Threat Description

Backdoor:W32/Agobot.FO

Details

Aliases: Backdoor.Win32.Agobot.fo
Category: Malware
Type: Backdoor
Platform: W32

Summary



A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Removal



Security Patches

The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot. Detailed information and patches are available from the following pages:

  • RPC/DCOM (MS03-026, fixed by MS03-039): http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
  • RPC/Locator (MS03-001): http://www.microsoft.com/technet/security/bulletin/MS03-001.asp
  • WebDAV (MS03-007): http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

The necessary patches can be downloaded from the pages above under the "Patch availability" section.

Disinfection Utility

F-Secure Anti-Virus can detect and disable (rename or delete) Agobot backdoor files; however, if a system is already infected, the special disinfection tool is required to get rid of the infection. F-Secure provides a special disinfection utility for all versions of the Agobot backdoor known by March 2004. You can download the disinfection tool from our ftp site:

  • ftp://ftp.f-secure.com/anti-virus/tools/f-agobot.zip
  • ftp://ftp.f-secure.com/anti-virus/tools/f-agobot.exe

Disinfection instructions can be found here:

  • ftp://ftp.f-secure.com/anti-virus/tools/f-agobot.txt


Technical Details



Backdoor:W32/Agobot.FO is a variant from the Agobot backdoor family. This backdoor has functionality similar to previously released variants, but is more powerful, being able to harvest e-mail addresses, launch Distributed Denial of Service (DDoS) attacks and more. Agobot.FO propagates over network shares.

Agobot.FO's code has a 'Phatbot3' identifier and there are a few 'phat' text strings in its body. As the original Agobot author is known as TheAgo, it's possible the identifier indicates that this variant is made by a different person or group.

The backdoor's file is a PE executable 115738 bytes long, compressed with the PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.

Agobot.FO was found in March 2004 and has become relatively widespread.

Installation

During installation, Agobot.FO copies itself as the file NVCHIP4.EXE to the Windows System folder and creates startup keys for this file in the System Registry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "nVidia Chip4" = "nvchip4.exe"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "nVidia Chip4" = "nvchip4.exe"

This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
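The two startup entries above can be checked for in a registry export. The following is an added example, not part of the original description or of any F-Secure tool: it parses text in regedit export format and reports Run and RunServices values under HKLM that use the value name or file name given above. The function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the Installation section of this description.
AUTOSTART_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
)
VALUE_NAME = "nvidia chip4"
FILE_RE = re.compile(r'(?:^|[\\/"\s])nvchip4\.exe(?:$|["\s])', re.IGNORECASE)
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(text):
    # .reg files write a backslash as two backslashes and a quote as backslash-quote.
    return re.sub(r"\\(.)", r"\1", text)


def find_agobot_autostart(reg_text):
    """Return (key, value name, data) for autostart entries matching the indicators."""
    hits, key = [], ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            key = section.group(1)
            continue
        value = STRING_RE.match(line)
        in_hklm = key.upper().startswith(("HKEY_LOCAL_MACHINE\\", "HKLM\\"))
        if not (value and in_hklm and key.lower().endswith(AUTOSTART_KEYS)):
            continue
        name, data = unescape(value.group(1)), unescape(value.group(2))
        # Match on either indicator so a renamed value or a full path is still caught.
        if name.lower() == VALUE_NAME or FILE_RE.search(data):
            hits.append((key, name, data))
    return hits


# Constructed sample in regedit export format (not taken from a real system).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"nVidia Chip4"="nvchip4.exe"
"Display Helper"="C:\\WINDOWS\\System32\\NVCHIP4.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"nVidia Chip4"="nvchip4.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_agobot_autostart(SAMPLE_EXPORT):
        print(f"{key}: {name!r} -> {data!r}")
```

Exports written by regedit in this format are UTF-16 encoded, so decode the file accordingly before passing its text to the function.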

Propagation (Network Shares)

Agobot.FO can scan for computers connected to the infected machine over a local network and copy itself to other accessible machines. The scan must be initiated by a remote attacker. When spreading over the local network, Agobot.FO probes the following shares:

  • admin$
  • c$
  • d$
  • e$
  • print$
  • c

It tries to connect using the following account names:


When connecting, Agobot.FO uses the following passwords:


If the worm succeeds in connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.
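On the receiving side, this propagation shows up as one source cycling through many account names against the same machine in a short time. The following is an added example, not part of the original description: it flags that pattern in failed-logon records. The record layout, the thresholds (5 distinct accounts in 5 minutes), and all hosts and account names in the sample are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_dictionary_logons(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag (source, target) pairs whose failed logons cycle through many
    distinct account names inside one time window.

    events: iterable of (iso_timestamp, source, target, account) failures.
    Returns {(source, target): sorted account names seen while over threshold}.
    """
    recent = defaultdict(deque)   # (source, target) -> failures still in window
    flagged = defaultdict(set)
    for stamp, source, target, account in sorted(events):
        when = datetime.fromisoformat(stamp)
        queue = recent[(source, target)]
        # Windows account names are case-insensitive, so fold case first.
        queue.append((when, account.lower()))
        while when - queue[0][0] > window:
            queue.popleft()
        names = {name for _, name in queue}
        if len(names) >= min_accounts:
            flagged[(source, target)] |= names
    return {pair: sorted(names) for pair, names in flagged.items()}


def sample_events():
    """Constructed failed-logon records; hosts and accounts are made up."""
    guesses = ["Administrator", "backup", "helpdesk", "Guest", "scanner",
               "kiosk", "ADMINISTRATOR"]
    events = [(f"2004-03-20T10:00:{i:02d}", "10.0.0.23", "10.0.0.7", name)
              for i, name in enumerate(guesses)]
    # One person mistyping a password: many failures, a single account.
    events += [(f"2004-03-20T10:0{i}:30", "10.0.0.40", "10.0.0.7", "jsmith")
               for i in range(6)]
    # Failures on different accounts an hour apart never share a window.
    events += [(f"2004-03-20T1{i}:15:00", "10.0.0.41", "10.0.0.7", f"svc{i}")
               for i in range(1, 7)]
    return events


if __name__ == "__main__":
    for (source, target), names in find_dictionary_logons(sample_events()).items():
        print(f"{source} -> {target}: {len(names)} accounts tried: {names}")
```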

Activity - IRC Bot

The backdoor is controlled via an IRC bot that is created on a certain IRC server in a specific channel when the backdoor's file is active. The following operations can be performed via the bot:

  • display bot info
  • terminate bot
  • resolve host/ip by DNS
  • start an executable file
  • display current bot ID
  • change a nickname of a bot
  • open any file
  • remove bot
  • remove bot if it doesn't match certain criteria
  • generate random name for a bot
  • get bot status
  • display system info
  • check bot's uptime
  • quit the bot
  • flush bot's DNS cache
  • delete shares and disable DCOM
  • re-create shares and enable DCOM
  • run a command on a system
  • repeat the last action
  • enable or disable shell handler
  • list all available commands
  • redirect HTTPS traffic
  • redirect HTTP traffic
  • redirect traffic on certain sockets
  • load a plugin (unloading is not supported yet)
  • change IRC server that the bot connects to
  • reconnect to IRC server
  • send a raw message to IRC server
  • send a private message
  • part a channel
  • print network info
  • change channel mode
  • gets host info
  • join a specified channel
  • checks if working from .edu domain
  • disconnect from IRC
  • enable sniffers (http, ftp, irc, bot)
  • spam AOL channel
  • enable IdentD server
  • save/load configuration settings to a file
  • accesses certain variables in configuration file
  • enable/disable starting as a service
  • adds/deletes autostart key in the Registry
  • execute command if certain conditions are met
  • download and execute a file from an ftp server
  • update the bot from an ftp server
  • download a file from ftp server
  • update the bot from http server
  • download a file from http server
  • visit a specified URL
  • log off current user
  • shutdown a computer
  • reboot a computer
  • kill specified process
  • list all processes

Scanning for Vulnerabilities & Infections

The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with the MyDoom worm (port 3127), the Bagle worm (port 2745) and for computers where DameWare remote system management software is installed (port 6129).
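The port set above makes the scan recognisable in connection logs: one internal source touching many hosts on several of these ports. The following is an added example, not part of the original description: it applies that profile to flow records. The record layout, the thresholds (5 targets, 3 ports), and the addresses in the sample are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports named in this description and what the backdoor looks for on each.
EXPLOIT_PORTS = {80, 135, 445}          # MS03-026 / MS03-001 / MS03-007 probes
BACKDOOR_PORTS = {3127: "MyDoom", 2745: "Bagle", 6129: "DameWare"}
PROFILE = EXPLOIT_PORTS | set(BACKDOOR_PORTS)


def find_scanners(flows, min_targets=5, min_ports=3):
    """flows: iterable of (source, destination, destination_port).

    A source is reported when it touched at least min_targets distinct hosts
    on profile ports and used at least min_ports different profile ports, so
    heavy web browsing (port 80 only) or one file-server client does not fire.
    """
    targets = defaultdict(set)
    ports = defaultdict(set)
    for source, destination, port in flows:
        if port in PROFILE:
            targets[source].add(destination)
            ports[source].add(port)
    report = {}
    for source in targets:
        if len(targets[source]) >= min_targets and len(ports[source]) >= min_ports:
            report[source] = {
                "targets": len(targets[source]),
                "ports": sorted(ports[source]),
                "looks_for": sorted(BACKDOOR_PORTS[p] for p in ports[source]
                                    if p in BACKDOOR_PORTS),
            }
    return report


def sample_flows():
    """Constructed flow records; all addresses are made up."""
    flows = [("10.0.0.23", f"10.0.1.{host}", port)
             for host in range(1, 9)
             for port in (135, 445, 3127, 2745, 6129)]
    # A workstation browsing many web servers: many targets, one profile port.
    flows += [("10.0.0.40", f"192.0.2.{n}", 80) for n in range(1, 30)]
    # A client of one file server: a profile port, but a single target.
    flows += [("10.0.0.41", "10.0.0.5", 445)] * 20
    return flows


if __name__ == "__main__":
    for source, detail in find_scanners(sample_flows()).items():
        print(source, detail)
```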

Distributed Denial of Service attack

The backdoor can perform the following types of DDoS attacks:

  • HTTP flood
  • SYN flood
  • UDP flood
  • ICMP flood

When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot. The backdoor sends 256000 bytes of random data to the following websites and checks the response times:

  • www.schlund.net
  • www.utwente.nl
  • www.xo.net
  • www.stanford.edu
  • www.lib.nthu.edu.tw
  • www.st.lib.keio.ac.jp

E-mail Address Collection

The bot can harvest e-mail addresses. It has the functionality to read the user's Address Book and send the list of e-mail addresses to the bot operator.

System Registry Information Collection

The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.

Terminating Processes

Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:





