virus, Spyware & Malware Center »