Threat Descriptions

Backdoor:W32/Agobot.FO

Classification

Category :

Malware

Type :

Backdoor

Platform :

W32

Aliases :

Backdoor.Win32.Agobot.fo

Summary

A remote administration tool (RAT) that bypasses the security features of a program, computer or network to give unauthorized access or control to its user.

Removal

Security Updates

The most important step of disinfection is the installation of security patches for the vulnerabilities exploited by Agobot.

Detailed information and patches are available from the following pages:

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Backdoor:W32/Agobot.FO is a variant from the Agobot backdoor family.

This backdoor has functionality similar to previous-released variants, but is more powerful, being able to harvest email addresses, launch Distributed Denial of Service (DDoS) attacks and more. Agobot.FO propagates over network shares.

Agobot.FO's code has a 'Phatbot3' identifier and there are a few 'phat' text strings in its body. As the original Agobot author is known as TheAgo, its possible the identifier indicates that this variant is made by a different person or group.

The backdoor's file is a PE executable 115738 bytes long compressed with PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.

Agobot.FO was found in March, 2004 and has become relatively widespread.

Installation

During installation, Agobot.FO copies itself as NVCHIP4.EXE file to the Windows System folder and creates startup keys for this file in System Registry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "nVidia Chip4" = "nvchip4.exe"
  • [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "nVidia Chip4" = "nvchip4.exe"

This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.

Propagation (Network Shares)

Agobot.FO can scan for computers connected to the infected machine over a local network and copy itself to other accessible machines. The scan must be initiated by a remote attacker.

When spreading over the local network, Agobot.FO probes the following shares:

  • admin$
  • c$
  • d$
  • e$
  • print$
  • c

It tries to connect using the following account names:

  • Administrator
  • Administrateur
  • Coordinatore
  • Administrador
  • Verwalter
  • Ospite
  • kanri
  • kanri-sha
  • admin
  • administrator
  • Default
  • Convidado
  • mgmt
  • Standard
  • User
  • Administrator
  • administrador
  • Owner
  • user
  • server
  • Test
  • Guest
  • Gast
  • Inviter
  • a
  • aaa
  • abc
  • x
  • xyz
  • Dell
  • home
  • pc
  • test
  • temp
  • win
  • asdf
  • qwer
  • OEM
  • root
  • wwwadmin
  • login
  • owner
  • mary
  • admins
  • computer
  • xp
  • OWNER
  • mysql
  • database
  • teacher
  • student

When connecting, Agobot.FO uses the following passwords:

  • 103015
  • admin
  • Admin
  • password
  • Password
  • 1
  • 12
  • 123
  • 1234
  • !@#$
  • asdfgh
  • !@#$%
  • !@#$%^
  • !@#$%^&
  • !@#$%^&*
  • WindowsXP
  • windows2k
  • windowsME
  • windows98
  • windoze
  • hax
  • dude
  • owned
  • lol
  • ADMINISTRATOR
  • rooted
  • noob
  • TEMP
  • share
  • r00t
  • ROOT
  • TEST
  • SYSTEM
  • LOCAL
  • SERVER
  • ACCESS
  • BACKUP
  • computer
  • fucked
  • gay
  • idiot
  • Internet
  • test
  • 2003
  • 2004
  • backdoor
  • whore
  • wh0re
  • CNN
  • pwned
  • own
  • crash
  • passwd
  • PASSWD
  • devil
  • linux
  • UNIX
  • feds
  • fish
  • changeme
  • ASP
  • PHP
  • 666
  • BOX
  • Box
  • box
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 654321
  • 54321
  • 111
  • 000000
  • 00000000
  • 11111111
  • 88888888
  • pass
  • passwd
  • database
  • abcd
  • oracle
  • sybase
  • 123qwe
  • server
  • computer
  • Internet
  • super
  • 123asd
  • ihavenopass
  • godblessyou
  • enable
  • xp
  • 2002
  • 2003
  • 2600
  • 0
  • 110
  • 111111
  • 121212
  • 123123
  • 1234qwer
  • 123abc
  • 007
  • alpha
  • patrick
  • pat
  • administrator
  • root
  • sex
  • god
  • foobar
  • a
  • aaa
  • abc
  • test
  • temp
  • win
  • pc
  • asdf
  • secret
  • qwer
  • yxcv
  • zxcv
  • home
  • xxx
  • owner
  • login
  • Login
  • Coordinatore
  • Administrador
  • Verwalter
  • Ospite
  • administrator
  • Default
  • administrador
  • admins
  • teacher
  • student
  • superman
  • supersecret
  • kids
  • penis
  • wwwadmin
  • database
  • changeme
  • test123
  • user
  • private
  • 69
  • root
  • 654321
  • xxyyzz
  • asdfghjkl
  • mybaby
  • vagina
  • pussy
  • leet
  • metal
  • work
  • school
  • mybox
  • box
  • werty
  • baby
  • porn
  • homework
  • secrets
  • x
  • z
  • qwertyuiop
  • secret
  • Administrateur
  • abc123
  • password123
  • red123
  • qwerty
  • admin123
  • zxcvbnm
  • poiuytrewq
  • pwd
  • pass
  • love
  • mypc
  • mypass
  • pw

