Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- Malware Dropper
- Malware Downloader
File Behavior
CODEC[n].EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Adds a Registry Key (RUN) to auto start Programs on system start up
- This process creates other processes on disk
- This Process Deletes Other Processes From Disk
- Copies files
- This Process is a file infector which modifies program files to include a copy of the infection
- Opens browser pop ups
- Executes a Process
- Terminates Processes
- Writes to another Process's Virtual Memory (Process Hijacking)
- Found on infected systems and resists interrogation by security products
- Registers a Dynamic Link Library File
- Injects code into other processes
- Creates new folders in the file system
- Enables an In Process Object/Server - Common with DLL Injections
- Creates a new Background Service on the machine
- The Process is polymorphic and can change its structure
- Adds products to the system registry
- Can communicate with other computer systems using HTTP protocols
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
CODEC[n].EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
- Executed from Temporary Folders
- Terminated as a Process
- Registered as a Dynamic Link Library File
- Deleted as a process from disk
- Executed by Internet Explorer
- Added as a Registry auto start to load Program on Boot up
Country Of Origin
The filename CODEC[n].EXE was first seen on Sep 5 2007 in the following geographical regions of the Prevx community:
- SPAIN on Sep 5 2007
- The UNITED STATES on Sep 5 2007
- The UNITED KINGDOM on Sep 5 2008
File Name Aliases
CODEC[n].EXE can also use the following file names:
- CODEC[1].EXE
- 531.EXE
- SCAN.EXE
- 05391631.EXE
- 91036185.EXE
- 50035027.EXE
- CODEC.EXE
- WINLOGON.EXE
- 02679357.EXE
- 94918279.EXE
- MEDIA_CODECS[n].EXE
- CODEC_1.EXE
- CODEC_2.EXE.DAP
- EBOOK.EXE
- EBOOK[n].EXE
- CODECCANQ6Q6E.EXE
- 00878144.EXE
- 21183048.DAT
- 97316713.DAT
- 65531038.EXE
- 09531384.EXE
- 187.EXE
- 87830567.EXE
- 15.EXE
- 0.EXE
Filesizes
The following file size has been seen:
- 42,496 bytes
- 107,584 bytes
- 4,065,117 bytes
- 31,236 bytes
- 32,768 bytes
- 45,060 bytes
- 73,728 bytes
File Type
The filename CODEC[n].EXE refers to many versions of an executable program.
File Activity
One or more files with the name CODEC[n].EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\windows\system32\braviax.exe
- Creates c:\windows\system32\dllcache\figaro.sys
- Copies filec:\windows\system32\dllcache\figaro.sys to c:\windows\drivers\beep.sys
- Copies filec:\windows\system32\dllcache\figaro.sys to c:\windows\system32\dllcache\beep.sys
- Copies filec:\windows\system32\dllcache\figaro.sys to c:\windows\system32\drivers\beep.sys
- Moves c:\windows\system32\dllcache\figaro.sys to c:\windows\system32\drivers\beep.sys
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.