DOWN(0).EXE - Dangerous

What you should do about DOWN(0).EXE:

Check Your PC Now
Your PC is infected. The file called DOWN(0).EXE is considered unsafe and there may be other infections on your PC.


You should urgently check your PC and remove any malicious software including DOWN(0).EXE as soon as possible. The free version of Prevx CSI will scan your PC for millions of spyware and malware infections in less than 2 minutes. Don't take the risk, check your PC now by clicking the green button.

Download Prevx CSI Now

Who Uses Prevx CSI?

Prevx has been detecting the threats that others miss since 2004.

More than 2,061,563 people have scanned with Prevx CSI and between them have checked 29.7 billion files. 66% of the PCs scanned had malware present.

What we know about DOWN(0).EXE:

The filename DOWN(0).EXE was first seen on Jun 24 2007 in The UNITED STATES. It has also been seen in the following geographical regions of the Prevx community:

  • The UNITED KINGDOM on May 8 2008
  • SPAIN on Jun 24 2007
  • AUSTRALIA on Aug 9 2007
  • CANADA on Nov 17 2007
The filename DOWN(0).EXE refers to many versions of an executable program.

The most common file size is 313,344 bytes. But the following file sizes have also been seen:

  • 36,864 bytes
  • 10,028 bytes
  • 334,848 bytes
  • 133,120 bytes
  • 15,733 bytes

The filename is associated with the malware group Trojan.DownZero.Some files using the name DOWN(0).EXE are also associated with the malware groups:
  • Win32/Gaelicum.A
  • TROJAN.MKTROJAN.A
  • BACKDOOR.PIGEON.199
 These files have no vendor, product or version information specified in the file header.

DOWN(0).EXE has been seen to perform the following behavior(s):

  • The Process is packed and/or encrypted using a software packing process
  • Creates a new Background Service on the machine
  • Executes a Process
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • This Process Deletes Other Processes From Disk
  • Terminates Processes
  • This Process Creates Other Processes On Disk
  • Can communicate with other computer systems using HTTP protocols
  • This Process is a file infector which modifies program files to include a host a copy of the infection
  • Injects code into other processes
  • Uses DNS to retrieve the IP address for web sites
  • Adds a Registry Key (COMD) auto start to load Program on Boot up
  • Modifies the Logon Screen Saver Settings
  • This Process uses Anti Dissasembly Tricks
  • Registers a Dynamic Link Library File
  • Disables the built in Windows File Protection System

DOWN(0).EXE has been the subject of the following behavior(s):

  • Created as a process on disk
  • Executed as a Process
  • Has code inserted into its Virtual Memory space by other programs
  • Terminated as a Process
  • Copied to multiple locations on the system
  • Created as a new Background Service on the machine
  • Deleted as a process from disk
  • Executed from Temporary Folders
  • Added as a Registry Key (COMD) to auto start to load Program on Boot up
  • Executed by Internet Explorer
  • Victim of a Heap Based Buffer Overflow
  • Added as a Registry auto start to load Program on Boot up

DOWN(0).EXE can also use the following file names:

  • 06422033.SVD
  • DPTRNEYLXS-423.PMS.EXE
  • 0203C1731730B3BE8503483D4D93A787.EXE
  • ESXP.EXE
  • 50989417.SVD
  • MYEXE.EXE
  • MS200712[1].EXE
  • 74971329.DAT
  • MPLAY.COM
  • ALXRES061230.EXE
  • SCRSYS061230.SCR
  • 28313263.EXE
  • SVCHOST.EXE
  • 24582021.SVD
  • 90945419.EXE
  • PK[1].EXE
  • SASA.EXE
  • 77294748.EXE
  • 01467333.EXE
  • DOWN(1).EXE
  • 25467372.EXE
  • 03910446.DAT
  • 43882425.EXE