Associated Malware Groups
The filename is associated with the malware groups:
- Malware Dropper
- Cloaked Malware
- System Back Door
- Worm
- Malicious Software
File Behavior
IEXPLORE.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Executes a Process
- This process creates other processes on disk
- Copies files
- Registers a Dynamic Link Library File
- Creates a new Background Service on the machine
- Looks at the contents of the autoexec.bat file
- Drops known malicious software during execution
- Reads email address and phone book details
- Includes file creation code which could be used to test for interception by security products
- Visits web sites on your PC without you knowing
- Writes to another Process's Virtual Memory (Process Hijacking)
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Creates a TCP port which listens and is available for communication initiated by other computers
- Makes outbound connections to other computers using NETBIOSOUT protocols
- Uses DNS to retrieve the IP address for web sites
- Uses your PC to connect to Chat rooms
- Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
- This Process Deletes Other Processes From Disk
- Can communicate with other computer systems using HTTP protocols
- Sends email using SMTP protocols
- Can examine and send Email using POP3 protocols
- Opens browser pop ups
- The Process is polymorphic and can change its structure
- This Process is a file infector which modifies program files to include a copy of the infection
- Found on infected systems and resists interrogation by security products
- Blocks a selection of utility programs from running on the machine
- Modifies System Runtime Policies to limit system usability
- Can Send email using SMTP protocols
- This Process sends MIME Email
- This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
IEXPLORE.EXE has been the subject of the following behavior:
- Added as a Registry auto start to load Program on Boot up
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Created as a process on disk
- Terminated as a Process
- Copied to multiple locations on the system
- Registered as a Dynamic Link Library File
- Created as a new Background Service on the machine
- Deleted as a process from disk
Country Of Origin
The filename IEXPLORE.EXE was first seen on May 17 2007 in the following geographical regions of the Prevx community:
- The UNITED STATES on May 17 2007
- BULGARIA on May 17 2007
- SPAIN on Nov 7 2007
- BELGIUM on Nov 7 2007
- SLOVENIA on May 7 2008
- The UNITED KINGDOM on May 7 2008
Filesizes
The following file sizes have been seen:
- 10,240 bytes
- 125,440 bytes
- 46,080 bytes
- 89,088 bytes
- 131,072 bytes
- 48,128 bytes
- 87,040 bytes
- 502,272 bytes
- 326,656 bytes
File Type
The filename IEXPLORE.EXE refers to many versions of an executable program.
File Activity
One or more files with the name IEXPLORE.EXE creates, deletes, copies or moves the following files and folders:
- Opens/modifies c:\autoexec.bat
- Creates c:\yyutnu.exe
- Copies file c:\yyutnu.exe to c:\lsass.exe
- Creates c:\yyutnu.exe
- Creates c:\lsass.exe
- Creates c:\docume~1\user\locals~1\temp\bd56_appcompat.txt
- Creates c:\docume~1\user\locals~1\temp\1BD6F.dmp
- Creates c:\docume~1\user\locals~1\temp\c1c2_appcompat.txt
- Creates c:\docume~1\user\locals~1\temp\1D01C.dmp
- Creates c:\3801091.bat
- Deletes c:\jbmiye.exe
- Deletes c:\3801091.bat
- Copies file c:\windows\system32\drivers\beep.sys to c:\docume~1\user\locals~1\temp\31.tmp
- Creates c:\windows\system32\drivers\beep.sys
- Copies file c:\docume~1\user\locals~1\temp\31.tmp to c:\windows\system32\drivers\beep.sys
- Deletes c:\docume~1\user\locals~1\temp\31.tmp
- Copies file c:\windows\system32\drivers\null.sys to c:\docume~1\user\locals~1\temp\36.tmp
