What you should do about :

Your PC may be infected. The presence of a file called is a possible sign of infection.

You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including . Don't take the risk, check your PC now.

Download Prevx CSI Now

What we know about :

The filename was first seen on Sep 4 2007 in The EUROPEAN UNION. It has also been seen in the following geographical regions of the Prevx community:

  • SPAIN on Sep 28 2007
  • NETHERLANDS on Jul 18 2008
  • SERBIA AND MONTENEGRO on Sep 4 2007
  • BAHAMAS on Sep 28 2007
The filename refers to many versions of an executable program.

The most common file size is 593,920 bytes. But the following file sizes have also been seen:

  • 76,288 bytes
  • 59,392 bytes
  • 30,208 bytes
  • 16,889,958 bytes
  • 77,824 bytes
  • 303,104 bytes

The unsafe files using this name are associated with the malware group Trojan.ModalDigits.Some files using the name are also associated with the malware groups:
  • Trojan.Downloader
  • pchealthcenter:Spyware-a
  • BACKDOOR.HUPIGON.YBO

These files may have the following Vendor, Product, Version Information in the file header

  • The following Vendor, Product, Version Information has also been reported:
 Picaso Ltd; ; 0, 0, 0, 177 Microsoft; ; 1.00

has been seen to perform the following behavior(s):

  • The Process is packed and/or encrypted using a software packing process
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • Can communicate with other computer systems using HTTP protocols
  • Executes Processes stored in Temporary Folders
  • This Process Creates Other Processes On Disk
  • Executes a Process
  • This Process Deletes Other Processes From Disk
  • Registers a Dynamic Link Library File
  • Creates a new Background Service on the machine
  • Looks at the contents of the autoexec.bat file
  • Reads email address and phone book details
  • Uses DNS to retrieve the IP address for web sites
  • Visits web sites on your PC without you knowing
  • The Process is polymorphic and can change its structure
  • Opens browser pop ups
  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • Creates system tray popups, messages, errors and security warnings
  • The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents

has been the subject of the following behavior(s):

  • Created as a process on disk
  • Executed as a Process
  • Has code inserted into its Virtual Memory space by other programs
  • Deleted as a process from disk
  • This program is often downloaded from the web
  • Registered as a Dynamic Link Library File
  • Downloaded from covert web sites without the user knowing
  • Executed from Temporary Folders
  • Copied to multiple locations on the system
  • Added as a Registry auto start to load Program on Boot up

can also use the following file names:

  • 29178831.DAT
  • 57638334.DAT
  • 61936042.DAT
  • 40491573.SVD
  • YESETUP[1].EXE
  • 49992775.EXE
  • YESETUP.EXE
  • WINSHOW[1].EXE
  • 119EDJ.EXE
  • 96924185.SVD
  • 7K8K3PC8.EXE
  • 60N8I9GG.EXE
  • SYS11.EXE
  • SYS6.EXE
  • 56434596.SVD
  • ZXRALND.TMP
  • SYS34.EXE
  • SYSC8.EXE
  • SYS1CD.EXE
  • SYS1C.EXE
  • SYS18.EXE
  • SYS25.EXE
  • SYS83.EXE
  • 76321512.EXE
  • MSCD.EXE
  • 99426645.SVD
  • CSIBD.TMP
  • MASTEROFDEFENSE.EXE
  • 14450086.EXE

Virus, Spyware & Malware Center