File Investigation Report
WABMIG.EXE
WormPC Cleanup in 3 Easy Steps
Use Prevx 3.0 to remove WABMIG.EXE, along with any other viruses, spyware, adware, trojans, rootkits, worms, information stealers, keyloggers, bots, and other form of malicious threat that may reside on your PC.
- Think your PC might be Infected? Scan Now Prevx 3.0 will scan your PC in seconds to inform you whether your PC is clean or infected.
- Malware Removal Prevx 3.0 removes adware infections for free. More complicated infections require purchase of a malware removal license.
- Expert Assistance In the rare occurence that Prevx 3.0 malware removal fails - a Prevx Engineer will connect to your PC and manually disinfect.
- Money Back Guarantee for Individual Users If within the first 14 days, the Prevx Engineer finds it impossible to clean an infection from your PC, we give you your money back.
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Worm
- Malicious Software
File Behavior
WABMIG.EXE has been seen to perform the following behavior:
- This Process is a file infector which modifies program files to include a copy of the infection
- Registers a Dynamic Link Library File
- Executes a Process
- This process creates other processes on disk
- Looks at the contents of the autoexec.bat file
- Opens browser pop ups
- Uses DNS to retrieve the IP address for web sites
- The Process is packed and/or encrypted using a software packing process
- Reads email address and phone book details
- The Process is polymorphic and can change its structure
- This Process Deletes Other Processes From Disk
- Creates system tray popups, messages, errors and security warnings
WABMIG.EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Copied to multiple locations on the system
- This Process may have been infected by a file infecting virus
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
Country Of Origin
The filename WABMIG.EXE was first seen on Aug 30 2007 in the following geographical regions of the Prevx community:
- SPAIN on Aug 30 2007
- The UNITED KINGDOM on Aug 30 2007
- The UNITED STATES on Mar 16 2008
- VIET NAM on Nov 8 2009
File Name Aliases
WABMIG.EXE can also use the following file names:
- !I!WABMIG.EXE
- 60992334.EXE
- 08781797.EXE
- 95899845.SVD
Filesizes
The following file size has been seen:
- 1,318,912 bytes
- 50,176 bytes
- 91,136 bytes
- 144,384 bytes
- 27,648 bytes
- 87,552 bytes
File Type
The filename WABMIG.EXE refers to many versions of an executable program.
File Activity
One or more files with the name WABMIG.EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\windows\system32\magnify.ivr
- Copies filec:\windows\system32\magnify.ivr to c:\windows\system32\magnify.exe
- Deletes c:\windows\system32\magnify.ivr
- Creates c:\windows\system32\narrator.ivr
- Copies filec:\windows\system32\narrator.ivr to c:\windows\system32\narrator.exe
- Deletes c:\windows\system32\narrator.ivr
- Creates c:\windows\system32\osk.ivr
- Copies filec:\windows\system32\osk.ivr to c:\windows\system32\osk.exe
- Deletes c:\windows\system32\osk.ivr
- Creates c:\windows\system32\utilman.ivr
- Copies filec:\windows\system32\utilman.ivr to c:\windows\system32\utilman.exe
- Deletes c:\windows\system32\utilman.ivr
- Creates c:\program files\outlook express\wab.ivr
- Copies filec:\program files\outlook express\wab.ivr to c:\program files\outlook express\wab.exe
- Deletes c:\program files\outlook express\wab.ivr
- Creates c:\program files\windows media player\wmplayer.ivr
- Copies filec:\program files\windows media player\wmplayer.ivr to c:\program files\windows media player\wmplayer.exe
- Deletes c:\program files\windows media player\wmplayer.ivr
- Creates c:\windows\system32\notepad.ivr
- Copies filec:\windows\system32\notepad.ivr to c:\windows\system32\notepad.exe
- Deletes c:\windows\system32\notepad.ivr
- Creates c:\windows\system32\mobsync.ivr
- Copies filec:\windows\system32\mobsync.ivr to c:\windows\system32\mobsync.exe
- Deletes c:\windows\system32\mobsync.ivr
- Creates c:\windows\system32\tourstart.ivr
- Copies filec:\windows\system32\tourstart.ivr to c:\windows\system32\tourstart.exe
- Deletes c:\windows\system32\tourstart.ivr
- Creates c:\program files\outlook express\msimn.ivr
- Copies filec:\program files\outlook express\msimn.ivr to c:\program files\outlook express\msimn.exe
- Deletes c:\program files\outlook express\msimn.ivr
- Creates c:\windows\system32\rcimlby.ivr
- Copies filec:\windows\system32\rcimlby.ivr to c:\windows\system32\rcimlby.exe
- Deletes c:\windows\system32\rcimlby.ivr
- Creates c:\windows\system32\accwiz.ivr
- Copies filec:\windows\system32\accwiz.ivr to c:\windows\system32\accwiz.exe
- Deletes c:\windows\system32\accwiz.ivr
- Creates c:\windows\system32\calc.ivr
- Copies filec:\windows\system32\calc.ivr to c:\windows\system32\calc.exe
- Deletes c:\windows\system32\calc.ivr
- Creates c:\program files\windows nt\hypertrm.ivr
- Copies filec:\program files\windows nt\hypertrm.ivr to c:\program files\windows nt\hypertrm.exe
- Deletes c:\program files\windows nt\hypertrm.ivr
- Creates c:\windows\system32\rundll32.ivr
- Copies filec:\windows\system32\rundll32.ivr to c:\windows\system32\rundll32.exe
- Deletes c:\windows\system32\rundll32.ivr
- Creates c:\windows\system32\mstsc.ivr
- Copies filec:\windows\system32\mstsc.ivr to c:\windows\system32\mstsc.exe
- Deletes c:\windows\system32\mstsc.ivr
- Creates c:\windows\system32\sndrec32.ivr
- Copies filec:\windows\system32\sndrec32.ivr to c:\windows\system32\sndrec32.exe
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.