SERVER.EXE, Prevx

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

System Back Door
Cloaked Malware
Malicious Software

File Behavior

SERVER.EXE has been seen to perform the following behavior:

The Process is packed and/or encrypted using a software packing process
Writes to another Process's Virtual Memory (Process Hijacking)
The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Executes a Process
Adds a Registry Key (RUN) to auto start Programs on system start up
This Process Deletes Other Processes From Disk
Copies files
This process creates other processes on disk
Creates new folders on the system
Injects code into other processes
Performs DNS look ups to resolve URL IP addresses
Uses rootkit techniques to conceal its presence, interrogation or removal
Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
Can Send email using SMTP protocols
Communicates with other computers using FTP connections
This Process sends MIME Email
The Process can record information submitted over the Internet
This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
Changes to the file command map within the registry
Registers a Dynamic Link Library File
The Process is polymorphic and can change its structure
Creates a new Background Service on the machine
Drops known malicious software during execution
Found on infected systems and resists interrogation by security products
Adds a Registry Key (DXCOM) to auto start Programs on system start up
Modifies System Runtime Policies to limit system usability
Adds products to the system registry
Violates Windows/Vista Physical Memory Protection allowing it to look inside the data areas of other programs
Terminates Processes

SERVER.EXE has been the subject of the following behavior:

Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Executed as a Process
Has code inserted into its Virtual Memory space by other programs
The process is hooked into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Copied to multiple locations on the system
Created as a new Background Service on the machine
Deleted as a process from disk
Added as a Registry Key (DXCOM) to auto start Programs on system start up
Terminated as a Process
Registered as a Dynamic Link Library File

Country Of Origin

The filename SERVER.EXE was first seen on May 3 2007 in the following geographical regions of the Webroot community:

The United States on May 3 2007
Algeria on May 3 2007
Spain on May 28 2008
Germany on May 28 2008
Italy on Mar 10 2009
Taiwan on Mar 10 2009
Israel on Sep 27 2010
The United Kingdom on Sep 27 2010
Egypt on Feb 11 2012

File Name Aliases

SERVER.EXE can also use the following file names:

