Prevx Research Division
ISE32.EXE
System Back DoorFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove ISE32.EXE.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The filename is associated with the malware groups:
- System Back Door
- Cloaked Malware
- Malicious Software
File Behavior
ISE32.EXE has been seen to perform the following behavior:
- The Process is polymorphic and can change its structure
- Executes a Process
- Writes to another Process's Virtual Memory (Process Hijacking)
- This process creates other processes on disk
- Injects code into other processes
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Uses DNS to retrieve the IP address for web sites
- Visits web sites on your PC without you knowing
- Uses your PC to connect to Chat rooms
- Found on infected systems and resists interrogation by security products
- The Process is packed and/or encrypted using a software packing process
- Modifies Windows Initialization And System Settings Used On Start up
- Registers a Dynamic Link Library File
- This Process Deletes Other Processes From Disk
- Enables an In Process Object/Server - Common with DLL Injections
- Checks for the use of debuggers
- Disables the Notification Balloon for the Windows Security Center
- Disables Access to the Windows Registry Editior
- Disables Access to the Task Manager built into Windows
- Modifies Windows Security Policies to restrict/expand User Privileges on the machine
- Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
- Adds products to the system registry
- Hooks the WININET.DLL function allowing it to read or copy Http and Https web page content and session information
- Changes the Windows Security Center to stop Antivirus status alerts from being displayed
- Changes the Windows Security Center to stop Firewall status alerts from being displayed
- Changes the Windows Security Center to stop Firewall override alerts from being displayed
- Changes the Windows Security Center to stop warnings from being displayed if automatic Windows Updates are not enabled
- Disables safe mode on your PC
- Injects code into other processes
- Creates a new Background Service on the machine
ISE32.EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
- Added as a Registry Key (DXCOM) to auto start Programs on system start up
- Copied to multiple locations on the system
- Deleted as a process from disk
- Added as a Registry auto start to load Program on Boot up
- Victim of a Heap Based Buffer Overflow Exploit
- Terminated as a Process
Country Of Origin
The filename ISE32.EXE was first seen on Mar 28 2008 in the following geographical regions of the Webroot community:
- Canada on Mar 28 2008
- Bulgaria on Mar 28 2008
- South Africa on May 15 2008
- Spain on May 15 2008
- France on Jun 18 2008
- The United States on Aug 4 2008
- Russian Federation on Oct 27 2009
- Romania on Apr 11 2010
- The United Kingdom on Apr 11 2010
File Name Aliases
ISE32.EXE can also use the following file names:
- SYSTE.EXE
- ISE32.EXE.DEL
- GTEWT.EXE
- MAKERS[1].EXE
- PIWE.EXE
- KBDZ.EXE
- QRAO.EXE
- UNEK.EXE
- LVXXTOID.EXE
- NHSKFXES.EXE
- TNPFLOXV.EXE
- BADKGDN.EXE
- NUNB.EXE
- SWGDXEW.EXE
- LOPEZBB.EXE
- EZZZH.EXE
- HAYDCXI.EXE
- ASDASSD.EXE
- SWASDASSD.EXE
- VIRUS USB XOR CRYPTER/RELEASE/X0R-P.EXE
- COUIOPU.EXE
- ADSOPISD.EXE
- ASDASD.EXE
- ASDSAD.EXE
- ASOPISD.EXE
- DFLKS.EXE
- DWASDASSD.EXE
- LKS.EXE
- PODER.EXE
- POOODER.EXE
- SDSSDSD.EXE
- WASDASSD.EXE
- WAXSDAD.EXE
- WDASSD.EXE
- IS2[n].EXE
- JUF34.EXE
- K85DFDRFSDGT[n].EXE
- SS1[n].EXE
- B143GT[n].EXE
- BOT[n].EXE
- SWDF.EXE
- SYSTI.EXE
- SYESTE.EXE
- SYSTR.EXE
- SYSTQ.EXE
- SYSTZ.EXE
- JHKJKJ.EXE
- SYRSF.EXE
- SYSF.EXE
- SYWQT.EXE
- DYDE.EXE
- AVVAQ.EXE
- KK2[n].EXE
- FOLDER.EXE
- TIP.EXE
- RT.EXE
- K2.EXE
- FR.EXE
Filesizes
The following file size has been seen:
- 33,444 bytes
- 14,336 bytes
- 93,752 bytes
- 29,184 bytes
- 114,176 bytes
- 13,824 bytes
- 51,488 bytes
- 192,000 bytes
File Type
The filename ISE32.EXE refers to many versions of an executable program.
File Activity
One or more files with the name ISE32.EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
- Deletes c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\ise32.exe
- Deletes c:\windows\system32\Verclsid.exe
- Creates c:\windows\system32\tdggrz.dll
- Deletes c:\windows\system32\tf
- Deletes c:\windows\system32\opshbbty.dll
- Deletes c:\windows\system32\etshabty.exe
- Copies filec:\docume~1\user\locals~1\temp\12.gif to c:\windows\system32\etshabty.exe
- Deletes c:\docume~1\user\locals~1\temp\~DFD155546.bat
- Deletes c:\windows\system32\zptlcsys.dll
- Deletes c:\windows\system32\aitlasys.exe
- Copies filec:\docume~1\user\locals~1\temp\13.gif to c:\windows\system32\aitlasys.exe
- Deletes c:\docume~1\user\locals~1\temp\12.gif
- Deletes c:\docume~1\user\locals~1\temp\~DFD15~1.BAT
Network Activity
One or more files with the name ISE32.EXE performs the following network events:
- DNS Lookup72.10.172.213 uuuu.ka3ek.com
Website Activity
One or more files with the name ISE32.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:72.10.172.213:7000 Port:31
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.