Associated Malware Groups
The filename is associated with the malware group:
File Behavior
E-CARD[n].EXE has been seen to perform the following behavior:
- Executes Processes stored in Temporary Folders
- This process creates other processes on disk
- Executes a Process
- Registers a Dynamic Link Library File
- The Process is packed and/or encrypted using a software packing process
E-CARD[n].EXE has been the subject of the following behavior:
- Executed as a Process
- Created as a process on disk
- Executed by Internet Explorer
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
Country Of Origin
The filename E-CARD[n].EXE was first seen on Aug 18 2008 in the following geographical regions of the Prevx community:
- SPAIN on Aug 18 2008
- The UNITED STATES on Aug 18 2008
File Name Aliases
E-CARD[n].EXE can also use the following file names:
Filesizes
This file has been seen with the following file size:
Vendor, Product and Version Information
This file has no vendor, product or version information specified in the file header.
File Type
The filename E-CARD[n].EXE refers to an executable program.
File Activity
One or more files with the name E-CARD[n].EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\docume~1\user\locals~1\temp\ziqKJ4ZjGL.exe
- Creates c:\docume~1\user\locals~1\temp\scan.exe
- Creates c:\docume~1\user\locals~1\temp\finder.exe
- Creates c:\docume~1\user\locals~1\temp\inst1_294.exe
- Creates c:\docume~1\user\locals~1\temp\svchost.exe
- Opens/modifies c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\ActSh.dll
- Creates c:\documents and settings\all users\application data\adkvqjeh\edirqneb.exe
- Moves c:\docume~1\user\locals~1\temp\ZIQKJ4~1.EXE to c:\docume~1\user\locals~1\temp\ZIQKJ4~1.EXE
- Creates c:\windows\system32\phc9q8j0eace.bmp
- Moves c:\docume~1\user\locals~1\temp\scan.exe to c:\windows\system32\lphc9q8j0eace.exe
- Deletes c:\windows\system32\lphc9q8j0eace.exe
- Creates c:\documents and settings\user\local settings\temp\.ttB
- Creates c:\windows\system32\blphc9q8j0eace.scr
- Deletes c:\documents and settings\user\local settings\temp\.tt1
- Creates folder C:\Program Files\Microsoft Common
- Copies file c:\docume~1\user\locals~1\temp\finder.exe to c:\program files\microsoft common\svchost.exe
- Deletes c:\docume~1\user\locals~1\temp\rdl13.tm
- Creates c:\docume~1\user\locals~1\temp\rdl13.tmp
- Deletes c:\docume~1\user\locals~1\temp\rdl16.tm
- Copies file c:\windows\system32\drivers\aec.sys to c:\docume~1\user\locals~1\temp\rdl16.tmp
- Copies file c:\docume~1\user\locals~1\temp\rdl13.tmp to c:\windows\system32\drivers\aec.sys
- Copies file c:\docume~1\user\locals~1\temp\rdl16.tmp to c:\windows\system32\drivers\aec.sys
- Creates c:\windows\system32\drivers\TPRVRNPT.sys
- Creates c:\docume~1\user\locals~1\temp\gbu.bat
- Creates folder C:\Program Files\yxzjkdf\
- Creates c:\program files\yxzjkdf\ActSh.dll
- Deletes c:\docume~1\user\locals~1\temp\ZIQKJ4~1.BAK
- Deletes c:\docume~1\user\locals~1\temp\INST1_~1.EX
Registry Activity
One or more files with the name E-CARD[n].EXE creates or modifies the following registry keys and values:
- HKEY_CURRENT_USER\Software\Uninstall C6QTVPuAi3 [REG_DWORD, value: 48A9BDE4]
- HKEY_CURRENT_USER\Software\wkey a OK
- HKEY_CURRENT_USER\Control Panel\Colors Background 0 0 255
- HKEY_CURRENT_USER\Control Panel\Desktop WallpaperStyle 0
- HKEY_CURRENT_USER\Control Panel\Desktop TileWallpaper 0
- HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\WINDOWS\system32\phc9q8j0eace.bmp
- HKEY_CURRENT_USER\Control Panel\Desktop OriginalWallpaper C:\WINDOWS\system32\phc9q8j0eace.bmp
- HKEY_CURRENT_USER\Control Panel\Desktop ConvertedWallpaper C:\WINDOWS\system32\phc9q8j0eace.bmp
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System NoDispBackgroundPage value:
- HKEY_CURRENT_USER\Control Panel\Desktop SCRNSAVE.EXE C:\WINDOWS\system32\blphc9q8j0eace.scr
- HKEY_CURRENT_USER\Control Panel\Desktop ScreenSaveActive 1
- HKEY_CURRENT_USER\Control Panel\Desktop ScreenSaveTimeOut 600
- HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver EulaAccepted value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System NoDispScrSavPage value:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ActSh {0861ACF7-7E0B-67C7-93FD-0AD00BB3A4F6}
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main CompatibilityFlags value:
- HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d} Enable value:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main FullScreen no
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar Locked value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{0D6D4F41-2994-4BA0-8FEF-620E43CD2812}\Count HRZR_PGYFRFFVBA [REG_BINARY, size: 8 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\shannon5554945@live.co.uk usertileurl http://blufiles.storage.msn.com/static/12
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\shannon5554945@live.co.uk idtiletimestamp 2008-07-07T13:06:12.000000-00:00
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Window_Placement [REG_BINARY, size: 44 bytes]
Website Activity
One or more files with the name E-CARD[n].EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1092 Port:14
- Port 80 IP:63.219.178.162
- Port 80 IP:207.46.225.221
- Port 80 IP:89.149.220.158