WINRAR-CRACK.EXE
WINDOWS SIDEBAR-CRACK.EXE
WINDOWS PORTABLE DEVICES-CRACK.EXE
WINDOWS PHOTO VIEWER-CRACK.EXE
WINDOWS NT-CRACK.EXE
WINDOWS MEDIA PLAYER-CRACK.EXE
WINDOWS MAIL-CRACK.EXE
WINDOWS LIVE SKYDRIVE-CRACK.EXE
WINDOWS LIVE-CRACK.EXE
WINDOWS JOURNAL-CRACK.EXE
WINDOWS DEFENDER-CRACK.EXE
WGP7-CRACK.EXE
VIDEOLAN-CRACK.EXE
UNINSTALL INFORMATION-CRACK.EXE
SKYPE-CRACK.EXE
SEAGATE-CRACK.EXE
REFERENCE ASSEMBLIES-CRACK.EXE
REALTEK-CRACK.EXE
REAL DESKTOP-CRACK.EXE
NATURA SOUND THERAPY-CRACK.EXE
MSXML 4.0-CRACK.EXE
MSBUILD-CRACK.EXE
MICROSOFT.NET-CRACK.EXE
MICROSOFT WORKS-CRACK.EXE
MICROSOFT VISUAL STUDIO 8-CRACK.EXE
MICROSOFT VISUAL STUDIO-CRACK.EXE
MICROSOFT OFFICE-CRACK.EXE
MICROSOFT GAMES-CRACK.EXE
MICROSOFT CAPICOM 2.1.0.2-CRACK.EXE
MICROSOFT-CRACK.EXE
KEYBOARD & MOUSE DRIVER-CRACK.EXE
INTERNET EXPLORER-CRACK.EXE
INTEL-CRACK.EXE
INSTALLSHIELD INSTALLATION INFORMATION-CRACK.EXE
HP-CRACK.EXE
GOOGLE-CRACK.EXE
FOLDER LOCK-CRACK.EXE
FDRLAB-CRACK.EXE
DVD MAKER-CRACK.EXE
DRIVER CHECKER-CRACK.EXE
DOWNLOADTOOLZ-CRACK.EXE
DAEMON TOOLS TOOLBAR-CRACK.EXE
DAEMON TOOLS LITE-CRACK.EXE
CYBERLINK-CRACK.EXE
COMMON FILES-CRACK.EXE
AVS4YOU-CRACK.EXE
ADOBE-CRACK.EXE
YEAHBITSYSTEMKEEPPRO-CRACK.EXE
TEAMVIEWERPORTABLE-CRACK.EXE
PS3 MEDIA SERVER-CRACK.EXE
MP3TAG-CRACK.EXE
JAVA-CRACK.EXE
EMDB-CRACK.EXE
COLLECTORZ.COM-CRACK.EXE
RAYV-CRACK.EXE
ROEIBAJAYO-CRACK.EXE
SUPER INTERNET TV-CRACK.EXE
DESKSPACE-CRACK.EXE
MAKO_LIVE-CRACK.EXE
FEEDBACK TOOL-CRACK.EXE
CONDUIT-CRACK.EXE
PREVX-CRACK.EXE
WINADMIN-SETUP.EXE
STUB ORIGINAL.EXE
UNFO.EXE
SERVER..EXE
SERVER(n).EXE
SERVER_ORIGINAL.EXE
السيرفر اللى هيتم التشفير عليهSERVER.EXE
سيرفر بيفروست خام 1.2.1D.EXE
SERVER1.EXE
EGYPTE.EXE
CRYPTED.EXE
DRJO2022DR.EXE
TASF7577TA.EXE
QMMF6390QM.EXE
GUKD3044GU.EXE
CGFC1857CG.EXE
FIQP2614FI.EXE
SQZJ7150SQ.EXE
YHUF9457YH.EXE
BHZX1410BH.EXE
LKHX4968LK.EXE
HLOP3551HL.EXE
LNMU4690LN.EXE
USXJ8086US.EXE
DQXJ2184DQ.EXE
PLXL6355PL.EXE
FIHR2881FI.EXE
POOR6080PO.EXE
DTLG2025DT.EXE
LKJF4851LK.EXE
YEZU9434YE.EXE
MCYN5140MC.EXE
XIPO8938XI.EXE
KCFD4522KC.EXE
RSLR6905RS.EXE
NQNL5592NQ.EXE
FUSH2860FU.EXE
YUIN9440YU.EXE
VLYL8314VL.EXE
KTJL4422KT.EXE
AYSR1105AY.EXE
PJKV6248PJ.EXE
GLPR3084GL.EXE
JWDM4214JW.EXE
OCOQ5910OC.EXE
FLYV2899FL.EXE
LPXG4941LP.EXE
PRJK6296PR.EXE
SFQT7366SF.EXE
BOYV1357BO.EXE
NHIY5538NH.EXE
VYHX8364VY.EXE
PVJV6206PV.EXE
MHEV5019MH.EXE
UYDU7845UY.EXE
MUKZ5186MU.EXE
ZHPR9608ZH.EXE
QRSB6664QR.EXE
PQMP6262PQ.EXE
OPGD5860OP.EXE
LABD4673LA.EXE
TSZC7500TS.EXE
CKMR1545CK.EXE
P[TI6273P[.EXE
ZVJJ9782ZV.EXE
MQYS5052MQ.EXE
IBSS3865IB.EXE
MDEW5219MD.EXE
TURW7657TU.EXE
IDPM3614ID.EXE
HJLZ3428HJ.EXE
HLWA3275HL.EXE
WMDK8668WM.EXE
QPZV6385QP.EXE
QRHP6671QR.EXE
HKCU3501HK.EXE
SHDH7261SH.EXE
WWNJ8683WW.EXE
OVPE5743OV.EXE
FQQO2599FQ.EXE
LKPB4784LK.EXE
CTTL1840CT.EXE
BSNZ1438BS.EXE
WENG8749WE.EXE
CUKM1822CU.EXE
KYVG4546KY.EXE
TTRX7500TT.EXE
JMTS3997JM.EXE
TYRY7511TY.EXE
LLS[4695LL.EXE
EOBD2252EO.EXE
WOG[8719WO.EXE
FSKK2868FS.EXE
NDRP5491ND.EXE
RPKE7042RP.EXE
BORM1340BO.EXE
LFLE4667LF.EXE
GGDZ3051GG.EXE
BNFN1236BN.EXE
UZVU7948UZ.EXE
BNUV1334BN.EXE
LBXF4788LB.EXE
UIEF7988UI.EXE
CQWB1659CQ.EXE
ZPVW9755ZP.EXE
SNHH7184SN.EXE
BZJU1198BZ.EXE
PIIK6154PI.EXE
ORRT5698OR.EXE
AA[n].EXE
VS000000.EXE.EXE
UPD??.TMP.EXE
KEYGEN-SERIAL.EXE
AA[1].EXE
F.EXE
A.EXE
AA.EXE
TT.EXE
P001.EXE
©D00365.EXE
26500.EXE
82261958.EXE

Filesizes

The following file size has been seen:

375,296 bytes
107,521 bytes
32,256 bytes
382,371 bytes
270,848 bytes
94,208 bytes
393,216 bytes

File Type

The filename SERVER.EXE refers to many versions of an executable program.

File Activity

One or more files with the name SERVER.EXE creates, deletes, copies or moves the following files and folders:

Creates c:\verclsid.exe
Copies filec:\8240409.exe to c:\windows\system32\8240409.exe
Creates c:\windows\system32\noso.dll
Deletes c:\8240409.ex
Opens/modifes c:\autoexec.bat

Network Activity

One or more files with the name SERVER.EXE performs the following network events:

DNS Lookup121.29.176.109 fengkaikai.3322.org
DNS Lookup127.0.0.1 0
DNS Lookup go.microsoft.com
DNS Lookup64.4.52.189 go.microsoft.com
DNS Lookup runonce.msn.com
DNS Lookup65.55.119.20 runonce.msn.com
DNS Lookup m.webtrends.com
DNS Lookup63.88.212.184 m.webtrends.com

Website Activity

One or more files with the name SERVER.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

TCP:127.0.0.1:1070 Port:21
TCP:121.29.176.109:800 Port:2
TCP:121.29.176.109:800 Port:23
Port 80 IP:64.4.52.189
Port 25 IP:121.29.176.109
Port 80 IP:65.55.119.20
TCP:121.29.176.109:800 Port:27
TCP:121.29.176.109:800 Port:28
Port 80 IP:63.88.212.184
TCP:121.29.176.109:800 Port:30
TCP:121.29.176.109:800 Port:31
TCP:121.29.176.109:800 Port:31
TCP:121.29.176.109:800 Port:32
TCP:121.29.176.109:800 Port:32
TCP:121.29.176.109:800 Port:32
TCP:121.29.176.109:800 Port:33
TCP:121.29.176.109:800 Port:34
TCP:121.29.176.109:800 Port:28
TCP:121.29.176.109:800 Port:34

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

SERVER.EXE

Free PC Cleanup from Webroot