5.TMP, Prevx

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

Targeted Information Stealer
System Back Door
Cloaked Malware
Malicious Software
Malware Dropper

File Behavior

5.TMP has been seen to perform the following behavior:

The Process is packed and/or encrypted using a software packing process
Disables the built in Windows File Protection System
This process creates other processes on disk
This Process Deletes Other Processes From Disk
Writes to another Process's Virtual Memory (Process Hijacking)
Copies files
Injects code into other processes
Executes a Process
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Visits web sites on your PC without you knowing

5.TMP has been the subject of the following behavior:

Executed from Temporary Folders
Executed as a Process
Terminated as a Process
Created as a process on disk
Registered as a Dynamic Link Library File
Created as a new Background Service on the machine
Loaded and Executed as a System Driver File
Has code inserted into its Virtual Memory space by other programs
Added as a Registry auto start to load Program on Boot up
Copied to multiple locations on the system
Deleted as a process from disk

Country Of Origin

The filename 5.TMP was first seen on Jun 20 2007 in the following geographical regions of the Webroot community:

The United States on Jun 20 2007
Malaysia on Jun 25 2007
Poland on Jul 19 2007
Europe on Mar 13 2008
Spain on Mar 13 2008
Argentina on Apr 21 2010
The United Kingdom on Apr 21 2010
Mexico on Jun 6 2010
Turkey on Apr 26 2012

File Name Aliases

5.TMP can also use the following file names:

WIND32.EXE
N61[1].EXE
8.TMP
D.TMP
2.TMP
1.TMP
C.TMP
6.TMP
3.TMP
4.TMP
7.TMP
F.TMP
9.TMP
A.TMP
1F.TMP
23.TMP
27.TMP
28.TMP
29.TMP
2B.TMP
36.TMP
37.TMP
68.TMP
FB.TMP
13.TMP
3E.TMP
48.TMP
16.TMP
FE.TMP
A3.TMP
18.TMP
1D.TMP
12.TMP
1B.TMP
14.TMP
1C.TMP
10.TMP
11.TMP
34.TMP
15.TMP
AA.TMP
B8.TMP
41.TMP
40.TMP
22.TMP
100C.TMP
30F8.TMP
215.TMP
120.TMP
3A8.TMP
12E.TMP
7B5.TMP
848C.TMP
8491.TMP
465.TMP
91BE70EE.EXE

Filesizes

The following file size has been seen:

278,432 bytes
119,458 bytes
40,960 bytes
26,112 bytes
30,720 bytes
87,040 bytes
16,336 bytes
479,232 bytes

File Type

The filename 5.TMP is used by multiple object types including executable programs,Dynamic Link LIbraries,objects.

File Activity

One or more files with the name 5.TMP creates, deletes, copies or moves the following files and folders:

