Prevx Research Division
GPASS-3.4.4.EXE
WormFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove GPASS-3.4.4.EXE.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The unsafe files using this name are associated with the malware group:
- Worm
File Behavior
GPASS-3.4.4.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- The Process is polymorphic and can change its structure
- Executes a Process
- Registers a Dynamic Link Library File
- Creates system tray popups, messages, errors and security warnings
- Registers or amends SMTP Mail Servers on the public internet
- Can communicate with other computer systems using HTTP protocols
- Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
GPASS-3.4.4.EXE has been the subject of the following behavior:
- Created as a process on disk
- Deleted as a process from disk
- Executed as a Process
- Registered as a Dynamic Link Library File
Country Of Origin
The filename GPASS-3.4.4.EXE was first seen on Apr 21 2008 in the following geographical region of the Webroot community:
- Iran, Islamic Republic of on Apr 21 2008
Filesizes
The following file size has been seen:
- 1,407,528 bytes
- 1,402,880 bytes
- 1,443,880 bytes
File Type
The filename GPASS-3.4.4.EXE refers to many versions of an executable program.
File Activity
One or more files with the name GPASS-3.4.4.EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\docume~1\user\locals~1\temp\xxx999.ht
- Deletes c:\docume~1\user\locals~1\temp\xxx999.ht
- Creates c:\docume~1\user\locals~1\temp\xxx999.ra
- Deletes c:\docume~1\user\locals~1\temp\xxx999.ra
- Creates c:\docume~1\user\locals~1\temp\xxx999.mo
- Deletes c:\docume~1\user\locals~1\temp\xxx999.mo
- Creates c:\docume~1\user\locals~1\temp\xxx999.sw
- Deletes c:\docume~1\user\locals~1\temp\xxx999.sw
- Creates c:\docume~1\user\locals~1\temp\xxx999.ns
- Deletes c:\docume~1\user\locals~1\temp\xxx999.ns
- Creates c:\docume~1\user\locals~1\temp\xxx999.jc
- Deletes c:\docume~1\user\locals~1\temp\xxx999.jc
- Opens/modifes c:\autoexec.bat
Network Activity
One or more files with the name GPASS-3.4.4.EXE performs the following network events:
- Pings: 207.46.232.182
- Pings: 125.225.23.202
- DNS name server29.186.142.200
- DNS name server09.236.200.12
- DNS name server41.106.32.6
- DNS name server34.224.1.29
- DNS name server52.15.47.129
- DNS name server40.233.1.4
- DNS name server46.189.192.130
- DNS name server31.96.1.6
- DNS name server52.36.64.244
- DNS name server44.38.1.2
Website Activity
One or more files with the name GPASS-3.4.4.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:129.186.142.200:53 Port:21
- TCP:209.236.200.12:53 Port:21
- TCP:141.106.32.6:53 Port:21
- TCP:134.224.1.29:53 Port:22
- TCP:152.15.47.129:53 Port:22
- TCP:140.233.1.4:53 Port:22
- TCP:146.189.192.130:53 Port:22
- TCP:131.96.1.6:53 Port:22
- TCP:152.36.64.244:53 Port:22
- TCP:127.0.0.1:1114 Port:23
- TCP:127.0.0.1:1115 Port:23
- TCP:127.0.0.1:1116 Port:22
- TCP:144.38.1.2:53 Port:21
- TCP:152.36.64.244:53 Port:21
- Port 80 IP:72.14.207.99
- TCP:122.126.75.22:8080 Port:22
- TCP:61.231.249.79:8080 Port:22
- TCP:125.225.23.202:8080 Port:22
- TCP:61.231.105.210:8080 Port:23
- TCP:61.216.15.81:8080 Port:23
- TCP:71.250.43.92:8080 Port:23
- TCP:220.138.97.129:8080 Port:23
- TCP:61.216.11.251:8080 Port:23
- TCP:125.225.23.202:8080 Port:23
- TCP:127.0.0.1:8000 Port:22
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.