Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Malware Downloader
- Spyware
- Malware Dropper
- Malicious Software
File Behavior
LWPWER.EXE has been seen to perform the following behavior:
- Executes a Process
- Creates system tray popups, messages, errors and security warnings
- This process creates other processes on disk
- The Process is packed and/or encrypted using a software packing process
- Adds products to the system registry
- Adds a Registry Key (RUN) to auto start Programs on system start up
- This Process Deletes Other Processes From Disk
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Can communicate with other computer systems using HTTP protocols
- Writes to another Process's Virtual Memory (Process Hijacking)
- This Process is a file infector which modifies program files to include a copy of the infection
- Visits web sites on your PC without you knowing
- Executes Processes stored in Temporary Folders
LWPWER.EXE has been the subject of the following behavior:
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
- Executed as a Process
- This program is often downloaded from the web
- Created by processes which appear to be checking for interception by security products
- Executed from Temporary Folders
- Added as a Registry auto start to load Program on Boot up
- Terminated as a Process
- Registered as a Dynamic Link Library File
Country Of Origin
The filename LWPWER.EXE was first seen on Jul 10 2008 in the following geographical regions of the Prevx community:
- The EUROPEAN UNION on Jul 10 2008
- GERMANY on Aug 7 2008
- SPAIN on Aug 7 2008
- ITALY on Aug 26 2008
- The UNITED KINGDOM on Sep 5 2008
- The UNITED STATES on Sep 24 2008
File Name Aliases
LWPWER.EXE can also use the following file names:
Filesizes
The following file sizes have been seen:
- 1,185,556 bytes
- 70,144 bytes
- 1,201,605 bytes
- 1,186,232 bytes
- 851,968 bytes
- 950,586 bytes
- 1,189,857 bytes
- 55,808 bytes
File Type
The filename LWPWER.EXE is used by multiple object types, including objects, executable programs and self-extracting compressed files.
File Activity
One or more files with the name LWPWER.EXE create, delete, copy or move the following files and folders:
- Creates folder C:\Program Files\PCHealthCenter
- Deletes c:\windows\system32\YUR18.tmp
- Copies file c:\program files\pchealthcenter\1.exe to c:\x
- Copies file c:\x to c:\windows\system32\YUR18.exe
- Deletes c:\windows\system32\YUR1C.tmp
- Copies file c:\program files\pchealthcenter\2.exe to c:\x
- Copies file c:\x to c:\windows\system32\YUR1C.exe
- Deletes c:\windows\system32\YUR20.tmp
- Copies file c:\program files\pchealthcenter\3.exe to c:\x
- Copies file c:\x to c:\windows\system32\YUR20.exe
- Deletes c:\windows\system32\YUR24.tmp
- Copies file c:\program files\pchealthcenter\4.exe to c:\x
- Copies file c:\x to c:\windows\system32\YUR24.exe
- Copies file c:\program files\pchealthcenter\1.ico to c:\windows\system32\1.ic
- Creates c:\documents and settings\user\desktop\QUALITY PORN.ur
- Copies file c:\program files\pchealthcenter\2.ico to c:\windows\system32\2.ic
- Creates c:\documents and settings\user\desktop\BEST ZOO PORN.ur
- Creates folder C:\Program Files\MSA
- Creates c:\documents and settings\user\desktop\MS Antivirus.lnk
- Creates c:\documents and settings\user\local settings\temporary internet files\content.ie5\opljk1s3\135[1]
- Copies file c:\program files\msa\MSA.cpl to c:\windows\system32\MSa.cpl
- Deletes c:\program files\msa\MSA.ooo
Website Activity
One or more files with the name LWPWER.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1100 Port:15
- Port 80 IP:91.208.0.237