WINDOWS.EXE, Prevx

Associated Malware Groups

The filename is associated with the malware groups:

Cloaked Malware
Malicious Software
Worm
Email Worm

File Behavior

WINDOWS.EXE has been seen to perform the following behavior:

Adds a Registry Key (RUN) to auto start Programs on system start up
Modifies System Runtime Policies to limit system usability
Adds a Registry Key (DXCOM) to auto start Programs on system start up
This process creates other processes on disk
Writes to another Process's Virtual Memory (Process Hijacking)
Executes a Process
This Process Deletes Other Processes From Disk
Injects code into other processes
Creates new folders on the system
Copies files
Can Send email using SMTP protocols
This Process sends MIME Email
This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
Enables an In Process Object/Server - Common with DLL Injections
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Uses DNS to retrieve the IP address for web sites
The Process is polymorphic and can change its structure
Creates system tray popups, messages, errors and security warnings
Found on infected systems and resists interrogation by security products
Uses low level functions to hide itself from the user and from system/security processes
Registers a Dynamic Link Library File
Performs DNS look ups to resolve URL IP addresses
The Process is packed and/or encrypted using a software packing process
Drops known malicious software during execution
Makes outbound connections to other computers using NETBIOSOUT protocols
Disables the Notification Balloon for the Windows Security Center
Disables Access to the Task Manager built into Windows
Disables Access to the Windows Registry Editior
Modifies Windows Security Policies to restrict/expand User Privileges on the machine
Adds products to the system registry
Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
Can communicate with other computer systems using HTTP protocols
Changes the Windows Security Center to stop Antivirus status alerts from being displayed
Changes the Windows Security Center to stop Firewall status alerts from being displayed
Changes the Windows Security Center to stop Firewall override alerts from being displayed
Changes the Windows Security Center to stop warnings from being displayed if automatic Windows Updates are not enabled
Modifies firewall settings, without user permission so it is not blocked from accessing the Internet
Disables safe mode on your PC
Creates a new Background Service on the machine

WINDOWS.EXE has been the subject of the following behavior:

Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Executed as a Process
Added as a Registry Key (DXCOM) to auto start Programs on system start up
Has code inserted into its Virtual Memory space by other programs
Executed by Internet Explorer
Terminated as a Process
Deleted as a process from disk
Copied to multiple locations on the system
Registered as a Dynamic Link Library File
Created by processes which appear to be checking for interception by security products

Country Of Origin

The filename WINDOWS.EXE was first seen on May 17 2007 in the following geographical regions of the Webroot community:

Turkey on May 17 2007
The United States on May 17 2007
Netherlands on May 22 2007
Spain on Jul 31 2007
Jordan on Apr 21 2009
Europe on Apr 21 2009
The United Kingdom on Jan 2 2010
Germany on Feb 21 2010
Palestinian Territory on Jun 5 2010

File Name Aliases

WINDOWS.EXE can also use the following file names:

