Associated Malware Groups
The unsafe files using this name are associated with the malware group:
File Behavior
A1.BAT has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Executes a Process
- Injects code into other processes
- This Process Creates Other Processes On Disk
- This Process Deletes Other Processes From Disk
- Registers a Dynamic Link Library File
- Creates a new Background Service on the machine
- Disables safe mode on your PC
- Loads and Executes a System Driver File
A1.BAT has been the subject of the following behavior:
- Added as a Registry auto start to load Program on Boot up
- Copied to multiple locations on the system
- Deleted as a process from disk
- Executed as a Process
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
- Executed from Temporary Folders
Country Of Origin
The filename A1.BAT was first seen on Sep 11 2008 in the following geographical region of the Prevx community:
File Name Aliases
A1.BAT can also use the following file names:
Filesizes
The following file sizes have been seen:
- 231,360 bytes
- 707,815 bytes
- 100,288 bytes
Vendor, Product and Version Information
These files have no vendor, product or version information specified in the file header.
File Type
The filename A1.BAT refers to many versions of an executable program.
File Activity
One or more files with the name A1.BAT creates, deletes, copies or moves the following files and folders:
- Creates c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\ckvo.exe
- Deletes c:\windows\system32\ckvo0.dll
- Creates c:\windows\system32\ckvo0.dll
- Deletes c:\a1.ba
- Copies file c:\windows\system32\ckvo.exe to c:\a1.ba
- Deletes c:\autorun.in
- Creates c:\autorun.in
- Deletes d:\a1.ba
- Copies file c:\windows\system32\ckvo.exe to d:\a1.ba
- Deletes d:\autorun.in
- Creates d:\autorun.in
- Deletes c:\docume~1\user\locals~1\temp\help1.rar
- Deletes c:\docume~1\user\locals~1\temp\help.ex
- Deletes c:\1u0o8bnq.cm
- Copies file c:\windows\system32\ckvo.exe to c:\1u0o8bnq.cm
- Deletes d:\1u0o8bnq.cm
- Copies file c:\windows\system32\ckvo.exe to d:\1u0o8bnq.cm
- Opens/modifies c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\help1.rar
- Deletes c:\docume~1\user\locals~1\temp\help.exe
- Creates c:\docume~1\user\locals~1\temp\help.exe
- Copies file c:\docume~1\user\locals~1\temp\help.exe to c:\windows\system32\ckvo.exe
Registry Activity
One or more files with the name A1.BAT creates or modifies the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings GlobalUserOffline value:
Website Activity
One or more files with the name A1.BAT interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1088 Port:17
- Port 80 IP:60.169.1.92
- TCP:127.0.0.1:1090 Port:17