Prevx Research Division
WPDNSE.EXE
Cloaked MalwareFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove WPDNSE.EXE.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Cloaked Malware
- Worm
- Malicious Software
File Behavior
WPDNSE.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Writes to another Process's Virtual Memory (Process Hijacking)
- Executes a Process
- This Process Deletes Other Processes From Disk
- This process creates other processes on disk
- Registers a Dynamic Link Library File
- Creates new folders on the system
- Copies files
- Injects code into other processes
- Performs DNS look ups to resolve URL IP addresses
- Modifies of the style sheet within Windows
- Creates a TCP port which listens and is available for communication initiated by other computers
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Can communicate with other computer systems using HTTP protocols
- Makes outbound connections to other computers using NETBIOSOUT protocols
- Adds products to the system registry
- Executes Processes stored in Temporary Folders
- Deletes an ActiveX component
- Enables an In Process Object/Server - Common with DLL Injections
- Adds an ActiveX component changing or modifying the function of your browser
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Modifies the Windows Host File which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
- Enables the system to use a Communications Proxy Server
- Adds new menu items in the Internet Explorer Right Click menu
- Adds a Registry Key (EXPLORER) to auto start Programs on system start Boot up
- Creates new file extentions so that Internet Explorer will automatically open and potentially execute additional file types
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Loads and Executes a System Driver File
- Terminates Processes
- Changes to the file command map within the registry
- Enables a COM Object/Server on the Local Machine
- Modifies Windows Security Policies to restrict/expand User Privileges on the machine
- Disables Access to the Task Manager built into Windows
- Disables Access to the Windows Registry Editior
- Disables the built in Windows File Protection System
- Sets processes to start during user logon
- Found on infected systems and resists interrogation by security products
WPDNSE.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Added as a Registry auto start to load Program on Boot up
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Registered as a Dynamic Link Library File
- Copied to multiple locations on the system
- The process is hooked into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Deleted as a process from disk
- Executed by Internet Explorer
- Enabled as a COM Object/Server on the Local Machine
Country Of Origin
The filename WPDNSE.EXE was first seen on May 3 2007 in the following geographical regions of the Webroot community:
- on May 3 2007
- Europe on May 3 2007
- Turkey on May 12 2007
- Japan on Jun 1 2007
- Australia on Jun 1 2007
- Italy on Oct 12 2009
- Thailand on Jan 13 2010
- The United Kingdom on Jan 13 2010
- Brazil on Jul 18 2010
File Name Aliases
WPDNSE.EXE can also use the following file names:
- ANNEW.EXE
- WINDOWS.EXE
- SHOW.EXE
- DOWNLOAD.EXE
- MSDOS.PIF
- STARTUP.EXE
- PREVX 3.0.EXE
- GIRL.EXE
- PROGRAMS.EXE
- START MENU.EXE
- NG_TEMP.EXE
- MICROSOFT OFFICE.EXE
- ACCESSORIES.EXE
- DATA.OCT
- WINUPGRO.EXE
- ADC.EXE
- GOOGLETOOLBARNOTIFIER.EXE
- SETUP.EXE
- INSTALL.EXE
- MSMSGS.EXE
- CRAC.EXE
- RUN.EXE
- WCESCOMM.EXE
- ISUSPM.EXE
- PCSUITE.EXE
- NMBGMONITOR.EXE
- PATCH.EXE
- INSTALL_CRACK.EXE
- KEY_GEN.EXE
- KEYGEN.EXE
- INSTALL_PATCH.EXE
- NMINDEXSTORESVR.EXE
- DOPUSRT.EXE
- SETUP(1).EXE
- GOOGLEUPDATE.EXE
- HPTLBXFX.EXE
- TOSCDSPD.EXE
- BTDNA.EXE
- DAEMON.EXE
- MCC.EXE
- YAHOOMESSENGER.EXE
- KEY_GENERATOR.EXE
- RTHDVCPL.EXE
- TOMTOMHOMERUNNER.EXE
- READER_SL.EXE
- REGSRVC.EXE
- START.EXE
- MSNMSGR.OLD
- MSNMSGR.EXE
- MSNMSGR.APATCH.BAK
- MSNMSGER.EXE
- SEX.EXE
- MY PICTURES.EXE
- DOWNLOADS.EXE
- MY DOCUMENTS.EXE
- WINDOW.EXE
- B.EXE
- MSNMSGR.EXE.LMPBAK
- S-1-5-21-1078081533-1972579041-682003330-1003.EXE
- 60713089.EXE
Filesizes
The following file size has been seen:
- 560,640 bytes
- 5,354,792 bytes
- 5,674,352 bytes
- 3,954,000 bytes
- 227,328 bytes
- 909,312 bytes
File Type
The filename WPDNSE.EXE refers to many versions of an executable program.
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.