README.EXE, Prevx

Associated Malware Groups

The unsafe files using this name are associated with the malware groups:

System Back Door
Worm
Malware Dropper
Malicious Software

File Behavior

README.EXE has been seen to perform the following behavior:

Adds products to the system registry
Executes Processes stored in Temporary Folders
This process creates other processes on disk
Writes to another Process's Virtual Memory (Process Hijacking)
The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
Executes a Process
This Process Deletes Other Processes From Disk
Registers a Dynamic Link Library File
Creates new folders on the system
The Process is packed and/or encrypted using a software packing process
Can communicate with other computer systems using HTTP protocols
This Process is a file infector which modifies program files to include a copy of the infection
Drops known malicious software during execution
Reads email address and phone book details
Includes file creation code which could be used to test for interception by security products
Visits web sites on your PC without you knowing
Found on infected systems and resists interrogation by security products
Looks at the contents of the autoexec.bat file
Uses DNS to retrieve the IP address for web sites

README.EXE has been the subject of the following behavior:

Created as a process on disk
Executed as a Process
Has code inserted into its Virtual Memory space by other programs
Terminated as a Process
Registered as a Dynamic Link Library File
Deleted as a process from disk
Added as a Registry auto start to load Program on Boot up
Copied to multiple locations on the system

Country Of Origin

The filename README.EXE was first seen on Jul 3 2007 in the following geographical regions of the Webroot community:

Canada on Jul 3 2007
Spain on Jul 31 2007
Indonesia on Jul 31 2007
Portugal on Jul 18 2010
The United Kingdom on Jul 18 2010
Russian Federation on Dec 11 2010
Turkey on May 23 2012

File Name Aliases

README.EXE can also use the following file names:

README(1).EXE
README (1).EXE
PREVX_CSI_3_0_LICENSE_ACTIVATION_KEY.EXE
PREVX_CSI_3.0_LICENSE_KEY.EXE
PREVX_CSI_3_LICENSE_KEY.EXE
PREVX_3.0_KEY.EXE
PREVX_3.0_ACTIVATION_KEY[n].EXE
PREVX_2_0.EXE
QUAD_REGISTRY_CLEANER_ACTIVATION_FREE_DOWNLOAD_KEY.EXE
PREVX_CSI_3.0_ACTIVATION_KEY.EXE
PREVX_CSI_3.0_KEY.EXE
PREVX_2_0[n].EXE
PREVX_CSI_3_KEY.EXE
PREVX_3.0_ACTIVATION_KEY.EXE
PREVX_3.0_ACTIVATION_KEY_1.EXE
PATCH.EXE
PREVX_CSI_3.0_ACTIVATE_LICENSE_KEY.EXE
PREVX_CSI_3.0.0.128_ACTIVATION_CODE_KEY.EXE
PREVX_2_0_SERIAL.EXE
PREVX3.0_KEY.EXE
PREVX_CSI_LICENSE_KEY.EXE
PATTERNMASTER_KEY[n].EXE
PREVXCSIFREE_KEY.EXE
PREVX_CSI_3.0_ACTIVATION_KEY[n].EXE
POWER_DVD_9_KEY.EXE
PREVX_EDGE_3.0_14_PREVX_EDGE_3.0_KEY.EXE
PREVX_3.0__KEY.EXE
APDFPR_5.03_KEY.EXE
PREVX_CSI_LICENSE_KEY[n].EXE
PRACTICA-1.DOC.EXE
MANUAL.DOC.EXE
KISS_ME.DOC.EXE
DEDEKU.EXE
FILE SERTAAN.EXE
SERVICES.EXE
AAA.EXE
BBB.EXE
KASUS PBB.EXE
KUP.EXE
LAIN2.EXE
LAMARAN.EXE
MAS.EXE
ME AND MY FRIEND.EXE
PCMAV15.EXE
PDRD.EXE
PRESENTASI.EXE
NORMAL.DOT
W3BRAD-A.VXE
08752263.A
85325854.A
22524.DOC.EXE
4890.DOC.EXE

Filesizes

The following file size has been seen:

114,690 bytes
386,048 bytes
139,776 bytes
913,612 bytes
8,704 bytes
67,584 bytes
266,070 bytes
53,248 bytes

File Type

The filename README.EXE refers to many versions of an executable program.

File Activity

One or more files with the name README.EXE creates, deletes, copies or moves the following files and folders:

Copies filec:\windows\system32\export\services.exe to c:\windows\system32\export\services.exe
Copies filec:\windows\system32\export\services.exe to c:\windows\aaa.exe
Copies filec:\windows\system32\export\services.exe to c:\windows\bbb.exe
Copies filec:\windows\system32\export\services.exe to c:\windows\system32\normal.dot

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

README.EXE

Free PC Cleanup from Webroot