YENI KLASöR.EXE
BELGELER.EXE
BERTU BAS1LACAK FOTORAFLAR.EXE
MüZIK.EXE
RESIMLER.EXE
UPDATE.EXE
ABDULVAHIT HICAZ.EXE
DIVAN.EXE
KERKüK TüRKü.EXE
KERKüK URFA.EXE
SEGAH.EXE
TüRKIYEDEKI öRNEKLERI.EXE
MüZIIM.EXE
MED0H@.EXE
DENIZLER TüKENMEZ.EXE
MY PLAYLISTS.EXE
SAMPLE PLAYLISTS.EXE
SYNC PLAYLISTS.EXE
ÖRNEK MüZIK.EXE
ÖRNEK RESIMLER.EXE
TÜRKÇE MÜZ0K.EXE
YABANCI MÜZ0K.EXE
ANADOLU (ENSTRÜMANTEL).EXE
ERDAL ERZINCAN - KAYHAN KALHOR & - THE WIND [2007][ANGARALI][TURKSIPA].EXE
TÜRKÜLER SEVDAMIZ 2.EXE
ÇIçEKLER EKILIYOR.EXE
çöKERTME.EXE
GITAR-NEY DüET.EXE
IL IL TüRKüLER.EXE
AGRI.EXE
GHOST.BAT
SEMAHLAR.EXE
SUYA TURKU 1.EXE
ŞENOL.EXE
TRIO AKSAK - AZERI.EXE
AKSARAY.EXE
AMASYA.EXE
ANKARA.EXE
ANTALYA.EXE
ARDAHAN.EXE
ARTVIN.EXE
AYDIN.EXE
BALIKESIR.EXE
BARTIN.EXE
BATMAN.EXE
BAYBURT.EXE
BILECIK.EXE
BINGOL.EXE
BITLIS.EXE
BOLU.EXE
BURDUR.EXE
BURSA.EXE
CANAKKALE.EXE
CANKIRI.EXE
CORUM.EXE
DENIZLI.EXE
DIYARBAKIR.EXE
DUZCE.EXE
EDIRNE.EXE
ELAZIG.EXE
ERZINCAN.EXE
ERZURUM.EXE
ESKISEHIR.EXE
GAZIANTEP.EXE
GIRESUN.EXE
GUMUSHANE.EXE
HAKKARI.EXE
HATAY.EXE
ICEL.EXE
IGDIR.EXE
ISPARTA.EXE
ISTANBUL.EXE
IZMIR.EXE
KARABUK.EXE
KARAMAN.EXE
KARS.EXE
KASTAMONU.EXE
KAYSERI.EXE
KILIS.EXE
KIRIKKALE.EXE
KIRKLARELI.EXE
KIRSEHIR.EXE
KMARAS.EXE
WINDOWSXP.EXE
INTEL.EXE
SMARTMGR.EXE
KAV.EXE
CSRSS.EXE
برامج.EXE
ENRIQUE IGLESIAS.EXE
AKON.EXE
NEW FOLDER (n).EXE
TAMER 7OSSNY.EXE
شادي.EXE
مجوز.EXE
BPK.EXE
TEST (nnn).EXE
GANGSIR.CN (nn).EXE
KEYLOG.EXE
CDMON.EXE
YAHOO.EXE
XPT.EXE
XXX.EXE
ASF.EXE
SCHOSS.EXE
A7MED.EXE
WINSYS.EXE
HALO AIMBOT.EXE
WINWOAR.EXE
JICA.EXE
AGUSMUNSU.EXE
WESLEY.EXE
BENNETTON.EXE
SYSTEM.EXE
THEFORCEENGAGEMENT.EXE
MEK.EXE
GAMES.EXE
SVHOST.EXE
RECYCLER.EXE
SYSTEM VOLUME INFORMATION.EXE
ARCHIVED RECORDS.EXE
DOCUMENTS AND SETTINGS.EXE
PROGRAM FILES.EXE
KAGWANG.EXE
PERSONAL FILES.EXE
QUARANTINE.EXE
DEEPCHECKRESULTS.EXE
MINE.EXE
FM_STATIC-DEAR_DIARY-2009-MTD.EXE
SPONGEBOB_SQUAREPANTS-SPONGEBOBS_GREATEST_HITS[WWW.MP3BOO.COM].EXE
NEW FOLDER.EXE
FALLING UP- EXIT LIGHTS.EXE
CONFIG.MSI
DEEPCHECKRUN.EXE
DEEPCHECKWORK.EXE
GODEEPCHECK.EXE
MALWAREFILES.EXE
MBR.EXE
WORD SEARCH DELUXE.EXE
THE WONDERFUL WIZARD OF OZ.EXE
THE APPRENTICE LOS ANGELES.EXE
SPONGEBOB SQUAREPANTS DINER DASH.EXE
POPCAP GAMES.EXE
PLANTASIA.EXE
ORBITDOWNLOADER.EXE
NOKIA.EXE
IWIN.COM.EXE
GAMEHOUSE.EXE
FLOWER SHOP BIG CITY BREAK.EXE
FLIP WORDS 2.EXE
DINER DASH FLO ON THE GO.EXE
CINEMA TYCOON GOLD.EXE
CHICKEN CHASE.EXE
CHEAT ENGINE.EXE
ALAWAR.EXE
NV23962400.TMP.EXE
NV24042408.TMP.EXE
Музыкайф - все лучшие хиты 2008.EXE
CABB3.COM
REFLEX.EXE
валевская.EXE
королев.EXE
ненси.EXE
Новая папка.EXE
сборник.EXE
Тина Кароль.EXE
ASSETS.EXE
DATA.EXE
YöNETIMSEL ARAçLAR.EXE
FILES.EXE
اسماءنا.EXE
FADI.EXE
صوري محمد.EXE
FUTURE GAMES.EXE
AQUA BUBBLE 2.EXE
AVRIL.EXE
FREEDOM.EXE
FIFA98.EXE
SWASHBUCKLERS BLUE VS GREY.EXE
KING OF CLUBS.EXE
طرب.EXE
TAMER 3ASHOR.EXE
AZUMI.2.DEATH.EXE
SWSETUP.EXE
FUTUREGAMEZ.EXE
FAMILY.EXE
H_JESSME.EXE
MUSIC.EXE
NEW FOLDER (1).EXE
TAMER H.EXE
REMOVABLE DISK (G).EXE
MSOCACHE.EXE
MIX SONGS.EXE
SOFTWARE.EXE
WINDOWS LIVE MESSENGER KHALID EDITION V5.5 ARABIC.EXE
THUMBS.EXE
GOOD1 SONGS.EXE
PHOTOS.EXE
SAFARI.EXE
AMRICA.EXE
OWAIS.EXE
JIBRAN PICS.EXE
PICS.EXE
APRIL 2007.EXE
LAILA'S.EXE
LAILA.EXE
COMPUTER.EXE
TOTAL VIDEO CONVERTER.EXE
SOFTWARES.EXE
JIBRAN PICS 2.EXE
XPLAY MUSIC.EXE
NOTES.EXE
SMBUS.EXE
IDE.EXE
WINVISTA.EXE
SATA_IDE.EXE
SATARAID.EXE
RAIDTOOL.EXE
ETHERNET.EXE
NVIDIA AHCI.EXE
CREATIX TV-KAART.EXE
TOOLS.EXE
WALLPAPERS.EXE
ULEAD PHOTOIMPACT 12.EXE
UTILITIES.EXE
WEBSETUP.EXE
GERMAN.EXE
FRENCH.EXE
ENGLISH.EXE
SETUPDIR.EXE
SETUP.EXE
UPDATESERVICE.EXE
DOCUMENT.EXE
README.EXE
MANUAL.EXE
NERO BURNING ROM 8.EXE
SECURDISCVIEWER.EXE
REDIST.EXE
RECOVER.EXE
STUURPROGRAMMA'S.EXE
WINDOWS XP.EXE
X10 AFSTANDSBEDIENING.EXE
REALTEK GELUIDSKAART.EXE
WDM.EXE
GG.EXE
DJ.EXE
$RECYCLE.BIN.EXE
E2B38.COM
12953247._
14533328_12312312.EXE

