PRODUCT.HTM.PIF (Derivative 1688581085), Prevx

Associated Malware Groups

The filename is associated with the malware groups:

Cloaked Malware
Malicious Software
Worm

File Behavior

PRODUCT.HTM.PIF has been seen to perform the following behavior:

The Process is packed and/or encrypted using a software packing process
Writes to another Process's Virtual Memory (Process Hijacking)
Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission
Disables the Notification Balloon for the Windows Security Center
This process creates other processes on disk
Adds a Registry Key (RUN) to auto start Programs on system start up
Disables the Windows Security Center Service
Executes a Process
This Process Deletes Other Processes From Disk
Sends email using SMTP protocols
Can communicate with other computer systems using HTTP protocols
Registers a Dynamic Link Library File
Copies files
Changes the Windows Security Center to stop Firewall status alerts from being displayed
Changes the Windows Security Center to stop Firewall override alerts from being displayed
Creates a new Background Service on the machine
Injects code into other processes
Performs DNS look ups to resolve URL IP addresses
Found on infected systems and resists interrogation by security products
Ability to execute files automatically on your PC
Disables Windows Automatic Updates including Security Updates and Patches
Modifies Windows Security Policies to restrict/expand User Privileges on the machine
Adds a Link in the Start Menu
Hooks the WININET.DLL function allowing it to read or copy Http and Https web page content and session information
Creates new folders on the system
Sets processes to start during user logon
Changes the Windows Security Center to stop Antivirus status alerts from being displayed
Changes the Windows Security Center to stop the Firewall from alerting to a new program trying to access the Internet
Changes the Windows Security Center to stop warnings from being displayed if automatic Windows Updates are not enabled
Makes outbound connections to other computers using NETBIOSOUT protocols
Loads and Executes a System Driver File
Terminates Processes
Creates a TCP port which listens and is available for communication initiated by other computers
Tries to change the registry settings of Prevx security products
Executes Processes stored in Temporary Folders
Enables Access to the Remote Registry Service Within Windows
Can Send email using SMTP protocols
This Process sends MIME Email
This Process can access Web Mail Servers

PRODUCT.HTM.PIF has been the subject of the following behavior:

Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Executed as a Process
Has code inserted into its Virtual Memory space by other programs
Deleted as a process from disk
Terminated as a Process
Registered as a Dynamic Link Library File
Copied to multiple locations on the system
Added as a Link in the Start Menu

Country Of Origin

The filename PRODUCT.HTM.PIF was first seen on May 3 2007 in the following geographical regions of the Webroot community:

Ireland on May 3 2007
on May 3 2007
Spain on May 8 2007
Belgium on Jun 24 2007
Iran, Islamic Republic of on Nov 11 2007
Italy on Apr 19 2010
South Africa on Aug 26 2010
The United Kingdom on Aug 26 2010
Turkey on May 24 2012

File Name Aliases

PRODUCT.HTM.PIF can also use the following file names:

