FOOL0.DLL

Cloaked Malware

Free PC Cleanup from Webroot

Use Webroot SecureAnywhere to remove FOOL0.DLL.

"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User

Get Free PC Cleanup

Associated Malware Groups

The filename is associated with the malware groups:

Cloaked Malware
Malicious Software

File Behavior

FOOL0.DLL has been seen to perform the following behavior:

The Process is packed and/or encrypted using a software packing process
The Process is polymorphic and can change its structure
Copies files
This Process Deletes Other Processes From Disk
Executes a Process
This process creates other processes on disk

FOOL0.DLL has been the subject of the following behavior:

Deleted as a process from disk
Created as a process on disk
The process is hooked into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Registered as a Dynamic Link Library File
Executed as a Process

Country Of Origin

The filename FOOL0.DLL was first seen on Nov 19 2007 in the following geographical regions of the Webroot community:

Spain on Nov 19 2007
Korea, Republic of on Nov 19 2007
Czech Republic on Feb 13 2008
Romania on Jul 21 2008
on Aug 28 2008
Italy on Aug 28 2008
Uruguay on Aug 29 2008
Hong Kong on Sep 9 2008
Iran, Islamic Republic of on Sep 14 2008
The United States on Jun 1 2011

File Name Aliases

FOOL0.DLL can also use the following file names:

FOOL3.DLL
FOOL4.DLL
FOOL1.DLL
82476207.DLL
35305105.DLL
12423028.DLL

Filesizes

The following file size has been seen:

44,861 bytes
105,984 bytes
113,152 bytes
99,328 bytes
45,500 bytes
51,200 bytes

File Type

The filename FOOL0.DLL is used by multiple object types including Dynamic Link LIbraries,objects.

File Activity

One or more files with the name FOOL0.DLL creates, deletes, copies or moves the following files and folders:

Deletes c:\docume~1\user\locals~1\temp\ll.rar
Opens/modifes c:\autoexec.bat
Deletes c:\windows\system32\ddr.exe
Creates c:\windows\system32\ddr.exe
Creates c:\windows\system32\drivers\klif.sys
Deletes c:\windows\system32\drivers\klif.sys
Deletes c:\windows\system32\ckvo.exe
Copies filec:\windows\system32\ddr.exe to c:\windows\system32\ckvo.exe
Deletes c:\windows\system32\ckvo0.dll
Creates c:\windows\system32\ckvo0.dll
Moves c:\docume~1\user\locals~1\temp\ll.exe to c:\docume~1\user\locals~1\temp\tru11.tmp
Creates c:\windows\hg.exe
Deletes c:\ph.co
Copies filec:\windows\system32\ckvo.exe to c:\ph.co
Deletes c:\autorun.in
Creates c:\autorun.in
Deletes d:\ph.co
Copies filec:\windows\system32\ckvo.exe to d:\ph.co
Deletes d:\autorun.in
Creates d:\autorun.in
Deletes c:\windows\hg.exe
Deletes c:\6qaiu.co
Copies filec:\windows\system32\kxvo.exe to c:\6qaiu.co
Deletes d:\6qaiu.co
Copies filec:\windows\system32\kxvo.exe to d:\6qaiu.co
Deletes c:\docume~1\user\locals~1\temp\help1.rar
Creates c:\windows\system32\help.exe
Deletes c:\windows\system32\kxvo.exe
Copies filec:\windows\hg.exe to c:\windows\system32\kxvo.exe
Deletes c:\windows\system32\ieso0.dll
Creates c:\windows\system32\ieso0.dll
Deletes c:\windows\system32\fool0.dll
Creates c:\windows\system32\fool0.dll
Creates c:\docume~1\user\locals~1\temp\help1.rar
Deletes c:\docume~1\user\locals~1\temp\help.exe
Creates c:\docume~1\user\locals~1\temp\help.exe
Copies filec:\docume~1\user\locals~1\temp\help.exe to c:\windows\system32\ckvo.exe
Deletes c:\windows\system32\ckvo1.dll
Creates c:\windows\system32\ckvo1.dll

Website Activity

One or more files with the name FOOL0.DLL interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

TCP:127.0.0.1:1111 Port:17
Port 80 IP:60.169.0.152
TCP:127.0.0.1:1113 Port:17
Port 80 IP:60.169.1.92
TCP:127.0.0.1:1116 Port:17
TCP:127.0.0.1:1121 Port:17
TCP:127.0.0.1:1124 Port:17

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

Virus, Spyware & Malware Center »