Prevx Research Division
C.EXE
System Back DoorFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove C.EXE.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- System Back Door
- Cloaked Malware
- Malware Downloader
- Malicious Software
File Behavior
C.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Adds products to the system registry
- Writes to another Process's Virtual Memory (Process Hijacking)
- Executes a Process
- Adds a Registry Key (RUN) to auto start Programs on system start up
- This process creates other processes on disk
- This Process Deletes Other Processes From Disk
- Can communicate with other computer systems using HTTP protocols
- Registers a Dynamic Link Library File
- Copies files
- Creates or uses a background service to access the Internet using HTTP protocols
- Injects code into other processes
- Removes Scheduled Tasks from the Windows task queue
- Performs DNS look ups to resolve URL IP addresses
- Creates a new Background Service on the machine
- Uses DNS to retrieve the IP address for web sites
- Found on infected systems and resists interrogation by security products
- Registers or amends SMTP Mail Servers on the public internet
- Looks at the contents of the autoexec.bat file
- Uses low level raw disk access which could bypass security applications and checks
- Reads email address and phone book details
- Creates a TCP port which listens and is available for communication initiated by other computers
C.EXE has been the subject of the following behavior:
- Added as a Registry auto start to load Program on Boot up
- Executed from Temporary Folders
- Executed as a Process
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Registered as a Dynamic Link Library File
- Copied to multiple locations on the system
- Created as a new Background Service on the machine
- Deleted as a process from disk
- This program is often downloaded from the web
Country Of Origin
The filename C.EXE was first seen on May 14 2007 in the following geographical regions of the Webroot community:
- The United States on May 14 2007
- Canada on May 14 2007
- Spain on Oct 19 2007
- Uruguay on Jul 7 2008
- Romania on Jul 7 2008
- Europe on Oct 14 2009
- The United Kingdom on Oct 14 2009
- Mexico on Nov 18 2009
- Philippines on May 22 2012
File Name Aliases
C.EXE can also use the following file names:
- UNLEO.EXE
- ORVOM.EXE
- KPLOE.EXE
- CFZCO.EXE
- EZFIM.EXE
- ASSEE.EXE
- MBTIQ.EXE
- CCMKG.EXE
- ABPIA.EXE
- WBJYW.EXE
- MSIIK.EXE
- UAKYE.EXE
- SNLWI.EXE
- YQCIO.EXE
- CKSQO.EXE
- KDPAO.EXE
- UDDGI.EXE
- AFXEC.EXE
- SDRCC.EXE
- WRXYO.EXE
- EGIAY.EXE
- WSKKO.EXE
- UUUAA.EXE
- GBRKE.EXE
- QCUAW.EXE
- MAWUE.EXE
- OOACG.EXE
- USYKO.EXE
