WIN7.EXE, Prevx

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

Cloaked Malware
Malicious Software

File Behavior

WIN7.EXE has been seen to perform the following behavior:

Associated with, or similar to the ZEUS Internet and Online Banking Trojan
Executes a Process
Injects code into other processes
Copies files
Performs DNS look ups to resolve URL IP addresses
This process creates other processes on disk
Downloads program file(s) and other content from the web
Uses Instant Messaging to communicate without the user's knowledge
Uses embeded Instant Message Channel Settings
Found on infected systems and resists interrogation by security products
Modifies System Runtime Policies to limit system usability
Adds a Registry Key (RUN) to auto start Programs on system start up
Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
Writes to another Process's Virtual Memory (Process Hijacking)
Executes Processes stored in Temporary Folders
This Process Deletes Other Processes From Disk
Can communicate with other computer systems using HTTP protocols
The Process is packed and/or encrypted using a software packing process
Modifies Windows Initialization And System Settings Used On Start up
Adds a Registry Key (EXPLORER) to auto start Programs on system start Boot up
Enables an In Process Object/Server - Common with DLL Injections
The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Registers a Dynamic Link Library File
Registers a Windows APPINIT DLL To be loaded in all processes
Creates a new Background Service on the machine
This Process sends MIME Email
Hijacks your email account which could allow email to be sent in your name

WIN7.EXE has been the subject of the following behavior:

Executed as a Process
Copied to multiple locations on the system
Created as a process on disk
Added as a Registry auto start to load Program on Boot up
Has code inserted into its Virtual Memory space by other programs
Executed from Temporary Folders
Deleted as a process from disk

Country Of Origin

The filename WIN7.EXE was first seen on Aug 30 2007 in the following geographical regions of the Webroot community:

Spain on Aug 30 2007
Netherlands on Aug 30 2007
Canada on Jun 13 2008
Russian Federation on Jan 24 2010
Bulgaria on Jan 24 2010
Mexico on Jan 27 2010
Sweden on Jul 13 2010
The United States on May 14 2012

File Name Aliases

WIN7.EXE can also use the following file names:

ERASEME_54604.EXE
ERASEME_30447.EXE
ERASEME_82466.EXE
ERASEME_54103.EXE
ERASEME_15223.EXE
ERASEME_21873.EXE
ERASEME_48234.EXE
ERASEME_01023.EXE
ERASEME_53506.EXE
ERASEME_34038.EXE
ERASEME_61776.EXE
ERASEME_00860.EXE
ERASEME_11575.EXE
ERASEME_51474.EXE
ERASEME_25465.EXE
WIN7 .EXE
TSA.EXE
ERASEME_84700.EXE
ERASEME_28346.EXE
ERASEME_70871.EXE
ERASEME_07455.EXE
ERASEME_57445.EXE
ERASEME_70451.EXE
ERASEME_06727.EXE
ERASEME_03216.EXE
ERASEME_35685.EXE
ERASEME_61181.EXE
TSA[1].EXE
WIN10.EXE
WIN11.EXE
WIN29.EXE
WIN52.EXE
WIN6.EXE
WIN16F.EXE
WIN11_1.EXE
WIN18.EXE
WIN1D.EXE
QJHINS.EXE
64.SCR
6D.TMP
80.SCR
76.SCR
092303 (11).EXE
1A1.TMP
23512889.SCR

Filesizes

The following file size has been seen:

10,000,000 bytes
41,472 bytes
40,960 bytes
12,039 bytes
26,112 bytes
2,580,949 bytes
118,272 bytes

File Type

The filename WIN7.EXE is used by multiple object types including objects,executable programs.

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

WIN7.EXE