Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Malicious Software
- Worm
- P2P Share Worm
File Behavior
ZUMA.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- This Process sends MIME Email
- Makes outbound connections to other computers using NETBIOSOUT protocols
- Can communicate with other computer systems using HTTP protocols
- Adds products to the system registry
- Executes a Process
- Registers a Dynamic Link Library File
- Creates system tray popups, messages, errors and security warnings
- Enables an In Process Object/Server - Common with DLL Injections
- Adds a Web Site Domain in the Internet Explorer Trusted Zone reducing its security protection
- Creates a TCP port which listens and is available for communication initiated by other computers
- Opens browser pop ups
- Runs Javascript code
- Uses DNS to retrieve the IP address for web sites
- This process creates other processes on disk
- This Process Deletes Other Processes From Disk
- Terminates Processes
- Uses rootkit techniques to conceal its presence, interrogation or removal
- Injects code into other processes
- Performs DNS look ups to resolve URL IP addresses
- Writes to another Process's Virtual Memory (Process Hijacking)
- The Process is polymorphic and can change its structure
ZUMA.EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Deleted as a process from disk
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Downloaded from covert web sites without the user knowing
- Registered as a Dynamic Link Library File
- Created by processes which appear to be checking for interception by security products
- Added as a Registry auto start to load Program on Boot up
Country Of Origin
The filename ZUMA.EXE was first seen on May 14 2007 in the following geographical regions of the Webroot community:
- South Africa on May 14 2007
- on May 14 2007
- The United States on Jun 6 2007
- Turkey on Jun 6 2007
- Czech Republic on Oct 14 2007
- Japan on Dec 14 2007
- Romania on Feb 12 2008
- China on Aug 5 2009
- The United Kingdom on Dec 31 2010
File Name Aliases
ZUMA.EXE can also use the following file names:
- UPDATE.EXE
- BAM BAM.EXE
- LULO CAFE SOUL.EXE
- LIQUIDDEEP-FABRICS OF THE HEART.EXE
- NEW FOLDER.EXE
- ITIL V3.EXE
- W-A-T.EXE
- CODECS.EXE
- INTEC.EXE
- PPM.EXE
- THE PEOPLE SIDE OF PROJECT MANAGEMENT.EXE
- QUALITY MANAGEMENT.EXE
- VISUAL CERT EXAM SUITE.EXE
- QUESTIONS.EXE
- VISUAL CERTEXAM SUITE.EXE
- HILDA.EXE
- COST MANAGEMENT.EXE
- RISK MANAGEMENT.EXE
- PM PRACTCES, PRINCIPLES ANS SCHEDULING.EXE
- PM PRACTCES, PRINCIPLES ANS SCHEDULING (1).EXE
- THE PEOPLE SIDE OF PROJECT MANAGEMENT (1).EXE
- ALEX.EXE
- USBVAULT.EXE
- OSBOURNE.EXE
- LEGAL ASPECTS.EXE
- USER MANUALS MULTI-LANGUAGES.EXE
- LSI.EXE
- GOSSIPP.EXE
- COURSE.EXE
- EXEL.EXE
- PISCES.EXE
- RISK MANAGEMENT FINAL.EXE
- VACECTOMY.EXE
- ARIES.EXE
- GROUP ASSIGNMENT.EXE
- PALM READING.EXE
- BIOS FIRMWARE.EXE
- DUMA2.EXE
- IBM SOFTWARE.EXE
- ITIL MATERIAL.EXE
- JACQUES1.EXE
- NEW MOVIES.EXE
- PROFILE.EXE
- PROFILENEW.EXE
- ROOT.EXE
- SOI & PROCESS FLOW.EXE
- STUDY MATERIAL.EXE
- STUDY.EXE
- SYSTEM VOLUME INFORMATION.EXE
- DELL OPTIPLEX GX330.EXE
- ESPRIMO.EXE
- FRANS.EXE
- RECYCLER.EXE
- ZUMADELUXE.EXE
- RECEIVED.EXE
- RECYCLE.EXE
- TMP.FILES.EXE
- CVS.EXE
- NEW FOLDER (1).EXE
- مهنة_FILES.EXE
- F3E6CD.EXE
- B873AA.EXE
- WUAUCLT.EXE
- CDE05F.EXE
- C5231A.EXE
- 74BE16.EXE
- 102355.EXE
- S1037637.EXE
- C9200.EXE
- $RECYCLE.BIN.EXE
Filesizes
The following file sizes have been seen:
- 345,207 bytes
- 555,008 bytes
- 2,044,032 bytes
- 1,399,809 bytes
- 1,610,272 bytes
- 1,406,878 bytes
- 1,306,883 bytes
- 2,658,305 bytes
- 26,112 bytes
File Type
The filename ZUMA.EXE refers to many versions of an executable program.
File Activity
One or more files with the name ZUMA.EXE create, delete, copy or move the following files and folders:
- create folder C:\Program Files\Trymedia
- create folder C:\Program Files\Trymedia\ActiveMark
- create folder C:\Program Files\Trymedia\ActiveMark\licenses
- create folder C:\Program Files\
- create folder C:\Program Files\\TryMedia
- create folder C:\Program Files\\TryMedia\ActiveMark
- create folder C:\Program Files\\TryMedia\ActiveMark\data
- Opens/modifies c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\d811_appcompat.txt
- Creates c:\docume~1\user\locals~1\temp\d820_appcompat.txt
- Creates c:\documents and settings\all users\application data\microsoft\dr watson\user.dmp
- Deletes c:\documents and settings\all users\application data\microsoft\dr watson\user.dmp
- Creates c:\docume~1\user\locals~1\temp\1D5C9.dmp
Network Activity
One or more files with the name ZUMA.EXE perform the following network events:
- DNS Lookup 127.0.0.1 localhost
Website Activity
One or more files with the name ZUMA.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1084 Port:22
- TCP:127.0.0.1:1085 Port:23
- TCP:127.0.0.1:1086 Port:24
- Port 25 IP:127.0.0.1
- TCP:127.0.0.1:1093 Port:26
- TCP:127.0.0.1:1094 Port:26
- TCP:127.0.0.1:1096 Port:26
- TCP:127.0.0.1:64001 Port:23
- TCP:127.0.0.1:64001 Port:24
- TCP:127.0.0.1:64001 Port:26
- TCP:127.0.0.1:64001 Port:26