- Creates c:\windows\system32\drivers\null.sys
- Copies file c:\docume~1\user\locals~1\temp\36.tmp to c:\windows\system32\drivers\null.sys
- Deletes c:\docume~1\user\locals~1\temp\36.tmp
- Creates c:\windows\system32\drivers\glaide32.sys
- Deletes c:\lbgbwdd.exe
- Moves c:\lbgbwdd.exe to c:\docume~1\user\locals~1\temp\3C.tmp
Network Activity
One or more files with the name IEXPLORE.EXE performs the following network events:
- DNS Lookup 94.54.11.148
- DNS Lookup 69.120.174.227
- DNS Lookup 82.241.222.28
- DNS Lookup 77.239.49.45
- DNS Lookup 190.79.167.55
- DNS Lookup 74.210.52.96
- DNS Lookup 85.255.181.33
- DNS Lookup 222.116.192.164
- DNS Lookup 24.72.116.182
- DNS Lookup 89.137.103.244
- DNS Lookup 89.134.255.50
- DNS Lookup 99.227.101.59
- DNS Lookup 122.43.123.89
- DNS Lookup 76.73.140.210
- DNS Lookup 190.37.32.47
- DNS Lookup 83.80.220.222
- DNS Lookup 89.136.51.138
- DNS Lookup 95.95.210.253
- DNS Lookup 212.186.51.220
- DNS Lookup 186.83.167.66
- DNS Lookup 71.199.166.160
- DNS Lookup 217.52.75.232
- DNS Lookup 200.116.31.69
- DNS Lookup 72.39.246.114
- DNS Lookup 82.231.119.31
- DNS Lookup 190.229.3.219
- DNS Lookup 89.41.14.35
- DNS Lookup 88.213.204.73
- DNS Lookup 124.125.159.250
- DNS Lookup 201.27.115.214
- DNS Lookup 59.27.231.244
- DNS Lookup 94.54.223.108
- DNS Lookup 84.201.203.233
- DNS Lookup 190.84.96.72
- DNS Lookup 123.238.23.17
- DNS Lookup 81.215.192.60
- DNS Lookup 84.127.209.221
- DNS Lookup 122.40.5.18
- DNS Lookup 41.201.58.5
- DNS Lookup 80.167.201.12
- DNS Lookup 121.150.124.215
- DNS Lookup 211.238.94.245
- DNS Lookup 80.193.159.169
- DNS Lookup 190.39.67.38
- DNS Lookup 77.124.81.39
- DNS Lookup 94.21.45.140
- DNS Lookup 201.37.9.192
- DNS Lookup 190.49.54.66
- DNS Lookup 89.137.155.183
- DNS Lookup 71.80.203.21
Website Activity
One or more files with the name IEXPLORE.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- cgymwmlcaa .com / progs / jokkl / eoooocccpd .php?adv=adv740
- cgymwmlcaa .com / progs / jokkl / bxyyyyl .php
- cgymwmlcaa .com / progs / jokkl / liivvwf .php
- cgymwmlcaa .com / progs / jokkl / aqmznana .php
- cgymwmlcaa .com / progs / jokkl / dzzaaanxkx .php
- cgymwmlcaa .com / progs / jokkl / vrrsfssgt .php
- cgymwmlcaa .com / progs / jokkl / qmzhr .php
- cgymwmlcaa .com / progs / jokkl / cclmmmzmna
- cgymwmlcaa .com / progs / jokkl / hhrrre .php?adv=adv740&code1=LUK0&code2=2805&id=1556418453&p=0
- Port 80 IP:195.2.253.247
- TCP:94.54.11.148:3128 Port:20
- TCP:82.241.222.28:3128 Port:20
- TCP:69.120.174.227:3128 Port:20
- TCP:190.79.167.55:3128 Port:21
- TCP:74.210.52.96:3128 Port:21
- TCP:85.255.181.33:3128 Port:21
- TCP:77.239.49.45:3128 Port:19
- TCP:89.137.103.244:3128 Port:20
- TCP:95.76.54.142:3128 Port:20
- TCP:83.80.220.222:3128 Port:20
- TCP:99.227.101.59:3128 Port:20
- TCP:124.125.159.250:3128 Port:20
- TCP:76.73.140.210:3128 Port:20
- TCP:222.116.192.164:3128 Port:21
- TCP:94.54.223.108:3128 Port:19
- TCP:59.27.231.244:3128 Port:21
- TCP:80.167.201.12:3128 Port:21
- TCP:72.39.246.114:3128 Port:19
- TCP:89.41.14.35:3128 Port:20
- TCP:186.83.167.66:3128 Port:19
- TCP:24.72.116.182:3128 Port:20
- TCP:95.95.210.253:3128 Port:20
- TCP:71.199.166.160:3128 Port:20
- TCP:77.239.49.45:3128 Port:20
- TCP:89.136.51.138:3128 Port:20
- TCP:84.201.203.233:3128 Port:20
- TCP:212.186.51.220:3128 Port:20
- TCP:82.241.222.28:3128 Port:20
- TCP:190.37.32.47:3128 Port:21
- TCP:122.40.5.18:3128 Port:21
- TCP:84.127.209.221:3128 Port:21
- TCP:123.238.23.17:3128 Port:21
- TCP:88.213.204.73:3128 Port:21
- TCP:201.27.115.214:3128 Port:21
- TCP:81.215.192.60:3128 Port:21
- TCP:190.84.96.72:3128 Port:20
- TCP:94.54.11.148:3128 Port:20
- TCP:121.150.124.215:3128 Port:21
- TCP:200.116.31.69:3128 Port:19
- TCP:217.52.75.232:3128 Port:20