Filesizes

The following file size has been seen:

167,936 bytes
933,888 bytes
397,312 bytes
360,448 bytes
81,920 bytes
84,992 bytes
89,366 bytes
229,376 bytes
315,392 bytes

File Type

The filename WINDOWS.EXE refers to many versions of an executable program.

File Activity

One or more files with the name WINDOWS.EXE creates, deletes, copies or moves the following files and folders:

Opens/modifes c:\autoexec.bat
Copies filec:\windows\kagwang.exe to c:\Personal Files.ex
Copies filec:\windows\kagwang.exe to c:\Archived Records.ex
Copies filec:\windows\kagwang.exe to c:\Config.Ms
Copies filec:\windows\kagwang.exe to c:\Documents and Settings.ex
Copies filec:\windows\kagwang.exe to c:\malwarefiles.ex
Copies filec:\windows\kagwang.exe to c:\mbr.ex
Copies filec:\windows\kagwang.exe to c:\Program Files.ex
Copies filec:\windows\kagwang.exe to c:\RECYCLER.ex
Copies filec:\windows\kagwang.exe to c:\System Volume Information.ex
Copies filec:\windows\kagwang.exe to c:\WINDOWS.ex
Copies filec:\windows\kagwang.exe to d:\Personal Files.ex
Copies filec:\windows\kagwang.exe to d:\Archived Records.ex
Copies filec:\windows\kagwang.exe to d:\System Volume Information.ex
Copies filec:\windows\kagwang.exe to a:\Personal Files.ex
Copies filec:\windows\kagwang.exe to a:\Archived Records.ex
Copies filec:\windows\kagwang.exe to .ex
Copies filec:\windows\asifucan.exe to c:\windows\ztescd32.exe
Copies filec:\windows\asifucan.exe to c:\windows\system32\_svchost32.exe
Copies filec:\windows\asifucan.exe to c:\documents and settings\user\start menu\programs\startup\lsass.exe
Copies filec:\windows\asifucan.exe to c:\documents and settings\user\local settings\application data\svchost32.exe
Copies filec:\windows\ztescd32.exe to c:\windows\details.bat
Copies filec:\windows\Msinet32.EXE to c:\windows\Msinet32.exe
Copies filec:\windows\system32\_svchost32.exe to c:\windows\news.bat
Copies filec:\documents and settings\user\start menu\programs\startup\lsass.exe to c:\windows\info.exe
Copies filec:\documents and settings\user\local settings\application data\svchost32.exe to c:\windows\notice.mp3
Creates c:\autorun.in
Creates d:\autorun.in
Deletes c:\autorun.inf
Deletes d:\autorun.inf

Network Activity

One or more files with the name WINDOWS.EXE performs the following network events:

DNS Lookup1.1.4.1 DC4-GHMWQ129

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

WINDOWS.EXE

Free PC Cleanup from Webroot