What is frmwrk32.exe


This is cloaked malware and a malware downloader.

It also uses the following names:

  • 64439744.EXE
  • 71698828.DAT
  • VRTA.TMP
  • TOP[n].TXT
  • 6.TMP
  • 8.TMP
  • 93511318.DAT
  • 92837428.BAD
  • 11244301.EXE
  • LOADER[n].EXE
  • WJQS.EXE
  • A.EXE
  • SVCHOST.EXE
  • FRMWRK32/A.EXE
  • FRMWRK32/A0051148.EXE
  • FRMWRK32/U-STORE[n].GIF
  • FRMWRK32/FRMWRK32.EXE
  • RDL4.TMP
  • 45049727.EXE
  • 22690229.EXE
  • 303350.EXE
  • 06696265.EXE
  • 78935166.EXE
  • LOADER.EXE

File activity:
  • Deletes c:\windows\system32\frmwrk32.exe
  • Copies file c:\windows\system32\frmwrk32.exe to c:\windows\system32\frmwrk32.exe
  • Creates c:\windows\system32\ntdll64.exe
  • Creates c:\windows\system32\win32hlp.cnf
  • Creates c:\windows\system32\warning.gif
  • Creates c:\windows\system32\ahtn.htm
  • Creates c:\docume~1\user\locals~1\temp\cscript.exe
  • Creates c:\windows\cscript.exe
  • Deletes c:\docume~1\user\locals~1\temp\ntdll64.dll
  • Creates c:\docume~1\user\locals~1\temp\ntdll64.dll
  • Deletes c:\docume~1\user\locals~1\temp\mousehook.dll
  • Creates c:\docume~1\user\locals~1\temp\mousehook.dll
  • Moves c:\windows\system32\userinit.exe to c:\windows\system32\init32.exe
  • Copies file c:\windows\system32\ntdll64.exe to c:\windows\system32\userinit.exe
  • Copies file c:\windows\system32\ntdll64.exe to c:\windows\system32\dllcache\userinit.exe
  • Deletes c:\windows\system32\ntdll64.ex

Registry activity:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr value:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoSetActiveDesktop value:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop NoChangingWallpaper value:
  • HKEY_


Wallpapers And News Blog Copyright © 2010 Designed by Imran Yousaf, Sulman Yousaf