• The UNITED KINGDOM on Feb 11 2008
• INDIA on Feb 11 2008
• POLAND on May 12 2008
• SPAIN on Apr 16 2008
• SINGAPORE on Sep 25 2007
• RUSSIAN FEDERATION on Sep 25 2007
• The UNITED STATES on Sep 3 2007
• PAKISTAN on Sep 3 2007

The most common file size is 88,035 bytes. But the following file sizes have also been seen:

• 119,808 bytes
• 98,304 bytes
• 155,136 bytes
• 122,880 bytes
• 68,812 bytes
• 66,751 bytes

The filename is associated with the malware group KAVKOP:Trojan-A.Some files using the name NTDE1ECT.COM are also associated with the malware groups:

• Obfustat.VJZ
• Generic8.WML
• Trojan.Downloader

These files may have the following Vendor, Product, Version Information in the file header Microsoft Corporation; Command Line Help Utility; 5.1.2600.0

• The following Vendor, Product, Version Information has also been reported:

NTDE1ECT.COM has been seen to perform the following behavior(s):

• The Process is packed and/or encrypted using a software packing process
• This Process Creates Other Processes On Disk
• This Process Deletes Other Processes From Disk
• Registers a Dynamic Link Library File
• Executes a Process
• Injects code into other processes
• Looks at the contents of the autoexec.bat file
• Reads email address and phone book details
• Uses DNS to retrieve the IP address for web sites
• Visits web sites without the user knowing
• Adds a Registry Key (RUN) to auto start Programs on system start up
• Writes to another Process's Virtual Memory (Process Hijacking)
• Copies files
• This Process is a file infector which modifies program files to include a host a copy of the infection
• Modifies Windows Security Policies to restrict/expand User Privlidges on the machine
• Changes Windows Firewall Control Settings to allow itself to communicate with other computers
• Adds Products to the system registry
• Creates a new Background Service on the machine
• Disables the use of Safe Mode
• The Process is polymorphic and can change its structure
• Loads and Executes a System Driver File
• Modifies the Windows Host File which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
• The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
• Terminates Processes
• Modifies Windows Initialization And System Settings Used On Start up

NTDE1ECT.COM has been the subject of the following behavior(s):

• Added as a Registry auto start to load Program on Boot up
• Executed as a Process
• Copied to multiple locations on the system
• Deleted as a process from disk
• Created as a process on disk
• Has code inserted into its Virtual Memory space by other programs
• Terminated as a Process
• Executed by Internet Explorer
• Executed from Temporary Folders

NTDE1ECT.COM can also use the following file names:

• AVPO.EXE
• DPTREI~1.EXE
• DPTRMOQWSI-987.PMS.COM
• ABF9C3994B1B872F2903442BC577792E.EXE
• DPTRMO~1.COM
• DPTRNAYLXW-110.PMS.COM
• 72912261.SVD
• DPTRESWYUB-667.PMS.EXE
• DPTRES~1.EXE
• 81005572.SVD
• MGG.EXE
• 35954055.DAT
• HELP.EXE
• HELP[1].EXE
• HELP.EXE.TMP
• 37902172.COM
• 05294779.EXE
• 25785794.COM
• MGG[1].EXE
• 25-09-07/AVPO.EXE
• 33649559.COM
• 23212195.EXE
• 12323324.EXE
• 13395477.COM
• 07316302.EXE
• 14590465.EXE
• 79912697.DAT
• 26269357.COM
• 26446671.EXE
• 20897801.EXE
• 11591438.COM
• 79567214.DAT
• 02019657.COM
• A0016209.COM
• A0016249.COM
• A0016272.COM
• A0016295.COM
• A0016319.COM
• 21475593.EXE
• 22934478.COM
• 00086882.COM
• 00013580.COM
• 00088651.COM
• 00015084.COM
• 00004609.COM
• 00000185.COM
• 33830891.EXE
• 76767142.EXE
• 26096283.EXE
• DPTRMR~1.EXE