File Investigation Report
3.EXECloaked Malware
Your PC may be infected. The presence of a file called 3.EXE is a possible sign of infection.
You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including 3.EXE. Don't put your confidential data, or your identity at risk, check your PC now with Prevx CSI.
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Cloaked Malware
- Malware Downloader
- Spyware
File Behavior
3.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Writes to another Process's Virtual Memory (Process Hijacking)
- Can communicate with other computer systems using HTTP protocols
- Executes Processes stored in Temporary Folders
- This Process Creates Other Processes On Disk
- Executes a Process
- This Process Deletes Other Processes From Disk
- Registers a Dynamic Link Library File
- Creates a new Background Service on the machine
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Uses DNS to retrieve the IP address for web sites
- Visits web sites on your PC without you knowing
- The Process is polymorphic and can change its structure
- Opens browser pop ups
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Creates system tray popups, messages, errors and security warnings
- Modifies System Runtime Policies to limit system usability
3.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
- This program is often downloaded from the web
- Registered as a Dynamic Link Library File
- Downloaded from covert web sites without the user knowing
- Executed from Temporary Folders
- Copied to multiple locations on the system
- Added as a Registry auto start to load Program on Boot up
- Terminated as a Process
Country Of Origin
The filename 3.EXE was first seen on Sep 4 2007 in the following geographical regions of the Prevx community:
- The EUROPEAN UNION on Sep 4 2007
- SERBIA AND MONTENEGRO on Sep 4 2007
- BAHAMAS on Sep 28 2007
- SPAIN on Sep 28 2007
- NETHERLANDS on Nov 20 2007
- URUGUAY on Oct 7 2008
File Name Aliases
3.EXE can also use the following file names:
- 29178831.DAT
- 57638334.DAT
- 61936042.DAT
- 40491573.SVD
- YESETUP[1].EXE
- 49992775.EXE
- YESETUP.EXE
- WINSHOW[1].EXE
- 119EDJ.EXE
- 96924185.SVD
- 7K8K3PC8.EXE
- 60N8I9GG.EXE
- SYS11.EXE
- SYS6.EXE
- 56434596.SVD
- ZXRALND.TMP
- SYS34.EXE
- SYSC8.EXE
- SYS1CD.EXE
- SYS1C.EXE
- SYS18.EXE
- SYS25.EXE
- SYS83.EXE
- MASTEROFDEFENSE.EXE
- 14450086.EXE
- ZYNDLE080831.EXE
- 75150026.EXE
- 94215555.EXE
Filesizes
The following file size has been seen:
- 76,288 bytes
- 59,392 bytes
- 30,208 bytes
- 16,889,958 bytes
- 77,824 bytes
- 31,892 bytes
- 70,632 bytes
- 70,271 bytes
Vendor, Product and Version Information
Files with the name 3.EXE have been seen to have the following Vendor, Product and Version Information in the file header:
- Picaso Ltd; ; 0, 0, 0, 177
- Microsoft; ; 1.00
- NirSoft; Internet Explorer Passwords Viewer; 1.06
File Type
The filename 3.EXE refers to many versions of an executable program.
File Activity
One or more files with the name 3.EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\windows\system32\789fe993be.dll
- Opens/modifes c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\QMWALFAGEEQ.exe
- Deletes c:\docume~1\user\locals~1\temp\install.exe
- Deletes c:\docume~1\user\locals~1\temp\QMWALFAGEEQ.zbc
- Deletes c:\docume~1\user\locals~1\temp\QMWALFAGEEQ.exe
- Creates c:\windows\system32\oobe\wmiprvse.exe
- create folder C:\WINDOWS\system32\oobe\2317
- Deletes c:\windows\system32\oobe\2317\svchost.exe
- Creates c:\windows\system32\oobe\2317\svchost.exe
- Deletes c:\windows\system32\oobe\vwwzkwbiye.dll
- Creates c:\windows\system32\oobe\vwwzkwbiye.dll
- Creates c:\windows\f58f6b84c0.dll
- Creates c:\docume~1\user\locals~1\temp\$$306609.bat
- Deletes c:\docume~1\user\locals~1\temp\$$306609.bat
Registry Activity
One or more files with the name 3.EXE creates or modifies the following registry keys and values:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\WINDOWS\system32\oobe\2317\svchost.exe C:\WINDOWS\system32\oobe\2317\svchost.exe:*:Enabled:svchost
Network Activity
One or more files with the name 3.EXE performs the following network events:
- DNS Lookup59.60.30.216 udp.hjob123.com
Website Activity
One or more files with the name 3.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:59.60.30.216:31890 Port:13
- TCP:127.0.0.1:1096 Port:16
- Port 80 IP:59.60.30.210
- www .qqhudong .cn / usersetup .asp?action=027B04E05BE9C3AD11EFF8364C0F7008436CB1B5107441BBC136545931684A0BDF4DD741245DB1256C8ADF1A18A827E643FB175282FC3D4B
- www .qqhudong .cn / usersetup .asp?action=6D663F4F2B2AC7480D4710CBFE9572147B8AC3CD9F5C6F6D622F0718CBE973ABBD20504A221AF1E32F75EF5EF5AD3F2D843CE41840DF8BBFA8EC05EB4ED5E1E4F41D3930173DE686BDA27E22232B6796EFDC24927BC7BEB62988B8122854E74BAA8E59BD69BA7F58204C
- TCP:59.60.30.216:31890 Port:13
- TCP:59.60.30.216:31890 Port:18