F.EXE, Prevx

Associated Malware Groups

The filename is associated with the malware groups:

Cloaked Malware
Virus
Malicious Software

File Behavior

F.EXE has been seen to perform the following behavior:

The Process is packed and/or encrypted using a software packing process
Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
Communicates with other computers using FTP connections
This Process Disables Other Security Products
Contains Exploit Code for the WEBDAV Exploit
Contains DCOM Exploit Code
Adds a Registry Key (RUN) to auto start Programs on system start up
Creates a TCP port which listens and is available for communication initiated by other computers
Can communicate with other computer systems using HTTP protocols
This Process Deletes Other Processes From Disk
Makes outbound connections to other computers using NETBIOSOUT protocols
Registers a Dynamic Link Library File
Can communicate with other computers using TCP protocols
This process creates other processes on disk
Writes to another Process's Virtual Memory (Process Hijacking)
Adds products to the system registry
Executes a Process
Removes Scheduled Tasks from the Windows task queue
Copies files
Creates or uses a background service to access the Internet using HTTP protocols
Injects code into other processes
Performs DNS look ups to resolve URL IP addresses
The Process is polymorphic and can change its structure
Loads and Executes a System Driver File
Found on infected systems and resists interrogation by security products
Uses low level functions to hide itself from the user and from system/security processes

F.EXE has been the subject of the following behavior:

Created as a new Background Service on the machine
Added as a Registry auto start to load Program on Boot up
Executed as a Process
Created as a process on disk
Deleted as a process from disk
Victim of a Heap Based Buffer Overflow Exploit
Executed from Temporary Folders
Copied to multiple locations on the system
Has code inserted into its Virtual Memory space by other programs
Terminated as a Process
Executed by Internet Explorer
Downloaded from covert web sites without the user knowing
This program is often downloaded from the web

Country Of Origin

The filename F.EXE was first seen on May 14 2007 in the following geographical regions of the Webroot community:

The United States on May 14 2007
Romania on May 14 2007
Spain on Jun 21 2007
Philippines on Oct 21 2007
Poland on Mar 25 2008
on Aug 7 2008
Thailand on Aug 7 2008
The United Arab Emirates on Nov 18 2009
The United Kingdom on Nov 18 2009
Russian Federation on May 24 2012

File Name Aliases

F.EXE can also use the following file names:

COOL.EXE
LIBSYS32.EXE
FIREPASSWORD.EXE
BTFLP2.EXE
KAVO.EXE
MSA.EXE
MSB.EXE
HELP[n].EXE
HELP.EXE
MGG.EXE
INO6.COM
AMVO.EXE
N2DE.CMD
HELP.EXE.TMP
W32ONLINEGAMES!I339.EXE
F[1].EXE
J.EXE
M.EXE
2.EXE
DK1.EXE
C1EEF81B-C5D1-4DD3-86AC-6F847767D58E
M4|71985409.EXE
L7|F.EXE
89651948.EXE

Filesizes

The following file size has been seen:

12,264 bytes
22,528 bytes
96,259 bytes
40,960 bytes
177,059 bytes
103,314 bytes
156,160 bytes
102,937 bytes

File Type

The filename F.EXE is used by multiple object types including executable programs,objects.

File Activity

One or more files with the name F.EXE creates, deletes, copies or moves the following files and folders:

Creates c:\windows\system32\drivers\klif.sys
Deletes c:\windows\system32\drivers\klif.sys
Deletes c:\windows\system32\kavo.exe
Deletes c:\windows\system32\kavo0.dll
Creates c:\windows\system32\kavo0.dll
Deletes c:\f.ex
Copies filec:\windows\system32\kavo.exe to c:\f.ex
Deletes c:\autorun.in
Creates c:\autorun.in
Deletes d:\f.ex
Copies filec:\windows\system32\kavo.exe to d:\f.ex
Deletes d:\autorun.in
Creates d:\autorun.in
Deletes c:\docume~1\user\locals~1\temp\cc.rar
Deletes c:\windows\system32\ddr.ex
Deletes c:\tyktjfww.ex
Copies filec:\windows\system32\ckvo.exe to c:\tyktjfww.ex
Deletes d:\tyktjfww.ex
Copies filec:\windows\system32\ckvo.exe to d:\tyktjfww.ex
Deletes c:\docume~1\user\locals~1\temp\help1.rar
Deletes c:\windows\tt.exe
Deletes c:\docume~1\user\locals~1\temp\ff.rar
Deletes c:\windows\system32\ckvo0.dl
Opens/modifes c:\autoexec.bat
Deletes c:\windows\system32\ddr.exe
Creates c:\windows\system32\ddr.exe
Deletes c:\windows\system32\ckvo.exe
Copies filec:\windows\system32\ddr.exe to c:\windows\system32\ckvo.exe
Deletes c:\windows\system32\ckvo0.dll
Creates c:\windows\system32\ckvo0.dll
Moves c:\docume~1\user\locals~1\temp\cc.exe to c:\docume~1\user\locals~1\temp\tru10F.tmp
Creates c:\windows\tt.exe
Creates c:\docume~1\user\locals~1\temp\help1.rar
Deletes c:\windows\system32\tavo.exe
Copies filec:\windows\tt.exe to c:\windows\system32\tavo.exe
Deletes c:\windows\system32\tavo0.dll
Creates c:\windows\system32\tavo0.dll
Deletes c:\docume~1\user\locals~1\temp\help.exe
Creates c:\docume~1\user\locals~1\temp\help.exe
Copies filec:\docume~1\user\locals~1\temp\help.exe to c:\windows\system32\ckvo.exe
Deletes c:\windows\system32\ckvo1.dll
Creates c:\windows\system32\ckvo1.dll

Website Activity

One or more files with the name F.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

TCP:127.0.0.1:1097 Port:17
Port 80 IP:61.162.230.86
TCP:127.0.0.1:1098 Port:18
Port 80 IP:60.169.1.92
TCP:127.0.0.1:1102 Port:17
TCP:127.0.0.1:1107 Port:18
TCP:127.0.0.1:1110 Port:18
TCP:127.0.0.1:1113 Port:17
TCP:127.0.0.1:1115 Port:17

Help the Webroot Community to fight cyber crime

We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.

The filename referred to in this report is often associated with PC infections. If you have a program of this name on your PC and would like to help our research please tell us what you know in the form below:

I have this file on my PC and believe it is an infection
I have this file on my PC and think it has made my PC slower
My firewall asked if I wanted to let this file have access to the Internet
My PC will not work since I noticed this file on it
My antivirus detected this file but won't remove it
I know what this file is and believe it is a Safe program
I am the author of this file and would like to discuss how to have it reclassified as safe

Further Comments or information you'd like to share: (optional)

Your email address if you would like us to contact you about this file and any concerns you may have: (optional)

PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.

F.EXE

Free PC Cleanup from Webroot