Associated Malware Groups
The unsafe files using this name are associated with the malware group:
File Behavior
DPTRMP~1.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Creates a new Background Service on the machine
- This Process Creates Other Processes On Disk
- This Process Deletes Other Processes From Disk
- Loads and Executes a System Driver File
- Registers a Dynamic Link Library File
- Copies files
- Executes a Process
- Injects code into other processes
- The Process is polymorphic and can change its structure
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Writes to another Process's Virtual Memory (Process Hijacking)
DPTRMP~1.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
- Copied to multiple locations on the system
- Registered as a Dynamic Link Library File
- Added as a Registry auto start to load Program on Boot up
- Terminated as a Process
Country Of Origin
The filename DPTRMP~1.EXE was first seen on Apr 13 2008 in the following geographical regions of the Prevx community:
- SPAIN on Apr 13 2008
- URUGUAY on Apr 24 2008
- PAKISTAN on Apr 24 2008
- GREECE on May 4 2008
- KENYA on May 4 2008
- INDIA on May 19 2008
- The EUROPEAN UNION on Jul 6 2008
File Name Aliases
DPTRMP~1.EXE can also use the following file names:
- QXBX9BLB.COM
- AMVO.EXE
- XMG.EXE
- DPTRAS~1.COM
- 49107139.SVD
- 10386687.EXE
- 8DE.BAT
- LKXCQDB.BAT
- 60010611.EXE
- 51404054.BAT
- 97662946.BAT
- 45998443.DAT
- 76520092.SVD
- 32478865.BAT
- D.CMD
- SMSS.EXE
- XLU8A8SY.EXE
- 19686228.EXE
Filesizes
The following file sizes have been seen (the 1,886,759,389-byte entry is far out of line with the other samples, which are all roughly 100 KB, and should not be used as a detection criterion without confirmation):
- 116,932 bytes
- 103,936 bytes
- 102,822 bytes
- 102,316 bytes
- 1,886,759,389 bytes
- 105,379 bytes
Vendor, Product and Version Information
Files with the name DPTRMP~1.EXE have been seen to have the following Vendor, Product and Version Information in the file header:
- Ap; Ap; 1.0
- K3@OKjht*R+H+35R+Z7H; ;
File Type
The filename DPTRMP~1.EXE is used by multiple object types, including executable programs and other objects.
File Activity
One or more files with the name DPTRMP~1.EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\docume~1\user\locals~1\temp\ovlx.dll
- Copies file c:\windows\system32\dllcache\vga.sys to c:\windows\system32\drivers\vga.sys
- Deletes c:\windows\system32\amvo.exe
- Deletes c:\windows\system32\amvo0.dll
- Creates c:\windows\system32\amvo0.dll
- Deletes c:\qxbx9blb.co
- Copies file c:\windows\system32\amvo.exe to c:\qxbx9blb.co
- Deletes c:\autorun.in
- Creates c:\autorun.in
- Deletes d:\qxbx9blb.co
- Copies file c:\windows\system32\amvo.exe to d:\qxbx9blb.co
- Deletes d:\autorun.in
- Creates d:\autorun.in
- Deletes c:\docume~1\user\locals~1\temp\help.rar
- Deletes c:\windows\xmg.ex
- Opens/modifies c:\autoexec.bat
- Moves c:\docume~1\user\locals~1\temp\help.exe to c:\docume~1\user\locals~1\temp\tru32E.tmp
- Creates c:\windows\xmg.exe
- Copies file c:\windows\xmg.exe to c:\windows\system32\amvo.exe
- Deletes c:\windows\system32\amvo1.dll
- Creates c:\windows\system32\amvo1.dll
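The file activity above shows an autorun.inf being dropped in the root of c:\ and d:\ beside a copy of the worm. The parser below is an added example, not code from the Prevx record, showing how to read such a file and list every command Explorer could run from it (open=, shellexecute=, and the shell\<verb>\command entries, resolving the default verb set by shell=). SAMPLE_AUTORUN_INF is constructed for the example; the page does not show the real file contents, only that one is created next to qxbx9blb.co on each drive.

```python
"""Parse an autorun.inf and list what Explorer would run from it.

Added example for the drive-root drops on this page; not code from the
Prevx record. SAMPLE_AUTORUN_INF is constructed and only assumed to be
representative of what the worm writes.
"""
import configparser

LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample in the style of autorun worms of this period.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=qxbx9blb.com
shellexecute=qxbx9blb.com
shell\\Auto\\command=qxbx9blb.com
shell=Auto
"""


def parse_autorun(text):
    """Return open/shellexecute commands, verb commands and the default verb.

    Keys are lower-cased by configparser, so comparisons below are on
    lower-case names.  A file without an [autorun] section (or without
    any section header at all) yields an empty result rather than an error.
    """
    result = {"open": None, "shellexecute": None, "verbs": {}, "default_verb": None}
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return result
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return result
    for key, value in cp.items(section):
        value = (value or "").strip()
        if key in LAUNCH_KEYS:
            result[key] = value
        elif key == "shell":
            # shell=<verb> makes <verb> the default double-click action
            result["default_verb"] = value.lower()
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            result["verbs"][verb] = value
    return result


def effective_launches(parsed):
    """Commands that can execute on insert or double-click, de-duplicated.

    If a default verb is declared and defined, only its command is reachable
    by double-click; otherwise every defined verb command is a candidate.
    """
    candidates = [parsed["open"], parsed["shellexecute"]]
    default = parsed["default_verb"]
    if default and default in parsed["verbs"]:
        candidates.append(parsed["verbs"][default])
    else:
        candidates.extend(parsed["verbs"].values())
    seen, launches = set(), []
    for cmd in candidates:
        if cmd and cmd.lower() not in seen:
            seen.add(cmd.lower())
            launches.append(cmd)
    return launches


if __name__ == "__main__":
    print(effective_launches(parse_autorun(SAMPLE_AUTORUN_INF)))
```

Run it against autorun.inf files collected from drive roots during triage; any launch target that is an executable sitting in the root of a removable drive (here a .com file with a random name) is the artefact to pull for analysis.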
Registry Activity
One or more files with the name DPTRMP~1.EXE creates or modifies the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run amva C:\WINDOWS\system32\amvo.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun [REG_DWORD, value: 00000091] (0x91 is the Windows XP default: AutoRun is disabled only for unknown and network drive types, so it still fires for removable, fixed and CD-ROM drives, which is what the autorun.inf copies on c:\ and d:\ above depend on)
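The three registry changes above (a Run entry for amvo.exe, Explorer set to hide files, and a NoDriveTypeAutoRun policy value) are what a responder would check on a suspect XP host. The script below is an added example, not code from the Prevx record: it decodes the NoDriveTypeAutoRun bitmask (bit = 1 << drive type, as used by GetDriveType) and audits a registry snapshot for these indicators. SAMPLE_SNAPSHOT is constructed in the shape of the entries on this page; the Hidden=2 / ShowSuperHidden=0 values are assumed, since the page leaves those data fields blank.

```python
"""Decode NoDriveTypeAutoRun and audit the registry indicators listed above.

Added example, not code from the Prevx record.  Bit meanings follow the
DRIVE_* type numbers used by GetDriveType (bit = 1 << type); 0xFF is the
value Microsoft documents for disabling AutoRun on every drive type.
"""
NO_DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown_other",
}
ALL_DRIVES_DISABLED = 0xFF

HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
RUN_KEY = HKCU + r"\Run"
ADVANCED_KEY = HKCU + r"\Explorer\Advanced"
POLICY_KEY = HKCU + r"\Policies\Explorer"

# Constructed snapshot: key path -> {value name: data}.  Hidden=2 and
# ShowSuperHidden=0 are assumed here; they are the XP settings that hide
# hidden and protected operating-system files in Explorer.
SAMPLE_SNAPSHOT = {
    RUN_KEY: {"amva": r"C:\WINDOWS\system32\amvo.exe"},
    ADVANCED_KEY: {"Hidden": 2, "ShowSuperHidden": 0},
    POLICY_KEY: {"NoDriveTypeAutoRun": 0x91},
}


def decode_no_drive_type_autorun(value):
    """Names of the drive types on which AutoRun is disabled by `value`."""
    return [name for bit, name in NO_DRIVE_TYPE_BITS.items() if value & bit]


def removable_autorun_allowed(value):
    """True if AutoRun still fires for removable drives (USB sticks)."""
    return "removable" not in decode_no_drive_type_autorun(value)


def audit_snapshot(snapshot):
    """Return a list of findings for the amvo-style indicators."""
    findings = []
    for name, data in snapshot.get(RUN_KEY, {}).items():
        if str(data).lower().endswith("\\amvo.exe"):
            findings.append(f"Run value '{name}' launches {data}")
    adv = snapshot.get(ADVANCED_KEY, {})
    if adv.get("Hidden") == 2:
        findings.append("Explorer configured not to show hidden files")
    if adv.get("ShowSuperHidden") == 0:
        findings.append("Explorer configured to hide protected OS files")
    ndt = snapshot.get(POLICY_KEY, {}).get("NoDriveTypeAutoRun")
    if ndt is not None and removable_autorun_allowed(ndt):
        findings.append(f"NoDriveTypeAutoRun=0x{ndt:02X} leaves removable-drive "
                        f"AutoRun enabled; set 0x{ALL_DRIVES_DISABLED:02X}")
    return findings


if __name__ == "__main__":
    print(decode_no_drive_type_autorun(0x91))
    for finding in audit_snapshot(SAMPLE_SNAPSHOT):
        print("-", finding)
```

The snapshot dict is the only host-specific input; on a live system it would be filled from a .reg export or the winreg module. Note that 0x91 is not itself evidence of compromise (it is the shipped default), so the finding it produces is a hardening gap rather than an infection indicator, unlike the Run entry.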
Website Activity
One or more files with the name DPTRMP~1.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1093 Port:18
- Port 80 IP:60.169.1.92
- TCP:127.0.0.1:1096 Port:18