Associated Malware Groups
The filename is associated with the malware groups:
- Worm
- Cloaked Malware
- Malicious Software
File Behavior
UU[n].EXE has been seen to perform the following behavior:
- The process is packed and/or encrypted using a software packing process
- This process creates other processes on disk
- This process deletes other processes from disk
- Registers a Dynamic Link Library File
- Executes a Process
- Copies files
- Creates a new Background Service on the machine
- Enables an In Process Object/Server - Common with DLL Injections
- The process is polymorphic and can change its structure
UU[n].EXE has been the subject of the following behavior:
- Executed as a Process
- Executed from Temporary Folders
- Created as a process on disk
- This program is often downloaded from the web
- Deleted as a process from disk
- Has code inserted into its Virtual Memory space by other programs
Country Of Origin
The filename UU[n].EXE was first seen on Feb 20 2008 in the following geographical regions of the Prevx community:
- SPAIN on Feb 20 2008
- The UNITED KINGDOM on Jul 19 2008
- JAPAN on Aug 19 2008
- URUGUAY on Sep 13 2008
File Name Aliases
UU[n].EXE can also use the following file names:
- UU[1].EXE
- 02538241.DAT
- TRU8.TMP
- UU.EXE
- NOD7.TMP
- 71511434.DAT
- 15366057.DAT
- 10562767.SVD
- 33873858.DAT
- 65432218.EXE
- 31478672.EXE
- 89908827.DAT
- TRU6.TMP
- TRU16B.TMP
- 47769882.SVD
- 25417431.DAT
- 72967016.DAT
Filesizes
The following file sizes have been seen:
- 109,568 bytes
- 108,032 bytes
- 111,410 bytes
- 129,536 bytes
- 2,584 bytes
- 108,544 bytes
- 139,264 bytes
File Type
The filename UU[n].EXE refers to many versions of an executable program.
File Activity
One or more files with the name UU[n].EXE create, delete, copy or move the following files and folders:
- Creates c:\windows\rb.exe
- Creates c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\mmvo.exe
- Copies file c:\windows\rb.exe to c:\windows\system32\mmvo.exe
- Deletes c:\windows\system32\mmvo0.dll
- Creates c:\windows\system32\mmvo0.dll
- Deletes c:\windows\rb.exe
- Deletes c:\awqlpyrd.co
- Copies file c:\windows\system32\mmvo.exe to c:\awqlpyrd.co
- Deletes c:\autorun.in
- Creates c:\autorun.in
- Deletes d:\awqlpyrd.co
- Copies file c:\windows\system32\mmvo.exe to d:\awqlpyrd.co
- Deletes d:\autorun.in
- Creates d:\autorun.in
- Deletes c:\docume~1\user\locals~1\temp\uu.rar
- Deletes c:\windows\system32\ddr.ex
- Deletes c:\docume~1\user\locals~1\temp\mg12.tx
- Creates c:\docume~1\user\locals~1\temp\ba60_appcompat.txt
- Deletes c:\docume~1\user\locals~1\temp\help.ex
- Deletes c:\otyh.cm
- Copies file c:\windows\system32\ckvo.exe to c:\otyh.cm
- Deletes d:\otyh.cm
- Copies file c:\windows\system32\ckvo.exe to d:\otyh.cm
- Deletes c:\docume~1\user\locals~1\temp\help1.rar
- Deletes c:\windows\system32\ckvo0.dl
- Opens/modifies c:\autoexec.bat
- Deletes c:\windows\system32\ddr.exe
- Creates c:\windows\system32\ddr.exe
- Deletes c:\windows\system32\Bitkv0.dll
- Creates c:\windows\system32\Bitkv0.dll
- Deletes c:\docume~1\user\locals~1\temp\help.exe
- Creates c:\docume~1\user\locals~1\temp\help.exe
- Creates c:\docume~1\user\locals~1\temp\1BE98.dmp
- Deletes c:\windows\system32\ckvo.exe
- Copies file c:\docume~1\user\locals~1\temp\help.exe to c:\windows\system32\ckvo.exe
- Deletes c:\windows\system32\ckvo0.dll
- Creates c:\windows\system32\ckvo0.dll
- Creates c:\docume~1\user\locals~1\temp\help1.rar
- Deletes c:\windows\system32\ckvo1.dll
- Creates c:\windows\system32\ckvo1.dll
Website Activity
One or more files with the name UU[n].EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.