Associated Malware Groups
The filename is associated with the malware group:
File Behavior
2FIJI.COM has been seen to perform the following behavior:
- Executes a Process
- Registers a Dynamic Link Library File
- Injects code into other processes
- This process is a file infector which modifies program files to include a copy of the infection
- This process creates other processes on disk
- This process deletes other processes from disk
- This process looks to see what security products and services are running on the system
- Creates a new Background Service on the machine
- Disables safe mode on your PC
- Drops known malicious software during execution
- Includes file creation code which could be used to test for interception by security products
- The process is packed and/or encrypted using a software packing process
- Found on infected systems and resists interrogation by security products
2FIJI.COM has been the subject of the following behavior:
- Copied to multiple locations on the system
- Deleted as a process from disk
- Executed as a Process
- Created as a new Background Service on the machine
Country Of Origin
The filename 2FIJI.COM was first seen on Oct 18 2008 in the following geographical regions of the Prevx community:
- Europe on Oct 18 2008
- Spain on Oct 18 2008
- Turkey on Feb 26 2010
- The United Kingdom on Feb 26 2010
Filesizes
The following file sizes have been seen:
- 166,400 bytes
- 176,128 bytes
- 212,992 bytes
- 104,758 bytes
- 104,366 bytes
Vendor, Product and Version Information
Files with the name 2FIJI.COM have been seen to have the following Vendor, Product and Version Information in the file header:
- RealNetworks, Inc.; Uninstaller Shell executable; 7.0.1.68
File Type
The filename 2FIJI.COM refers to many versions of an executable program.
File Activity
One or more files with the name 2FIJI.COM creates, deletes, copies or moves the following files and folders:
- Creates c:\windows\system32\drivers\klif.sys
- Deletes c:\windows\system32\drivers\klif.sys
- Deletes c:\docume~1\jim\locals~1\temp\mirc634.exe
- Deletes c:\docume~1\jim\locals~1\temp\mirc635.exe
- Deletes c:\windows\system32\ckvo.exe
- Copies file c:\8160529.exe to c:\windows\system32\ckvo.exe
- Deletes c:\windows\system32\ckvo0.dll
- Creates c:\windows\system32\ckvo0.dll
- Creates c:\1f6af
- Deletes c:\1f6af
- Creates d:\1fc2d
- Creates b:\22408
- Creates c:\22afe
- Deletes c:\22afe
- Creates d:\23195
- Creates e:\23dab
- Creates f:\24423
- Creates g:\248b7
- Deletes c:\windows\system32\drivers\gnliln.sy
- Creates c:\windows\system32\drivers\gnliln.sys
- Creates h:\24d4b
- Creates j:\25152
- Creates k:\25559
- Creates k:\25970
- Creates l:\25d87
- Creates n:\2619e
- Creates n:\265a5
- Creates p:\269ad
- Deletes c:\2fiji.co
- Copies file c:\windows\system32\ckvo.exe to c:\2fiji.co
- Deletes c:\autorun.in
- Creates c:\autorun.in
- Creates q:\26db4
- Creates q:\271bb
- Creates s:\2765f
- Creates t:\27a66
- Creates t:\27eac
- Creates v:\282b3
- Creates w:\286ba
- Creates w:\28ac1
- Creates y:\28ff1
- Deletes c:\docume~1\jim\locals~1\temp\help1.rar
- Creates y:\293f9
- Deletes c:\docume~1\jim\locals~1\temp\help.ex
- Opens/modifies c:\autoexec.bat
- Creates c:\docume~1\jim\locals~1\temp\help1.rar
- Deletes c:\docume~1\jim\locals~1\temp\help.exe
- Creates c:\docume~1\jim\locals~1\temp\help.exe
- Deletes c:\windows\system32\olhrwef.exe
- Copies file c:\docume~1\jim\locals~1\temp\help.exe to c:\windows\system32\olhrwef.exe
Registry Activity
One or more files with the name 2FIJI.COM creates or modifies the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings GlobalUserOffline value:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\8160529.exe C:\8160529.exe:*:Enabled:ipsec
- HKEY_CURRENT_USER\Software\Jim914\530607972 7170378 [REG_DWORD, value: 00000019]
- HKEY_CURRENT_USER\Software\Jim914\530607972 14340756 value:
- HKEY_CURRENT_USER\Software\Jim914\530607972 21511134 value:
- HKEY_CURRENT_USER\Software\Jim914\530607972 28681512 [REG_DWORD, value: 00000028]
- HKEY_CURRENT_USER\Software\Jim914\530607972 35851890 [REG_DWORD, value: 000000AA]
- HKEY_CURRENT_USER\Software\Jim914\530607972 43022268
- HKEY_CURRENT_USER\Software\Jim914\530607972 50192646
- HKEY_CURRENT_USER\Software\Jim914 J1_0 [REG_DWORD, value: CC96283A]
- HKEY_CURRENT_USER\Software\Jim914 J2_0 [REG_DWORD, value: 0000158D]
- HKEY_CURRENT_USER\Software\Jim914 J3_0 [REG_DWORD, value: 01036641]
- HKEY_CURRENT_USER\Software\Jim914 J4_0 value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kamsoft C:\WINDOWS\system32\ckvo.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden value:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun [REG_DWORD, value: 00000091]
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\WINDOWS\Explorer.EXE C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cdoosoft C:\WINDOWS\system32\olhrwef.ex
Network Activity
One or more files with the name 2FIJI.COM performs the following network events:
- DNS Lookup 127.0.0.1 0
- DNS Lookup ghy67.com
- DNS Lookup 221.1.204.243 ghy67.com
- DNS Lookup hjyuw2.com
- DNS Lookup 221.1.204.243 hjyuw2.com
Website Activity
One or more files with the name 2FIJI.COM interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1064 Port:18
- Port 80 IP:221.1.204.243
- TCP:127.0.0.1:1069 Port:18