MSMSGS.EXE

File Behavior

MSMSGS.EXE has been seen to perform the following behavior:

• The Process is packed and/or encrypted using a software packing process
• Adds a Registry Key (RUN) to auto start Programs on system start up
• Modifies Windows Security Policies to restrict/expand User Privileges on the machine
• Disables Access to the Task Manager built into Windows
• Disables Access to the Windows Registry Editior
• This process creates other processes on disk
• This Process Deletes Other Processes From Disk
• Can communicate with other computer systems using HTTP protocols
• Terminates Processes
• Registers a Dynamic Link Library File
• The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
• Executes a Process
• Creates a TCP port which listens and is available for communication initiated by other computers
• Makes outbound connections to other computers using NETBIOSOUT protocols
• Can communicate with other computers using TCP protocols
• Reads your outlook address book
• Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
• Uses DNS to retrieve the IP address for web sites
• Looks at the contents of the autoexec.bat file
• Reads email address and phone book details
• Visits web sites on your PC without you knowing
• Disables safe mode on your PC
• Creates system tray popups, messages, errors and security warnings
• This Process looks to see what security products and services are running on the system
• Disables or impairs the normal operation of the Windows Security Center
• Copies files
• Uses backdoor interfaces to certain security applications
• Checks for the use of debuggers
• Includes file creation code which could be used to test for interception by security products
• This Process is a file infector which modifies program files to include a copy of the infection
• Writes to another Process's Virtual Memory (Process Hijacking)
• Changes the Windows Security Center to stop Antivirus status alerts from being displayed
• Changes the Windows Security Center to stop Firewall status alerts from being displayed
• Changes the Windows Security Center to stop Firewall override alerts from being displayed
• Changes the Windows Security Center to stop warnings from being displayed if automatic Windows Updates are not enabled
• Injects code into other processes
• Performs DNS look ups to resolve URL IP addresses
• Creates a new Background Service on the machine

MSMSGS.EXE has been the subject of the following behavior:

• Created as a process on disk
• Executed as a Process
• Added as a Registry auto start to load Program on Boot up
• Deleted as a process from disk
• The process is hooked into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
• Enabled as a COM Object/Server on the Local Machine
• Terminated as a Process
• Has code inserted into its Virtual Memory space by other programs
• Executed by Internet Explorer
• Registered as a Dynamic Link Library File
• This process has been seen to have code injected by malicious programs
• Created by processes which appear to be checking for interception by security products
• Created as a new Background Service on the machine
• Copied to multiple locations on the system