Prevx Research Division
11.TMP
Cloaked MalwareFree PC Cleanup from Webroot
Use Webroot SecureAnywhere to remove 11.TMP.
"Just when you thought it couldn't get any better or faster. The Webroot scanning engine is 'high octane' with a hidden nitrous oxide system. Bravo!!!" W. Lodzinski, SecureAnywhere User
Associated Malware Groups
The filename is associated with the malware groups:
- Cloaked Malware
- Malware Dropper
File Behavior
11.TMP has been seen to perform the following behavior:
- Writes to another Process's Virtual Memory (Process Hijacking)
- Executes Processes stored in Temporary Folders
- This process creates other processes on disk
- Executes a Process
- This Process Deletes Other Processes From Disk
- Hooks the WININET.DLL function allowing it to read or copy Http and Https web page content and session information
- Registers a Dynamic Link Library File
- Creates new folders on the system
- Performs DNS look ups to resolve URL IP addresses
- The Process is packed and/or encrypted using a software packing process
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Can communicate with other computer systems using HTTP protocols
- Disables the Notification Balloon for the Windows Security Center
- Disables the Windows Built in Firewall enabling rogue processes to access the internet without your knowledge or permission
- Disables the Windows Security Center Service
- Creates a new Background Service on the machine
- Uses DNS to retrieve the IP address for web sites
- Found on infected systems and resists interrogation by security products
- Uses low level functions to hide itself from the user and from system/security processes
11.TMP has been the subject of the following behavior:
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs
- Added as a Registry auto start to load Program on Boot up
- Created as a process on disk
- Deleted as a process from disk
- Copied to multiple locations on the system
- Registered as a Dynamic Link Library File
- Enabled as an In Process Object/Server - Common with DLL Injections
Country Of Origin
The filename 11.TMP was first seen on Jun 22 2007 in the following geographical regions of the Webroot community:
- Europe on Jun 22 2007
- Italy on Jul 27 2007
- Spain on Sep 6 2008
- The United States on Sep 6 2008
- Mexico on Apr 29 2010
- South Africa on May 21 2010
File Name Aliases
11.TMP can also use the following file names:
- KERNELS32.EXE
- SERVICES.EXE
- EMAIL.EXE
- EMAIL[1].EXE
- LOAD_001.EXE
- EDLP.SUO
- D.TMP
- 19.TMP
- 14.TMP
- 51.TMP
- 1B.TMP
- 7AE.TMP
Filesizes
The following file size has been seen:
- 243,381 bytes
- 32,704 bytes
- 11,100 bytes
- 75,935 bytes
- 39,936 bytes
- 1,323,008 bytes
- 27,136 bytes
File Type
The filename 11.TMP is used by multiple object types including executable programs,Dynamic Link LIbraries.
File Activity
One or more files with the name 11.TMP creates, deletes, copies or moves the following files and folders:
- Deletes c:\windows\services.exe
- Copies filec:\windows\services.exe to c:\windows\services.exe
- Deletes c:\windows\file.bat
Network Activity
One or more files with the name 11.TMP performs the following network events:
- DNS Lookup206.51.233.137 206.51.233.137
- DNS name server0.10.66.1
Website Activity
One or more files with the name 11.TMP interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:10.10.66.1:53 Port:6
- TCP:10.10.66.1:53 Port:6
Help the Webroot Community to fight cyber crime
We are always looking for ways to improve the quality and speed of research to help us protect you from malicious software and cyber crime.
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.