- MAMAY.EXE
- ORTCW.EXE
- OFRGQ.EXE
- GHHKM.EXE
- SPLAM.EXE
- YCIMS.EXE
- KKQAG.EXE
- CXXGM.EXE
- GIOOE.EXE
- KWAYC.EXE
- OSCQA.EXE
- UTRIE.EXE
- OBFEA.EXE
- AGYAQ.EXE
- UBZYQ.EXE
- IGSSY.EXE
- IWCQM.EXE
- KVHYQ.EXE
- IIYEK.EXE
- EKESK.EXE
- EDZWQ.EXE
- SXHOK.EXE
- EAQOA.EXE
- MKMUM.EXE
- YSWAC.EXE
- CXTCG.EXE
- QPNIM.EXE
- QHRQA.EXE
- IQCIU.EXE
- YKKYU.EXE
- EVPEU.EXE
- UFZUK.EXE
- ISUIW.EXE
- AUEOC.EXE
- QFLMO.EXE
- YIWQG.EXE
- UVJUC.EXE
- INSTALLERS (n).EXE
- TEST.EXE
- MRG-0752..EXE
- WRDRIVE32.EXE
- CKGCG.EXE
- KQQKK.EXE
- UWMUK.EXE
- QRHQI.EXE
- UZJUC.EXE
- SFNSO.EXE
- QUEQA.EXE
- EECEU.EXE
- MYKAA.EXE
- OBTOW.EXE
- GIOGQ.EXE
- USMUK.EXE
- OLNOG.EXE
- QSWQU.EXE
- MNJIQ.EXE
- MIEMS.EXE
- KGAGC.EXE
- OUSKE.EXE
- CVLYA.EXE
- EFVAG.EXE
- WDLSC.EXE
- YHLYW.EXE
- WACWI.EXE
- IGSEG.EXE
- ICSEG.EXE
- WDDWA.EXE
- GVJCS.EXE
- QICQK.EXE
- UWUUM.EXE
- MSAA.EXE
- MSAB.EXE
- MSAC.EXE
- MSAD.EXE
- MSAE.EXE
- MSAF.EXE
- MSAG.EXE
- MSAH.EXE
- MSAI.EXE
- MSAJ.EXE
- MSAK.EXE
- MSAL.EXE
- MSAM.EXE
- MSAN.EXE
- MSAO.EXE
- MSAP.EXE
- MSAQ.EXE
- MSAR.EXE
- MSAS.EXE
- MSAT.EXE
- MSAU.EXE
- MSAV.EXE
- MSAW.EXE
- MSAX.EXE
- MSAY.EXE
- MSAZ.EXE
- MSA0.EXE
- MSB5.EXE
- MSB6.EXE
- MSB7.EXE
- MSB8.EXE
- MSB9.EXE
- MSCA.EXE
- MSCB.EXE
- MSCC.EXE
- MSCD.EXE
- MSCE.EXE
- MSCF.EXE
- MSCG.EXE
- MSCH.EXE
- MSCI.EXE
- MSCJ.EXE
- MSCK.EXE
- MSCL.EXE
- MSCM.EXE
- MSCN.EXE
- MSCO.EXE
- MSCP.EXE
- MSCR.EXE
- MSCS.EXE
- MSCQ.EXE
- MSCT.EXE
- MSCU.EXE
- MSCV.EXE
- MSCW.EXE
- MSCX.EXE
- SOOO5[n].EXE
- MSD8.EXE
- MSG.EXE
- MSH.EXE
- MSI.EXE
- MSJ.EXE
- MSK.EXE
- MSL.EXE
- MSM.EXE
- MSN.EXE
- MSO.EXE
- MSP.EXE
- MSQ.EXE
- MSR.EXE
- MSS.EXE
- MST.EXE
- MSU.EXE
- MSV.EXE
- MSW.EXE
- MSX.EXE
- MSY.EXE
- MSZ.EXE
- MSA.EXE
- MSB.EXE
- MSC.EXE
- MSD.EXE
- MSE.EXE
- MSF.EXE
- SOOO5.EXE
- 1[1].EXE
- D.EXE
- F.EXE
- I.EXE
- L.EXE
- 1.TMP
- 19.TMP
- 1B.TMP
- QG.EXE
- 64DA.EXE
- M1|1_006.EXE
- M4|80929916.EXE
- M4|90281978.EXE
- MS0.EXE
- MS1.EXE
- MS2.EXE
- MS3.EXE
- MS4.EXE
- MS5.EXE
- MS6.EXE
- MS7.EXE
- MS8.EXE
- MS9.EXE
Filesizes
The following file size has been seen:
- 90,624 bytes
- 51,200 bytes
- 175,616 bytes
- 731,734 bytes
- 165,888 bytes
- 29,184 bytes
- 22,829 bytes
- 141,312 bytes
- 23,040 bytes
File Type
The filename C.EXE refers to many versions of an executable program.
Network Activity
One or more files with the name C.EXE performs the following network events:
- DNS Lookup72.8.143.182 serv1.alwaysproxy3.info
- DNS Lookup72.8.143.184 serv1.alwaysproxy3.info
Website Activity
One or more files with the name C.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:72.8.143.184:18386 Port:12
- TCP:72.8.143.184:18386 Port:13
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.