Associated Malware Groups
The unsafe files using this name are associated with the malware group:
File Behavior
RUNDLL32.EXE has been seen to perform the following behavior:
- Writes to another Process's Virtual Memory (Process Hijacking)
- Executes a Process
- Injects code into other processes
- Creates new folders on the system
- This process creates other processes on disk
- Registers a Dynamic Link Library File
- This Process Deletes Other Processes From Disk
- Executes a Dynamic Link Library File as a process
- Executes Processes stored in Temporary Folders
- Changes to the file command map within the registry
- Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
- Makes outbound connections to other computers using NETBIOSOUT protocols
- Adds a Registry Key (RUNONCE) to auto start Programs on system start up
- Changes the Internet Explorer Home Page Settings
- Changes the Internet Explorer Search Page
- Uses a Registered MAPI
- Adds products to the system registry
- Adds a Winlogon Notification DLL to automatically load on system start up
- Disables the built-in Windows Firewall, enabling rogue processes to access the internet without your knowledge or permission
- Can communicate with other computer systems using HTTP protocols
- Deletes Links in the Start Menu
- Adds a new task to the Scheduled Task list
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Terminates Processes
- Modifies the Active Desktop Background
- Violates Prevx File Security Settings
- Enables an In Process Object/Server - Common with DLL Injections
- Creates a new Background Service on the machine
- Changes DNS server settings which could enable phishing/pharming attacks using web site redirection
- Modifies the system's Winsock LSP, which could allow control over all communications of the system
- Opens browser pop ups
- This Process is a file infector which modifies program files to include a copy of the infection
- Creates new folders in the file system
- Includes file creation code which could be used to test for interception by security products
- Copies files
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Visits web sites on your PC without you knowing
- Creation and Registration of a Browser Helper Object in Internet Explorer
- Creates system tray popups, messages, errors and security warnings
- Downloads hidden code from covert web sites
- Checks for the use of debuggers
- Uses DNS to retrieve the IP address for web sites
- Uses backdoor interfaces to certain security applications
- Uses hidden browser windows to connect to web sites without telling you
- Runs JavaScript code
- The Process is packed and/or encrypted using a software packing process
- Uses Instant Messaging to communicate without the user's knowledge
- Uses embedded Instant Message Channel Settings
- This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
- The Process is polymorphic and can change its structure
- Found on infected systems and resists interrogation by security products
RUNDLL32.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Copied to multiple locations on the system
- Executed by Internet Explorer
- Deleted as a process from disk
- Terminated as a Process
- Created as a new Background Service on the machine
- Downloaded from covert web sites without the user knowing
- Registered as a Dynamic Link Library File
- This process has been seen to have code injected by malicious programs
- Created by processes which appear to be checking for interception by security products
- Added as a Registry auto start to load Program on Boot up
Country Of Origin
The filename RUNDLL32.EXE was first seen on May 3 2007 in the following geographical regions of the Prevx community:
- on May 3 2007
- The United States on May 3 2007
- Turkey on May 16 2007
- The United Kingdom on Nov 16 2009
- Sweden on Nov 16 2009
- Lithuania on Mar 16 2010
Filesizes
The following file sizes have been seen:
- 147,456 bytes
- 33,280 bytes
- 104,448 bytes
- 417,792 bytes
- 58,368 bytes
File Type
The filename RUNDLL32.EXE refers to many versions of an executable program.