Associated Malware Groups
The filename is associated with the malware groups:
- Malicious Software
- Cloaked Malware
- Worm
File Behavior
ZZ[n].EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Executes a Process
- This Process Creates Other Processes On Disk
- This Process Deletes Other Processes From Disk
- Copies files
- Registers a Dynamic Link Library File
- Creates a new Background Service on the machine
- Enables an In Process Object/Server - Common with DLL Injections
ZZ[n].EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Executed from Temporary Folders
- Has code inserted into its Virtual Memory space by other programs
- This program is often downloaded from the web
Country Of Origin
The filename ZZ[n].EXE was first seen on Aug 20 2008 in the following geographical regions of the Prevx community:
- The EUROPEAN UNION on Aug 20 2008
- The UNITED KINGDOM on Sep 27 2008
- BRAZIL on Sep 28 2008
- SPAIN on Sep 28 2008
File Name Aliases
ZZ[n].EXE can also use the following file names:
- ZZ[1].EXE
- 92072514.DAT
- ZZ.EXE
- NOD166.TMP
- TRU7.TMP
- NODB.TMP
- NOD8.TMP
- 75025061.DAT
- 16053868.TXT
- 18045703.DAT
- 84247166.DAT
Filesizes
The following file sizes have been seen:
- 126,464 bytes
- 121,856 bytes
- 125,952 bytes
- 125,440 bytes
Vendor, Product and Version Information
These files have no vendor, product or version information specified in the file header.
File Type
The filename ZZ[n].EXE refers to many versions of an executable program.
File Activity
One or more files with the name ZZ[n].EXE create, delete, copy or move the following files and folders:
- Creates c:\windows\1.exe
- Creates c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\kavo.exe
- Copies file c:\windows\1.exe to c:\windows\system32\kavo.exe
- Deletes c:\windows\system32\kavo0.dll
- Creates c:\windows\system32\kavo0.dll
- Deletes c:\windows\1.ex
- Deletes c:\fn20.ex
- Copies file c:\windows\system32\kavo.exe to c:\fn20.ex
- Deletes c:\autorun.in
- Creates c:\autorun.in
- Deletes d:\fn20.ex
- Copies file c:\windows\system32\kavo.exe to d:\fn20.ex
- Deletes d:\autorun.in
- Creates d:\autorun.in
- Deletes c:\docume~1\user\locals~1\temp\zz.rar
- Opens/modifies c:\autoexec.bat
- Moves c:\docume~1\user\locals~1\temp\zz.exe to c:\docume~1\user\locals~1\temp\nod11E.tmp
- Deletes c:\windows\system32\kavo1.dll
- Creates c:\windows\system32\kavo1.dll
Registry Activity
One or more files with the name ZZ[n].EXE create or modify the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kava C:\WINDOWS\system32\kavo.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun [REG_DWORD, value: 00000091]
Website Activity
One or more files with the name ZZ[n].EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1088 Port:17
- Port 80 IP:61.162.230.86
- TCP:127.0.0.1:1091 Port:17