Prevx Research Division
E-CARD.EXE
WormFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove E-CARD.EXE.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The unsafe files using this name are associated with the malware group:
- Worm
File Behavior
E-CARD.EXE has been seen to perform the following behavior:
- The Process is polymorphic and can change its structure
- Found on infected systems and resists interrogation by security products
- Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
- This process creates other processes on disk
- Executes Processes stored in Temporary Folders
- Writes to another Process's Virtual Memory (Process Hijacking)
- This Process Deletes Other Processes From Disk
- Violates Windows/Vista Physical Memory Protection allowing it to look inside the data areas of other programs
- Can communicate with other computer systems using HTTP protocols
- Executes a Process
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Sends email using SMTP protocols
- Reads your outlook address book
- This Process looks to see what security products and services are running on the system
- Sends mail without telling you
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Uses DNS to retrieve the IP address for web sites
- Uses reverse DNS to retrieve the host names on IP addresses
E-CARD.EXE has been the subject of the following behavior:
- Created as a process on disk
- Deleted as a process from disk
- Executed from Temporary Folders
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Added as a Registry auto start to load Program on Boot up
- Copied to multiple locations on the system
- Created as a new Background Service on the machine
Country Of Origin
The filename E-CARD.EXE was first seen on Dec 5 2007 in the following geographical regions of the Webroot community:
- The United States on Dec 5 2007
- The United Kingdom on Dec 5 2007
- Spain on Feb 25 2009
- Vietnam on Jan 5 2012
Filesizes
The following file size has been seen:
- 218,624 bytes
- 299,008 bytes
- 2,294,160 bytes
File Type
The filename E-CARD.EXE refers to many versions of an executable program.
File Activity
One or more files with the name E-CARD.EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\windows\system32\javafx.exe
- Deletes c:\windows\system32\javafx.exe
- Creates c:\windows\system32\netbeans.exe
- Opens/modifes c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\pls26.tmp
- Deletes c:\docume~1\user\locals~1\temp\pls26.tmp
- Deletes c:\windows\system32\vatotosa.dll
- Deletes c:\windows\system32\lerajune.dll
- Deletes c:\windows\system32\wumugaka.dll
- Deletes c:\windows\system32\jipanidi.dll
Network Activity
One or more files with the name E-CARD.EXE performs the following network events:
- DNS Lookup72.233.89.199 www.whatismyip.com
- DNS Lookup193.0.0.135 whois.ripe.net
- DNS Lookup209.85.219.30 gmail-smtp-in.l.google.com
- DNS Lookup72.14.221.27 alt1.gmail-smtp-in.l.google.com
- DNS Lookup74.125.93.27 alt2.gmail-smtp-in.l.google.com
- DNS get host 87.115.78.65
- DNS name server5.12.43.103
Website Activity
One or more files with the name E-CARD.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- Port 80 IP:72.233.89.199
- TCP:193.0.0.135:43 Port:14
- TCP:209.85.219.30:25 Port:18
- TCP:72.14.221.27:25 Port:17
- TCP:74.125.93.27:25 Port:18
- TCP:85.12.43.103:53 Port:5
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.