Prevx Research Division
NOTEPAD.EXE
Malicious SoftwareFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove NOTEPAD.EXE.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Malicious Software
- Malware Downloader
- Worm
- Malware Dropper
File Behavior
NOTEPAD.EXE has been seen to perform the following behavior:
- Executes a Process
- Downloads program file(s) and other content from the web
- Injects code into other processes
- Performs DNS look ups to resolve URL IP addresses
- This process creates other processes on disk
- Registers a Dynamic Link Library File
- This Process Deletes Other Processes From Disk
- Copies files
- The Process is packed and/or encrypted using a software packing process
- Disables Access to the Windows Registry Editior
- Modifies Windows Security Policies to restrict/expand User Privileges on the machine
- Disables the Built in Windows System Restore Feature
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Writes to another Process's Virtual Memory (Process Hijacking)
- Creates or uses a background service to access the Internet using HTTP protocols
- Found on infected systems and resists interrogation by security products
- Executes Processes stored in Temporary Folders
- Can communicate with other computer systems using HTTP protocols
- Adds a Link in the Start Menu
- Automatically changes your firewall settings to allow itself or other programs to communicate over the internet
- Uses hidden browser windows to connect to web sites without telling you
NOTEPAD.EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Added as a Registry auto start to load Program on Boot up
- Has code inserted into its Virtual Memory space by other programs
- Executed from Temporary Folders
- Deleted as a process from disk
- Added as a Registry Key (RUNONCE) to auto start Programs on system start up
- Registered as a Dynamic Link Library File
- Added as a Registry Key (DXCOM) to auto start Programs on system start up
- Copied to multiple locations on the system
- Changes to the file command map within the registry
- Created by processes which appear to be checking for interception by security products
Country Of Origin
The filename NOTEPAD.EXE was first seen on May 26 2007 in the following geographical regions of the Webroot community:
- Netherlands on May 26 2007
- Saudi Arabia on Feb 22 2008
- on Feb 22 2008
- Spain on Oct 24 2008
- Thailand on Oct 24 2008
- Sweden on Oct 4 2009
- Turkey on Dec 15 2009
- The United Kingdom on Dec 15 2009
- The United States on Feb 3 2010
- India on Feb 3 2010
File Name Aliases
NOTEPAD.EXE can also use the following file names:
- CTFMON.EXE
- AVP.EXE
- CMD.EXE
- CSRSS.EXE
- LSASS.EXE
- MDM.EXE
- SERVICES.EXE
- SMSS.EXE
- SPOOLSV.EXE
- SYSTEM.EXE
- TASKMGR.EXE
- WIN32.EXE
- WIN.EXE
- DRWEB.EXE
- WINLOGON.EXE
- SVCHOST.EXE
- MDM .EXE
- USER.EXE
- DEBUG.EXE
- WIN16.EXE
- NVSVC32.EXE
- LOGIN.EXE
- WINAMP.EXE
- SETUP.EXE
- INSTALL .EXE
- WINLOGON .EXE
- LSASS .EXE
- INSTALL.EXE
- DRWEB .EXE
- NVSVC32 .EXE
- SERVICES .EXE
- SPOOLSV .EXE
- WIN .EXE
- CSRSS (1).EXE
- INSTALL (1).EXE
- SETUP (1).EXE
- CSRSS .EXE
- CMD .EXE
- SMSS .EXE
- NOTEPAD.EXE.TMP
- WINLGON.EXE
- NOTPAD.EXE
- PADEDIT.EXE
- NEW_SHORTCUT_S1296_27FE45838B0B45A4BD495E3A9D6F34DB.EXE
- AUTORUN.INF.EXE
- SOFT.EXE
- WORK05.EXE
- AUDIO.EXE
- DOWNDATA.EXE
- EBOOK.EXE
- IMAGES.EXE
- MAP.EXE
- (21-03-52).EXE
- THE HOUSE BUNNY.EXE
- BEVERLY HILLS CHIHUAHUA.EXE
- .EXE
- .EXE
- .EXE
- .EXE
- .EXE
- .EXE
- .EXE
- .EXE
- DEC.EXE
- ~.EXE
- MY MUSIC.EXE
- MUSIC.EXE
- .EXE
- .EXE
- .EXE
- NEW YEAR.EXE
- PIC.EXE
- .EXE
- .EXE
- PHO TO M3.EXE
- PRINT.EXE
- P H O T O W3.EXE
- WORD FILE.EXE
- RECYCLERS.EXE
- .EXE
- FOUND.000.EXE
- FOUND.002.EXE
- CARTOON.EXE
