Associated Malware Groups
Unsafe files using this name are associated with the following malware groups:
- Malware Dropper
- Cloaked Malware
- Malware Downloader
File Behavior
WEBSOFTCODECDRIVERN[n].EXE has been seen to perform the following behavior:
- Executes a Process
- Copies files
- Registers a Dynamic Link Library File
- Executes a process using Internet Explorer
- Enables an In Process Object/Server - Common with DLL Injections
- This Process Creates Other Processes On Disk
- This Process Deletes Other Processes From Disk
- Creates new folders in the file system
WEBSOFTCODECDRIVERN[n].EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
- Downloaded from covert web sites without the user knowing
- Terminated as a Process
Country Of Origin
The filename WEBSOFTCODECDRIVERN[n].EXE was first seen on Jun 8 2008 in the following geographical regions of the Prevx community:
- SPAIN on Jun 8 2008
- The UNITED KINGDOM on Jun 8 2008
- The EUROPEAN UNION on Sep 28 2008
- FRANCE on Sep 29 2008
File Name Aliases
WEBSOFTCODECDRIVERN[n].EXE can also use the following file names:
- T13.PHP
- 01C921819D83F1C0_T13_PHP.PE
- WEBSOFTCODECDRIVERN.0629-20.EXE
- MEDIA.PHP
- WEBSOFTCODECDRIVERN[1].EXE
- 61672693.DAT
- WEBSOFTCODECDRIVERN.0628-08.EXE
- 68147679.DAT
Filesizes
The following file sizes have been seen:
- 373,922 bytes
- 290,628 bytes
- 126,976 bytes
- 34,816 bytes
- 53,248 bytes
- 310,401 bytes
Vendor, Product and Version Information
These files have no vendor, product or version information specified in the file header.
File Type
The filename WEBSOFTCODECDRIVERN[n].EXE refers to many versions of an executable program.
File Activity
One or more files with the name WEBSOFTCODECDRIVERN[n].EXE create, delete, copy or move the following files and folders. The ns*.tmp folders and the System.dll and blowfish_d.dll plugins dropped under %TEMP% are consistent with an NSIS-built installer; the randomly named executables and DLLs staged in the ac8zt2 folder are then copied into c:\windows itself rather than into system32, and the staging copies are deleted:
- Creates c:\docume~1\user\locals~1\temp\ac8zt2\cscript.exe
- Deletes c:\docume~1\user\locals~1\temp\nsw7.tmp
- Creates c:\docume~1\user\locals~1\temp\nsw9.tmp
- Deletes c:\docume~1\user\locals~1\temp\nsmB.tmp
- Creates c:\docume~1\user\locals~1\temp\nsmb.tmp\blowfish_d.dll
- Creates c:\docume~1\user\locals~1\temp\ac8zt2\onfwbsak.dll
- Creates c:\docume~1\user\locals~1\temp\ac8zt2\dfmlxbpkqfv.dll
- Creates c:\docume~1\user\locals~1\temp\ac8zt2\efpe.exe
- Creates c:\docume~1\user\locals~1\temp\ac8zt2\fbxrqtwn.exe
- Creates c:\docume~1\user\locals~1\temp\ac8zt2\peltodgx.dll
- Creates c:\docume~1\user\locals~1\temp\ac8zt2\install.bat
- Creates c:\docume~1\user\locals~1\temp\ac8zt2\rwlfsdmk.dll
- Deletes c:\docume~1\user\locals~1\temp\ac8zt2\dfmlxbpkqfv.dll
- Deletes c:\docume~1\user\locals~1\temp\ac8zt2\efpe.exe
- Deletes c:\docume~1\user\locals~1\temp\ac8zt2\fbxrqtwn.exe
- Deletes c:\docume~1\user\locals~1\temp\ac8zt2\install.bat
- Deletes c:\docume~1\user\locals~1\temp\ac8zt2\onfwbsak.dll
- Deletes c:\docume~1\user\locals~1\temp\ac8zt2\peltodgx.dll
- Deletes c:\docume~1\user\locals~1\temp\ac8zt2\rwlfsdmk.dll
- Creates c:\docume~1\user\locals~1\temp\nsmb.tmp\System.dll
- Deletes c:\docume~1\user\locals~1\temp\nsx24.tmp
- Creates c:\docume~1\user\locals~1\temp\nsx24.tmp
- Deletes c:\docume~1\user\locals~1\temp\nsmb.tmp\blowfish_d.dll
- Deletes c:\docume~1\user\locals~1\temp\nsmb.tmp\System.dll
- Creates c:\windows\cscript.exe
- Copies file c:\docume~1\user\locals~1\temp\ac8zt2\efpe.exe to c:\windows\efpe.exe
- Copies file c:\docume~1\user\locals~1\temp\ac8zt2\onfwbsak.dll to c:\windows\onfwbsak.dll
- Copies file c:\docume~1\user\locals~1\temp\ac8zt2\fbxrqtwn.exe to c:\windows\fbxrqtwn.exe
- Copies file c:\docume~1\user\locals~1\temp\ac8zt2\dfmlxbpkqfv.dll to c:\windows\dfmlxbpkqfv.dll
- Copies file c:\docume~1\user\locals~1\temp\ac8zt2\peltodgx.dll to c:\windows\peltodgx.dll
- Copies file c:\docume~1\user\locals~1\temp\ac8zt2\rwlfsdmk.dll to c:\windows\rwlfsdmk.dll
- Deletes c:\docume~1\user\locals~1\temp\NSX24T~1.BA
Registry Activity
One or more files with the name WEBSOFTCODECDRIVERN[n].EXE create or modify the following registry values. ShellServiceObjectDelayLoad is a persistence point: explorer.exe instantiates every CLSID listed under this key when the shell starts, which loads the DLL named by that CLSID's InProcServer32 registration into the Explorer process. This is the mechanism behind the "in process object/server" and code-injection behavior listed above, and the value names match two of the DLLs copied into c:\windows:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad rwlfsdmk {7E59A41A-CB42-44AA-B7B4-3BDA6314E410}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad onfwbsak {B6A3BB17-5E05-4A72-BA03-9CC602748E4E}
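A triage script for the persistence mechanism described above, added here as an example and not part of the Prevx page or any vendor tool. It scores ShellServiceObjectDelayLoad values from an exported registry snapshot on three signals this page exhibits: a CLSID absent from a known-good baseline, an InProcServer32 DLL sitting directly in the Windows directory, and machine-generated names such as rwlfsdmk and onfwbsak. The snapshot is constructed from the two value names and CLSIDs listed above plus a clean WebCheck entry for contrast; the CLSID to InProcServer32 mapping for the two malicious entries is an assumption (the page records the DLL copies into c:\windows, not the CLSID registration), and the known-good allowlist is illustrative rather than an authoritative Microsoft list.

```python
"""Triage ShellServiceObjectDelayLoad (SSODL) persistence entries.

Added example, not code from the Prevx page or any vendor tool. Works on an
exported snapshot so it runs offline; on a live host the same fields would be
read from the SSODL key and each CLSID's InProcServer32 default value.
"""
import ntpath
from dataclasses import dataclass

SSODL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Explorer instantiates every CLSID under SSODL at shell start, so a clean host
# carries only a few Microsoft entries. Assumption: this allowlist is
# illustrative; build the real one from a known-clean baseline image.
KNOWN_GOOD_CLSIDS = {
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",  # WebCheck
    "{7849596A-48EA-486E-8937-A2A3009F31A9}",  # PostBootReminder
}

VOWELS = set("aeiouy")


@dataclass(frozen=True)
class SsodlEntry:
    name: str    # value name under the SSODL key
    clsid: str   # REG_SZ data: the CLSID Explorer will CoCreateInstance
    server: str  # default value of HKCR\CLSID\<clsid>\InProcServer32, "" if missing


def longest_consonant_run(word: str) -> int:
    """Length of the longest run of consonants in an ASCII word."""
    best = run = 0
    for ch in word.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name: str) -> bool:
    """Heuristic for generated names such as rwlfsdmk or dfmlxbpkqfv: an
    alphabetic stem of six or more letters with a consonant run of four or more."""
    stem = ntpath.splitext(ntpath.basename(name))[0]
    return len(stem) >= 6 and stem.isalpha() and longest_consonant_run(stem) >= 4


def in_windows_root(path: str, system_root: str = r"c:\windows") -> bool:
    """True when the DLL sits directly in the Windows directory rather than in
    System32; legitimate shell service objects are not installed there."""
    norm = ntpath.normpath(path.strip('"').lower().replace("%systemroot%", system_root))
    return ntpath.dirname(norm) == ntpath.normpath(system_root.lower())


def triage(entries) -> dict:
    """Return {value name: [reasons]} for every SSODL entry worth a closer look."""
    findings = {}
    for e in entries:
        reasons = []
        if e.clsid.upper() not in KNOWN_GOOD_CLSIDS:
            reasons.append("CLSID not in known-good baseline")
        if not e.server:
            reasons.append("CLSID has no InProcServer32 (dangling or hidden registration)")
        else:
            if in_windows_root(e.server):
                reasons.append("InProcServer32 DLL lives directly in %SystemRoot%")
            if looks_random(e.server):
                reasons.append("DLL name looks machine-generated")
        if looks_random(e.name):
            reasons.append("value name looks machine-generated")
        if reasons:
            findings[e.name] = reasons
    return findings


# Constructed snapshot: the two SSODL values and CLSIDs from the page plus a
# clean WebCheck entry. The InProcServer32 paths of the two malicious CLSIDs are
# assumed to be the DLLs the dropper copied into c:\windows.
SAMPLE_SNAPSHOT = [
    SsodlEntry("WebCheck", "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",
               r"%SystemRoot%\system32\webcheck.dll"),
    SsodlEntry("rwlfsdmk", "{7E59A41A-CB42-44AA-B7B4-3BDA6314E410}",
               r"C:\WINDOWS\rwlfsdmk.dll"),
    SsodlEntry("onfwbsak", "{B6A3BB17-5E05-4A72-BA03-9CC602748E4E}",
               r"C:\WINDOWS\onfwbsak.dll"),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SNAPSHOT).items():
        print(f"{SSODL_KEY}\\{name}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the constructed snapshot only the two Prevx-listed values are reported, each with all four reasons, while WebCheck passes every check. The name heuristic is deliberately coarse: treat it as a prioritisation aid over an Autoruns or registry export, not as a verdict, and confirm a hit by checking whether the referenced DLL carries vendor and version information (the samples described on this page carry none) and by hashing it.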