Associated Malware Groups
The filename is associated with the malware groups:
- Malicious Software
- Cloaked Malware
- Malware Dropper
- Fraudulent Security Program
- System Back Door
File Behavior
WJQS.EXE has been seen to perform the following behavior:
- Adds a Registry Key (RUN) to auto start Programs on system start up
- This Process Deletes Other Processes From Disk
- Executes a Process
- Creates a TCP port which listens and is available for communication initiated by other computers
- This process creates other processes on disk
- Writes to another Process's Virtual Memory (Process Hijacking)
- This Process looks to see what security products and services are running on the system
- Creates new folders in the file system
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Visits web sites on your PC without you knowing
- Registers a Dynamic Link Library File
- The Process is packed and/or encrypted using a software packing process
- Downloads hidden code from covert web sites
- Injects code into other processes
- This Process is a file infector which modifies program files to include a copy of the infection
- Drops known malicious software during execution
- Includes file creation code which could be used to test for interception by security products
- Creates, modifies or schedules batch jobs
- Found on infected systems and resists interrogation by security products
- Adds products to the system registry
- Can communicate with other computer systems using HTTP protocols
- Executes Processes stored in Temporary Folders
- Terminates Processes
- Violates Prevx File Security Settings
- Disables the built in Windows File Protection System
- Modifies the User Shell objects used to run code from other processes
WJQS.EXE has been the subject of the following behavior:
- Added as a Registry auto start to load Program on Boot up
- Executed from Temporary Folders
- Created as a process on disk
- Has code inserted into its Virtual Memory space by other programs
- Executed as a Process
- Deleted as a process from disk
- Terminated as a Process
- Copied to multiple locations on the system
- Registered as a Dynamic Link Library File
- Executed by Internet Explorer
- Created as a new Background Service on the machine
Country Of Origin
The filename WJQS.EXE was first seen on Aug 6 2008 in the following geographical regions of the Prevx community:
- The UNITED KINGDOM on Aug 6 2008
- The UNITED STATES on Aug 7 2008
- SPAIN on Aug 7 2008
File Name Aliases
WJQS.EXE can also use the following file names:
- 40801749.DAT
- 30650992.EXE
- SERVISES.EXE
- UPDATE.EXE
- LOAD[n].EXE
- LOAD_004.EXE
- SVCHOST.EXE
- ._FILE[n].EXE
- WIN32UPD.EXE
- A.EXE
- FLOW[n].HTM
- 66161027.EXE
- _A00F260B42.EXE
- _A00FC74E7.EXE
- POOL[n].HTM
- ~.EXE
- 7HW[n].EXE
- 3RM[n].EXE
- VL[n].EXE
- E0Z[n].EXE
- HZ[n].EXE
- N7T[n].EXE
- MYE[n].EXE
- HT[n].EXE
- IEXPLORE.EXE
- ZB[n].EXE
- MCH[n].EXE
- FWQ[n].EXE
- LDT[n].EXE
- XNQ[n].EXE
- PFK[n].EXE
- WG[n].EXE
- FSI[n].EXE
- BTU[n].EXE
- KI[n].EXE
- SL[n].EXE
- DC[n].EXE
- U4K[n].EXE
- D5[n].EXE
- JL5[n].EXE
- OT[n].EXE
- GZB[n].EXE
- NA[n].EXE
- IT[n].EXE
- LX[n].EXE
- G0R[n].EXE
- IK[n].EXE
- KC[n].EXE
- ID10_20090505.EXE
- UPDATE[n].EXE
- 97168519.SVD
- 48952004.EXE
- GAME.EXE
- 99454317.EXE
- CLS.EXE
- MARIOFOREVER.EXE
Filesizes
The following file size has been seen:
- 28,160 bytes
- 34,304 bytes
- 24,554 bytes
- 16,128 bytes
- 39,424 bytes
- 16,896 bytes
- 188,416 bytes
- 163,840 bytes
- 25,088 bytes
File Type
The filename WJQS.EXE refers to many versions of an executable program.
File Activity
One or more files with the name WJQS.EXE creates, deletes, copies or moves the following files and folders:
- create folder C:\WINDOWS\system32\drivers
- Opens/modifes c:\autoexec.bat
Network Activity
One or more files with the name WJQS.EXE performs the following network events:
- DNS name server92.168.0.1
Website Activity
One or more files with the name WJQS.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- Remote server connection to fgorknazgaz .co
- TCP:192.168.0.1:53 Port:18
- TCP:192.168.0.1:53 Port:20
- TCP:192.168.0.1:53 Port:20
PCMag.com Editors' Choice Award Logo is a trademark of Ziff Davis Publishing Holdings Inc. Used under license.