- FOUND.001.EXE
- INFORMATION.EXE
- DATA.EXE
- I-M-P-O-R-T-A-N-T.EXE
- P-R-O-J-E-C-T.EXE
- GAO.EXE
- PHOTO.EXE
- ADJUSTED.EXE
- NT-B6040F1C.EXE
- NEW FOLDER.EXE
- .EXE
- .EXE
- NT-690C2B37.EXE
- KHUN.EXE
- HITS.EXE
- KENNY G.EXE
- .EXE
- CHABA.EXE
- .EXE
- SONG.EXE
- .EXE
- COWBOY 8-11-51.EXE
- งานกลุ่ม.EXE
- ANTI_HANDY_DRIVE_VIRUS.EXE
- สแกนใหม่.EXE
- ESET ANTIVIRUS 3.EXE
- NERO 8 ULTRA EDITION 8.EXE
- ADOBE PHOTOSHOP CS2 V9.EXE
- AHDV_VIRUS.EXE
- A1BEBF.EXE
- 2552.EXE
- 27-28 ..51.EXE
- BEC955.EXE
- D40B9E.EXE
- B4DFD8.EXE
- DE4BD5.EXE
- NT-9AD01AAA.EXE
- DCIM.EXE
- ปกต่าง ๆ.EXE
- .EXE
- RECYCLER.EXE
- .EXE
- .EXE
- SBFORM.EXE
- CHALERMPOL.EXE
- D94D01.EXE
- CQ40.EXE
- B6346A.EXE
- F77940.EXE
- D1749C.EXE
- MP3.EXE
- A33515.EXE
- A4C330.EXE
- 7A219C.EXE
- 943172.EXE
- 00059551.EXE
Filesizes
The following file size has been seen:
- 69,632 bytes
- 32,260 bytes
- 225,647 bytes
- 56,309 bytes
- 53,248 bytes
- 1,515,564 bytes
- 179,712 bytes
File Type
The filename NOTEPAD.EXE refers to many versions of an executable program.
File Activity
One or more files with the name NOTEPAD.EXE creates, deletes, copies or moves the following files and folders:
- create folder C:\WINDOWS\system32\C472AE
- create folder C:\WINDOWS\system32\EBD64B
- create folder C:\WINDOWS\system32\77FD96
- Creates c:\docume~1\user\locals~1\temp\e_4\krnln.fnr
- Creates c:\docume~1\user\locals~1\temp\e_4\shell.fne
- Creates c:\docume~1\user\locals~1\temp\e_4\eAPI.fne
- Creates c:\docume~1\user\locals~1\temp\e_4\internet.fne
- Creates c:\docume~1\user\locals~1\temp\e_4\spec.fne
- Creates c:\docume~1\user\locals~1\temp\e_4\RegEx.fnr
- Creates c:\docume~1\user\locals~1\temp\e_4\dp1.fne
- Creates c:\docume~1\user\locals~1\temp\e_4\com.run
- Creates c:\windows\system32\c472ae\76CCDA.EXE
- Creates c:\windows\system32\77fd96\2aeb.inf
- Creates c:\windows\system32\77fd96\4b27.inf
- Creates c:\windows\system32\77fd96\4b27.EDT
- Deletes c:\documents and settings\user\cookies\index.dat
- Deletes c:\documents and settings\user\local settings\temporary internet files\content.ie5\2tq7qjuj\desktop.ini
- Deletes c:\documents and settings\user\local settings\temporary internet files\content.ie5\8n0lab2n\desktop.ini
- Deletes c:\documents and settings\user\local settings\temporary internet files\content.ie5\desktop.ini
- Deletes c:\documents and settings\user\local settings\temporary internet files\content.ie5\index.dat
- Deletes c:\documents and settings\user\local settings\temporary internet files\content.ie5\orsry9kf\desktop.ini
- Deletes c:\documents and settings\user\local settings\temporary internet files\desktop.ini
- Deletes c:\documents and settings\user\local settings\history\history.ie5\index.dat
- Deletes c:\documents and settings\user\local settings\history\history.ie5\mshist012009033020090331\index.dat
- Copies filec:\docume~1\user\locals~1\temp\e_4\com.run to c:\windows\system32\ebd64b\com.run
- Copies filec:\docume~1\user\locals~1\temp\e_4\dp1.fne to c:\windows\system32\ebd64b\dp1.fne
- Copies filec:\docume~1\user\locals~1\temp\e_4\eAPI.fne to c:\windows\system32\ebd64b\eAPI.fne
- Copies filec:\docume~1\user\locals~1\temp\e_4\internet.fne to c:\windows\system32\ebd64b\internet.fne
- Copies filec:\docume~1\user\locals~1\temp\e_4\krnln.fnr to c:\windows\system32\ebd64b\krnln.fnr
- Copies filec:\docume~1\user\locals~1\temp\e_4\RegEx.fnr to c:\windows\system32\ebd64b\RegEx.fnr
- Copies filec:\docume~1\user\locals~1\temp\e_4\shell.fne to c:\windows\system32\ebd64b\shell.fne
- Copies filec:\docume~1\user\locals~1\temp\e_4\spec.fne to c:\windows\system32\ebd64b\spec.fne
- Creates c:\documents and settings\user\start menu\programs\startup\.lnk
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.