RUNDLL32.EXE

File Behavior

RUNDLL32.EXE has been seen to perform the following behavior:

• Writes to another Process's Virtual Memory (Process Hijacking)
• Executes a Process
• Injects code into other processes
• Creates new folders on the system
• This process creates other processes on disk
• Registers a Dynamic Link Library File
• This Process Deletes Other Processes From Disk
• Executes a Dynamic Link Library File as a process
• Executes Processes stored in Temporary Folders
• Changes to the file command map within the registry
• Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
• Makes outbound connections to other computers using NETBIOSOUT protocols
• Adds a Registry Key (RUNONCE) to auto start Programs on system start up
• Changes the Internet Explorer Home Page Settings
• Changes the Internet Explorer Search Page
• Uses a Registered MAPI
• Adds products to the system registry
• Adds a Winlogon Notification DLL to automatically load on system start up
• Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission
• Can communicate with other computer systems using HTTP protocols
• Deletes Links in the Start Menu
• Adds a new task to the Scheduled Task list
• The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
• Adds a Registry Key (RUN) to auto start Programs on system start up
• Terminates Processes
• Modifies the Active Desktop Background
• Violates Prevx File Security Settings
• Enables an In Process Object/Server - Common with DLL Injections
• Creates a new Background Service on the machine
• Changes DNS server settings which could enable phishing/pharming attacks using web site redirection
• Modifies the Systems Winsock LSP which could allow control over all communications of the system
• Opens browser pop ups
• This Process is a file infector which modifies program files to include a copy of the infection
• Creates new folders in the file system
• Includes file creation code which could be used to test for interception by security products
• Copies files
• Looks at the contents of the autoexec.bat file
• Reads email address and phone book details
• Visits web sites on your PC without you knowing
• Creation and Registration of a Browser Helper Object in Internet Explorer
• Creates system tray popups, messages, errors and security warnings
• Downloads hidden code from covert web sites
• Injects code into other processes
• Checks for the use of debuggers
• Uses DNS to retrieve the IP address for web sites
• Uses backdoor interfaces to certain security applications
• Uses hidden browser windows to connect to web sites without telling you
• Runs Javascript code
• The Process is packed and/or encrypted using a software packing process
• Uses Instant Messaging to communicate without the user's knowledge
• Uses embeded Instant Message Channel Settings
• This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
• The Process is polymorphic and can change its structure
• Found on infected systems and resists interrogation by security products

RUNDLL32.EXE has been the subject of the following behavior:

• Created as a process on disk
• Executed as a Process
• Has code inserted into its Virtual Memory space by other programs
• Copied to multiple locations on the system
• Executed by Internet Explorer
• Deleted as a process from disk
• Terminated as a Process
• Created as a new Background Service on the machine
• Downloaded from covert web sites without the user knowing
• Registered as a Dynamic Link Library File
• This process has been seen to have code injected by malicious programs
• Created by processes which appear to be checking for interception by security products
• Added as a Registry auto start to load Program on Boot up