Associated Malware Groups
The filename is associated with the malware groups:
- Rootkit
- Cloaked Malware
- Malicious Software
File Behavior
FOOL0.DLL has been seen to perform the following behavior:
- The process is packed and/or encrypted using a software packing process
- The process is polymorphic and can change its structure
- Copies files
- This process deletes other processes from disk
- Executes a process
- This process creates other processes on disk
- Found on infected systems and resists interrogation by security products
FOOL0.DLL has been the subject of the following behavior:
- Deleted as a process from disk
- Created as a process on disk
- The process is hooked into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Registered as a Dynamic Link Library File
- Executed as a Process
Country Of Origin
The filename FOOL0.DLL was first seen on Nov 19 2007 in the following geographical regions of the Prevx community:
- Spain on Nov 19 2007
- Korea, Republic of on Nov 19 2007
- Czech Republic on Feb 13 2008
- Romania on Jul 21 2008
- on Aug 28 2008
- Italy on Aug 28 2008
- Uruguay on Aug 29 2008
- Hong Kong on Sep 9 2008
- Vietnam on Sep 14 2008
File Name Aliases
FOOL0.DLL can also use the following file names:
- FOOL3.DLL
- FOOL4.DLL
- FOOL1.DLL
- 82476207.DLL
- 35305105.DLL
- 12423028.DLL
Filesizes
The following file sizes have been seen:
- 44,861 bytes
- 105,984 bytes
- 113,152 bytes
- 108,032 bytes
- 45,500 bytes
- 51,200 bytes
File Type
The filename FOOL0.DLL is used by multiple object types including Dynamic Link Libraries, objects.
File Activity
One or more files with the name FOOL0.DLL creates, deletes, copies or moves the following files and folders:
- Deletes c:\docume~1\user\locals~1\temp\ll.rar
- Opens/modifies c:\autoexec.bat
- Deletes c:\windows\system32\ddr.exe
- Creates c:\windows\system32\ddr.exe
- Creates c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\ckvo.exe
- Copies file c:\windows\system32\ddr.exe to c:\windows\system32\ckvo.exe
- Deletes c:\windows\system32\ckvo0.dll
- Creates c:\windows\system32\ckvo0.dll
- Moves c:\docume~1\user\locals~1\temp\ll.exe to c:\docume~1\user\locals~1\temp\tru11.tmp
- Creates c:\windows\hg.exe
- Deletes c:\ph.co
- Copies file c:\windows\system32\ckvo.exe to c:\ph.co
- Deletes c:\autorun.in
- Creates c:\autorun.in
- Deletes d:\ph.co
- Copies file c:\windows\system32\ckvo.exe to d:\ph.co
- Deletes d:\autorun.in
- Creates d:\autorun.in
- Deletes c:\windows\hg.exe
- Deletes c:\6qaiu.co
- Copies file c:\windows\system32\kxvo.exe to c:\6qaiu.co
- Deletes d:\6qaiu.co
- Copies file c:\windows\system32\kxvo.exe to d:\6qaiu.co
- Deletes c:\docume~1\user\locals~1\temp\help1.rar
- Creates c:\windows\system32\help.exe
- Deletes c:\windows\system32\kxvo.exe
- Copies file c:\windows\hg.exe to c:\windows\system32\kxvo.exe
- Deletes c:\windows\system32\ieso0.dll
- Creates c:\windows\system32\ieso0.dll
- Deletes c:\windows\system32\fool0.dll
- Creates c:\windows\system32\fool0.dll
- Creates c:\docume~1\user\locals~1\temp\help1.rar
- Deletes c:\docume~1\user\locals~1\temp\help.exe
- Creates c:\docume~1\user\locals~1\temp\help.exe
- Copies file c:\docume~1\user\locals~1\temp\help.exe to c:\windows\system32\ckvo.exe
- Deletes c:\windows\system32\ckvo1.dll
- Creates c:\windows\system32\ckvo1.dll
Website Activity
One or more files with the name FOOL0.DLL interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1111 Port:17
- Port 80 IP:60.169.0.152
- TCP:127.0.0.1:1113 Port:17
- Port 80 IP:60.169.1.92
- TCP:127.0.0.1:1116 Port:17
- TCP:127.0.0.1:1121 Port:17
- TCP:127.0.0.1:1124 Port:17