Deletes c:\windows\system32\wind32.exe
Opens/modifes c:\autoexec.bat
Deletes c:\windows\system32\dllgh8jkd1q8.exe
Deletes c:\docume~1\user\locals~1\temp\1.dll
Deletes c:\windows\system32\dllgh8jkd1q1.exe
Copies filec:\docume~1\user\locals~1\temp\1.dll to c:\windows\system32\dllgh8jkd1q1.exe
Deletes c:\docume~1\user\locals~1\temp\2.dll
Deletes c:\windows\system32\dllgh8jkd1q2.exe
Copies filec:\docume~1\user\locals~1\temp\2.dll to c:\windows\system32\dllgh8jkd1q2.exe
Deletes c:\docume~1\user\locals~1\temp\5.dll
Deletes c:\windows\system32\dllgh8jkd1q5.exe
Copies filec:\docume~1\user\locals~1\temp\5.dll to c:\windows\system32\dllgh8jkd1q5.exe
Deletes c:\docume~1\user\locals~1\temp\6.dll
Deletes c:\windows\system32\dllgh8jkd1q6.exe
Copies filec:\docume~1\user\locals~1\temp\6.dll to c:\windows\system32\dllgh8jkd1q6.exe
Deletes c:\docume~1\user\locals~1\temp\7.dll
Deletes c:\windows\system32\dllgh8jkd1q7.exe
Copies filec:\docume~1\user\locals~1\temp\7.dll to c:\windows\system32\dllgh8jkd1q7.exe
Copies filec:\windows\system32\dllgh8jkd1q2.exe to c:\windows\xpupdate.exe
Deletes c:\docume~1\user\locals~1\temp\v3xd1.g22
Deletes c:\windows\system32\vedxga4me1.exe
Copies filec:\docume~1\user\locals~1\temp\v3xd1.g22 to c:\windows\system32\vedxga4me1.exe
Deletes c:\docume~1\user\locals~1\temp\v5xd2.g3a
Deletes c:\windows\system32\vedxga3me2.exe
Copies filec:\docume~1\user\locals~1\temp\v5xd2.g3a to c:\windows\system32\vedxga3me2.exe
Deletes c:\docume~1\user\locals~1\temp\v4xd3.ga2
Deletes c:\windows\system32\vedxga5me3.exe
Copies filec:\docume~1\user\locals~1\temp\v4xd3.ga2 to c:\windows\system32\vedxga5me3.exe
Deletes c:\docume~1\user\locals~1\temp\v5xd4.ga2
Deletes c:\windows\system32\vedxg6ame4.exe
Copies filec:\docume~1\user\locals~1\temp\v5xd4.ga2 to c:\windows\system32\vedxg6ame4.exe
Deletes c:\docume~1\user\locals~1\temp\v4xd6.gam
Deletes c:\windows\system32\vedxga8me6.exe
Copies filec:\docume~1\user\locals~1\temp\v4xd6.gam to c:\windows\system32\vedxga8me6.exe
Deletes c:\docume~1\user\locals~1\temp\vx1dt1.gam
Deletes c:\windows\system32\vedxga1me4t1.exe
Copies filec:\docume~1\user\locals~1\temp\vx1dt1.gam to c:\windows\system32\vedxga1me4t1.exe
Deletes c:\docume~1\user\locals~1\temp\vx3dt2.gam
Deletes c:\windows\system32\vedxg4am1et2.exe
Copies filec:\docume~1\user\locals~1\temp\vx3dt2.gam to c:\windows\system32\vedxg4am1et2.exe
Deletes c:\docume~1\user\locals~1\temp\vx1dt3.gam
Deletes c:\windows\system32\vedxg3am1et3.exe
Copies filec:\docume~1\user\locals~1\temp\vx1dt3.gam to c:\windows\system32\vedxg3am1et3.exe
Deletes c:\docume~1\user\locals~1\temp\v6xdt4.gam
Deletes c:\windows\system32\vedxga4m1et4.exe
Copies filec:\docume~1\user\locals~1\temp\v6xdt4.gam to c:\windows\system32\vedxga4m1et4.exe
Deletes c:\windows\system32\maxpaynowti1.exe
Copies filec:\windows\system32\dllgh8jkd1q5.exe to c:\windows\system32\maxpaynowti1.exe
Deletes c:\docume~1\user\locals~1\temp\maxpaynowti.gam
Deletes c:\windows\system32\maxpaynowti.exe

Website Activity

One or more files with the name 5.TMP interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

try-count .net / adv / 167 / adload .php?a1=United States&a2=Type of Processor: PENTIUM PRO or PENTIUM II / III&a3=Windows version is 5 .1&a4=Build: 2600, Platform ID: 2&a5=notoutpost&table=adv167
try-count .net / qwertyuiyw12ertyuytre / adv167 .php?adv=167&code1=INLF&code2=2133&code3=91D78E218F063!HA
TCP:127.0.0.1:1075 Port:19
Port 80 IP:77.91.229.38
Port 80 IP:69.50.175.181
Port 80 IP:85.255.120.10

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

5.TMP

Free PC Cleanup from Webroot