Associated Malware Groups
The filename is associated with the malware groups:
- Cloaked Malware
- Rootkit
- Worm
File Behavior
TJ8ODYMW.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Creates a new Background Service on the machine
- This Process Creates Other Processes On Disk
- Loads and Executes a System Driver File
- This Process Deletes Other Processes From Disk
- Registers a Dynamic Link Library File
- Executes a Process
- Copies files
- Injects code into other processes
- Disables Access to the Windows Registry Editor
- Disables Access to the Task Manager built into Windows
- Modifies Windows Security Policies to restrict/expand User Privileges on the machine
- Disables safe mode on your PC
- Modifies Windows Initialization And System Settings Used On Start up
- Includes file creation code which could be used to test for interception by security products
TJ8ODYMW.EXE has been the subject of the following behavior:
- Created as a process on disk
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
- Copied to multiple locations on the system
- Added as a Registry auto start to load Program on Boot up
- Executed from Temporary Folders
- This program is often downloaded from the web
Country Of Origin
The filename TJ8ODYMW.EXE was first seen on Sep 3 2008 in the following geographical regions of the Prevx community:
- The UNITED KINGDOM on Sep 3 2008
- SPAIN on Sep 9 2008
- HONG KONG on Sep 10 2008
- TAIWAN on Oct 3 2008
- The EUROPEAN UNION on Oct 3 2008
File Name Aliases
TJ8ODYMW.EXE can also use the following file names:
- FF.EXE
- J3EWRO.EXE
- 99054844.SVD
- ABS1.EXE
- 64844332.EXE
- TJ8ODYMW.EXEE
- 00301015.SVD
Filesizes
The following file sizes have been seen:
- 286,684 bytes
- 190,464 bytes
- 138,425 bytes
- 108,315 bytes
- 112,259 bytes
Vendor, Product and Version Information
Files with the name TJ8ODYMW.EXE have been seen to have the following Vendor, Product and Version Information in the file header:
File Type
The filename TJ8ODYMW.EXE refers to many versions of an executable program.
File Activity
One or more files with the name TJ8ODYMW.EXE create, delete, copy or move the following files and folders:
- Creates c:\docume~1\user\locals~1\temp\toa7.tmp
- Creates c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\j3ewro.exe
- Deletes c:\windows\system32\jwedsfdo0.dll
- Creates c:\windows\system32\jwedsfdo0.dll
- Deletes c:\tj8odymw.ex
- Copies file c:\windows\system32\j3ewro.exe to c:\tj8odymw.ex
- Deletes c:\autorun.in
- Creates c:\autorun.in
- Deletes d:\tj8odymw.ex
- Copies file c:\windows\system32\j3ewro.exe to d:\tj8odymw.ex
- Deletes d:\autorun.in
- Creates d:\autorun.in
- Deletes c:\docume~1\user\locals~1\temp\cc1.rar
- Deletes c:\docume~1\user\locals~1\temp\cc.ex
- Deletes c:\docume~1\user\locals~1\temp\ff1.rar
- Deletes c:\docume~1\user\locals~1\temp\ff.ex
- Deletes c:\x.cm
- Copies file c:\windows\system32\j3ewro.exe to c:\x.cm
- Deletes d:\x.cm
- Copies file c:\windows\system32\j3ewro.exe to d:\x.cm
- Opens/modifies c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\cc1.rar
- Deletes c:\docume~1\user\locals~1\temp\cc.exe
- Creates c:\docume~1\user\locals~1\temp\cc.exe
- Deletes c:\windows\system32\kxvo.exe
- Copies file c:\docume~1\user\locals~1\temp\cc.exe to c:\windows\system32\kxvo.exe
- Deletes c:\windows\system32\kxvo0.dll
- Creates c:\windows\system32\kxvo0.dll
- Creates c:\docume~1\user\locals~1\temp\ff1.rar
- Deletes c:\docume~1\user\locals~1\temp\ff.exe
- Creates c:\docume~1\user\locals~1\temp\ff.exe
- Copies file c:\docume~1\user\locals~1\temp\ff.exe to c:\windows\system32\j3ewro.exe
- Deletes c:\windows\system32\jwedsfdo1.dll
- Creates c:\windows\system32\jwedsfdo1.dll
Registry Activity
One or more files with the name TJ8ODYMW.EXE create or modify the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jvsoft C:\WINDOWS\system32\j3ewro.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun [REG_DWORD, value: 00000091]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tasoft C:\WINDOWS\system32\kxvo.exe
Website Activity
One or more files with the name TJ8ODYMW.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1091 Port:18
- Port 80 IP:61.162.230.87
- TCP:127.0.0.1:1093 Port:18
- TCP:127.0.0.1:1097 Port:19
- TCP:127.0.0.1:1099 Port:18