SERVICES.EXE
DRWEB.EXE
WIN.EXE
TASKMGR.EXE
SMSS.EXE
SYSTEM.EXE
CSRSS.EXE
SPOOLSV.EXE
HEXDUMP.EXE
INSTALL.EXE
LOGIN.EXE
WINAMP.EXE
NVSVC32.EXE
MDM.EXE
WINLOGON.EXE
SYSEDIT.EXE
IEXPLARER.EXE
MSMGM.EXE
DEBUG.EXE
AVP.EXE
SVCHOST.EXE
LSASS.EXE
USER.EXE
AVP32.EXE
CMD.EXE
WIN32.EXE
TASKMGR .EXE
MSMGM .EXE
NVSVC32 .EXE
WINAMP .EXE
DRWEB .EXE
SETUP .EXE
CSRSS .EXE
SYSTEM .EXE
AVP .EXE
LOGIN .EXE
MDM .EXE
SMSS .EXE
WININST .EXE
AVP32 .EXE
TASKMGR .EXE
GDI32.EXE
SETUP.EXE
DEBUG .EXE
GDI32 .EXE
WIN32 .EXE
AVP .EXE
SVCHOST .EXE
SYSEDIT .EXE
SETUP .EXE
WININST.EXE
SYSMGM.EXE
AVP327 (1).EXE
AVP327.EXE
SETUP (1).EXE
SYSEDIT (1).EXE
SYSTEM (1).EXE
TASKMGR (1).EXE
TASKMGR2 (1).EXE
TASKMGR2.EXE
WIN16.EXE
WINAMP (1).EXE
SERVICES .EXE
KLAASIFULL.EXE
WINWORD.EXE
ADOBE GAMMA LOADER.COM
W3NETSKB.VXE
EMAIL-WORM.WIN32.NETSKY.EXE
MSG.PIF
JOKES.RTF.EXE
ATTACHMENT.RTF.EXE
STORY.EXE
I-WORM.MOODOWN.B.COM
NOTE.RTF.PIF
WORM.SOMEFOOL.GEN-2.SCR
WINXP_CRACK.EXE
STORY.SCR
ATTACHMENT.RTF.SCR
ABOUTYOU.COM
BILL.SCR
CONCERT.DOC.EXE
CONCERT.DOC.PIF
DISCO.DOC.SCR
DISCO.PIF
DISCO.TXT.EXE
DOC.RTF.PIF
DOC.SCR
DOCUMENT.TXT.COM
FINAL.PIF
FOUND.COM
FOUND.DOC.COM
FRIEND.DOC.COM
INFORMATION.EXE
LOCATION.PIF
LOCATION.RTF.PIF
LOCATION.RTF.SCR
MAILS.PIF
MAILS.RTF.COM
MAILS.SCR
ME.TXT.EXE
NOMONEY.HTM.PIF
NOMONEY.PIF
NOMONEY.TXT.EXE
NOTE.TXT.COM
OBJECT.DOC.SCR
OBJECT.EXE
OBJECT.PIF
OBJECT.RTF.EXE
PART2.PIF
PARTY.PIF
POSTING.EXE
POSTING.PIF
POSTING.SCR
PS.DOC.COM
PS.DOC.PIF
PS.TXT.SCR
RANKING.COM
RANKING.TXT.PIF
RANKING.TXT.SCR
RELEASE.PIF
STORY.COM
STORY.RTF.EXE
STUFF.DOC.PIF
STUFF.PIF
TALK.COM
TEXTFILE.PIF
TEXTFILE.SCR
TOPSELLER.EXE
TOPSELLER.PIF
WEBSITE.EXE
WEBSITE.PIF
W32-NETSKY-B.EXE
FND0.NFI
MY DOCUMENTS.EXE
WINDOWS.EXE
ESET.EXE
FONTS.EXE
SAMAN.SAMAN-092E8222D.EXE
ROCKETDOCK.EXE
TRAYLAYOUT.EXE
SINAPARDAZESHSOFT.EXE
USERDATA.EXE
INTERNET EXPLORER.EXE
ONLINE SERVICES.EXE
MOVIE MAKER.EXE
MY PICTURES.EXE
PROGRAM FILES.EXE
ADOBE.EXE
DOCUMENTS AND SETTINGS.EXE
BRICKS OF ATLANTIS.EXE
BUNNY BOUNCE DELUXE.EXE
BURGER ISLAND.EXE
BURGER RUSH.EXE
CHARM TALE.EXE
CHICKEN ATTACK.EXE
CHUZZLE DELUXE.EXE
CLIP.EXE
COSMIC STACKER.EXE
FUNNY GAMES (PART A).EXE
HAMSTERBALL.EXE
MAGIC ACADEMY.EXE
MAGUS - IN SEARCH OF ADVENTURE.EXE
MAHJONG.EXE
MARIO FOREVER.EXE
MIRROR MAGIC DELUXE.EXE
MUSIC.EXE
NEW FOLDER (nn).EXE
NEW FOLDER (1).EXE
NEW FOLDER.EXE
SAIT.EXE
TAAVONI.EXE
TAHGHIGH.EXE
SAMPLE PICTURES.EXE
LANGUAGES.EXE
SAMPLE MUSIC.EXE
DESKTOP.EXE
C92R45AV.EXE
ALL USERS.WINDOWS.EXE
SINAPACK2005.EXE
ACROBAT 4.0.EXE
CMAP.EXE
RESOURCE.EXE
MY MUSIC.EXE
ALMOBIN.EXE
A PIRATE'S LEGEND.EXE
ABUNDANTE.EXE
ACROPOLIS.EXE
ADVENTURE BALL.EXE
ADVENTURE INLAY SAFARI EDITION.EXE
AIRSTRIKE3D.EXE
ALIEN SHOOTER.EXE
AMAZONIA.EXE
AQUAPARK.EXE
ASTROBATICS.EXE
ATLANTIS QUEST.EXE
ATLANTIS.EXE
BEETLE BOMP.EXE
BEJEWELED 2.EXE
BIG CITY ADVENTURE SAN FRANCISCO.EXE
BONNIE'S BOOKSTORE DELUXE.EXE
BOULDER DASH.EXE
CAKE MANIA.EXE
CHICKEN INVADERS 2.EXE
CRAZY EGGS.EXE
DELICIOUS DELUXE.EXE
DIGBY'S DONUTS.EXE
DINER DASH.EXE
DNA.EXE
DYNOMITE.EXE
FAIRIES.EXE
FAIRY TREASURE.EXE
FEEDINGFRENZY.EXE
FEVER FRENZY.EXE
FIZZBALL.EXE
FLOWER SHOP BIG CITY BREAK.EXE
FROGGY CASTLE 2 DELUXE.EXE
FUNKIBALL.EXE
GLINX.EXE
GOLD MINER JOE.EXE
HEAVY WEAPON.EXE
ICE CREAM TYCOON.EXE
ICYTOWER.EXE
INCADIA.EXE
INSANIQUARIUM.EXE
JEWELS OF CLEOPATRA.EXE
JURASSIC REALM.EXE
KASPAROV CHESSMATE.EXE
LEGO CHIC BOUTIQUE.EXE
P.EXE
TR.EXE
DC183.EXE
$RM38UJY.EXE
DC1299.EXE
GEB[1]

Filesizes

The following file size has been seen:

37,888 bytes
15,968 bytes
50,688 bytes
906,095 bytes
279,552 bytes
22,016 bytes
239,714 bytes

File Type

The filename PRODUCT.HTM.PIF refers to many versions of an executable program.

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

PRODUCT.HTM.PIF