Associated Malware Groups
The filename is associated with the malware groups:
- System Back Door
- Cloaked Malware
- Worm
File Behavior
RAKYATKELAPARAN.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Found on infected systems and resists interrogation by security products
- Uses low level functions to hide itself from the user and from system/security processes
- Uses rootkit techniques to conceal its presence, interrogation or removal
- Creates a new Background Service on the machine
- Uses DNS to retrieve the IP address for web sites
- Registers a Dynamic Link Library File
- Makes outbound connections to other computers using NETBIOSOUT protocols
- Can communicate with other computers using TCP protocols
- Executes a Process
- Can communicate with other computer systems using HTTP protocols
- This Process Deletes Other Processes From Disk
- This process creates other processes on disk
- Registers or amends SMTP Mail Servers on the public internet
- Sends mail without telling you
- Checks for the use of debuggers
- Reads email address and phone book details
- Visits web sites on your PC without you knowing
- Looks at the contents of the autoexec.bat file
- This Process is a file infector which modifies program files to include a copy of the infection
- Hooks the WININET.DLL function, allowing it to read or copy HTTP and HTTPS web page content and session information
- Downloads program file(s) and other content from the web
- Disables safe mode on your PC
- Sets processes to start during user logon
- Injects code into other processes
- Performs DNS look ups to resolve URL IP addresses
- Creates or uses a background service to access the Internet using HTTP protocols
- Ability to execute files automatically on your PC
- Writes to another Process's Virtual Memory (Process Hijacking)
- Deletes Links in the Start Menu
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Modifies the Windows Host File which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
- Terminates Processes
- Creates new folders on the system
- Copies files
- Changes the Internet Explorer Home Page Settings
- Modifies Windows Security Policies to restrict/expand User Privileges on the machine
- Adds a Link in the Start Menu
- Disables the built-in Windows File Protection System
- Disables the built-in Windows System Restore Feature
- Changes IE options including home page, security tab, colour, font, advanced, menu
- Disables Access to the Windows Registry Editor
- Disables Access to the Task Manager built into Windows
RAKYATKELAPARAN.EXE has been the subject of the following behavior:
- Added as a Registry auto start to load Program on Boot up
- Created as a process on disk
- Executed as a Process
- Copied to multiple locations on the system
- Registered as a Dynamic Link Library File
- Created by processes which appear to be checking for interception by security products
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
- Terminated as a Process
- This process has been seen to have code injected by malicious programs
- Created as a new Background Service on the machine
- Executed by Internet Explorer
- Added as a Link in the Start Menu
- Executed from Temporary Folders
- Deleted as a Link in the Start Menu
Country Of Origin
The filename RAKYATKELAPARAN.EXE was first seen on May 3 2007 in the following geographical regions of the Webroot community:
- on May 3 2007
- The United States on May 3 2007
- Hungary on May 8 2007
- India on Jul 8 2007
- Spain on Sep 11 2008
- Egypt on Sep 11 2008
- Italy on May 7 2009
- The United Kingdom on Dec 28 2010
- South Africa on May 24 2012
File Name Aliases
RAKYATKELAPARAN.EXE can also use the following file names:
- PRYLXOQB.EXE
- LSASS.EXE
- CSLOTKF.EXE
- PTUPEJR.EXE
- WSPCPQ[n].HTM
- UTOMB.EXE
- WTNU.EXE
- LSASS.EX_
- MSCONFIG.EXE
- PAGEFILE.PIF
- LSASS.EXE.229750.EXE
- LSASS.EXE.44890.EXE
- LSASS.EXE.104593.EXE
- LSASS.EXE.49265.EXE
- PHQ.EXE
- BOOT.EXE
- BSNL6.EXE
- DITTY.EXE
- FA CMDRS BREIFING.EXE
- WORM2007[1].EXE
- WORM2007[3].EXE
- EXPLORE.EXE
- CSRSS.EXE
- CMD-BRONTOK.EXE
- HOSTS-DENIED BY-PLUCKY1.COM
- INETINFO.EXE
- SERVICES.EXE
- WINLOGON.EXE
- SMSS.EXE
- BR6525ON.EXE
- KESENJANGANSOSIAL.EXE
- EMPTY.PIF
- FILEMAN.EXE
- DATA GREY HOUSE.EXE
- -B7E1BD99716BC1F4AD880049AB929B00593AA78C.EXE
- DD1.EXE
Filesizes
The following file sizes have been seen:
- 20,480 bytes
- 13,312 bytes
- 172,544 bytes
- 94,224 bytes
- 107,520 bytes
- 44,401 bytes
File Type
The filename RAKYATKELAPARAN.EXE is used by multiple object types including executable programs, objects.
File Activity
One or more files with the name RAKYATKELAPARAN.EXE create, delete, copy or move the following files and folders:
Network Activity
One or more files with the name RAKYATKELAPARAN.EXE perform the following network events:
Website Activity
One or more files with the name RAKYATKELAPARAN.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.