71812444.EXE (Derivative 1977775157), Prevx

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

Information Stealer
System Back Door
Malicious Software

File Behavior

71812444.EXE has been seen to perform the following behavior:

Creates system tray popups, messages, errors and security warnings
Uses DNS to retrieve the IP address for web sites
Adds a Registry Key (RUN) to auto start Programs on system start up
This process creates other processes on disk
Writes to another Process's Virtual Memory (Process Hijacking)
Executes Processes stored in Temporary Folders
This Process Deletes Other Processes From Disk
Executes a Process
Registers a Dynamic Link Library File
Injects code into other processes
Copies files
The Process is packed and/or encrypted using a software packing process
The Process is polymorphic and can change its structure

71812444.EXE has been the subject of the following behavior:

Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Executed as a Process
Deleted as a process from disk
Copied to multiple locations on the system
This Process may have been infected by a file infecting virus
Registered as a Dynamic Link Library File
Executed from Temporary Folders
Has code inserted into its Virtual Memory space by other programs
Terminated as a Process

Country Of Origin

The filename 71812444.EXE was first seen on May 22 2007 in the following geographical regions of the Webroot community:

The United States on May 22 2007
Taiwan on Jun 2 2007
Europe on Aug 10 2008
Spain on Feb 25 2009
Germany on Feb 25 2009
Peru on Feb 20 2010
Guatemala on Feb 20 2010
South Africa on Nov 15 2011
Italy on May 19 2012

File Name Aliases

71812444.EXE can also use the following file names:

FTP.EXE
PAYPAL_HACK.EXE
ARCHLORD_COOLDOWN_HACK_BY_H4XXOR.EXE
STEAM_UNLOCKER_0.99[n].EXE
DL[n].EXE
STEAM READER.EXE
TS-SA_HACK BY H4XXOR.EXE
FREAKMT2.EXE
IEXPLORER.EXE
Y1AG2RTQ9F.EXE
FTP.EXE:S12
70547539.EXE
96999885.DAT

Filesizes

The following file size has been seen:

16,384 bytes
52,224 bytes
42,496 bytes
593,920 bytes
18,395 bytes
135,168 bytes
61,011 bytes
91,136 bytes

File Type

The filename 71812444.EXE is used by multiple object types including executable programs,objects.

File Activity

One or more files with the name 71812444.EXE creates, deletes, copies or moves the following files and folders:

Creates c:\docume~1\jim\locals~1\temp\dwwin.exe
Creates c:\docume~1\jim\locals~1\temp\Jim@HOME-OFF-D5F0AC.htm
Opens/modifes c:\autoexec.bat
Creates c:\docume~1\jim\locals~1\temp\msg.txt
Creates c:\docume~1\jim\locals~1\temp\fire.txt
Creates c:\docume~1\jim\locals~1\temp\cho.txt
Creates c:\docume~1\jim\locals~1\temp\4535_appcompat.txt
Creates c:\docume~1\jim\locals~1\temp\ie.txt
Creates c:\docume~1\jim\locals~1\temp\ps.txt
Creates c:\docume~1\jim\locals~1\temp\dial.tx
Creates c:\docume~1\jim\locals~1\temp\ste.txt

Network Activity

One or more files with the name 71812444.EXE performs the following network events:

DNS Lookup ftp.aerox472.ae.ohost.de
DNS Lookup213.202.225.39 ftp.aerox472.ae.ohost.de

Website Activity

One or more files with the name 71812444.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

Remote server connection to ftp .aerox472 .ae .ohost .d
TCP:213.202.225.39:21 Port:20
TCP:213.202.225.39:49069 Port:20

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

71812444.EXE

Free PC Cleanup from Webroot