If the worm succeeds in connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.

Activity

IRC Bot

The backdoor is controlled via an IRC bot that is created on a certain IRC server in a specific channel when the the backdoor's file is active.

The following oprerations can be performed via tbe bot:

  • display bot info
  • terminate bot
  • resolve host/ip by DNS
  • start an executable file
  • display current bot ID
  • change a nickname of a bot
  • open any file
  • remove bot
  • remove bot if it doesn't match certain criteria
  • generate random name for a bot
  • get bot status
  • display system info
  • check bot's uptime
  • quit the bot
  • flush bot's DNS cache
  • delete shares and disable DCOM
  • re-create shares and enable DCOM
  • run a command on a system
  • repeat the last action
  • enable or disable shell handler
  • list all available commands
  • redirect HTTPS traffic
  • redirect HTTP traffic
  • redirect traffic on certian sockets
  • load a plugin (unloading is not supported yet)
  • change IRC server that the bot connects to
  • reconned to IRC server
  • send a raw message to IRC server
  • send a private message
  • part a channel
  • print network info
  • change channel mode
  • gets host info
  • join a specified channel
  • checks if working from .edu domain
  • disconnect from IRC
  • enable sniffers (http, ftp, irc, bot)
  • spam AOL channel
  • enable IdentD server
  • save/load configuration settings to a file
  • accesses certain variables in configuration file
  • enable/disable starting as a service
  • adds/deletes autostart key in the Registry
  • execute command if certain conditions are met
  • download and execute a file from an ftp server
  • update the bot from an ftp server
  • download a file from ftp server
  • update the bot from http server
  • download a file from http server
  • visit a specified URL
  • log off current user
  • shutdown a computer
  • reboot a computer
  • kill specified process
  • list all processes

Scanning for Vulnerabilities & Infections

The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities.

The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).

Distributed Denial of Service attack

The backdoor can perform the following types of DDoS attacks:

  • HTTP flood
  • SYN flood
  • UDP flood
  • ICMP flood

When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.

The backdoor sends 256000 bytes of random data to the following websites and checks the response times:

  • www.schlund.net
  • www.utwente.nl
  • www.xo.net
  • www.stanford.edu
  • www.lib.nthu.edu.tw
  • www.st.lib.keio.ac.jp

email Address Collection

The bot can harvest email addresses. It has the functionality to read user's Address Book and send the list of email addresses to the bot operator.

System Registry Information Collection

The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.

Terminating Processes

Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:

  • _AVPM.EXE
  • _AVPCC.EXE
  • _AVP32.EXE
  • ZONEALARM.EXE
  • ZONALM2601.EXE
  • ZATUTOR.EXE
  • ZAPSETUP3001.EXE
  • ZAPRO.EXE
  • XPF202EN.EXE
  • WYVERNWORKSFIREWALL.EXE
  • WUPDT.EXE
  • WUPDATER.EXE
  • WSBGATE.EXE
  • WRCTRL.EXE
  • WRADMIN.EXE
  • WNT.EXE
  • WNAD.EXE
  • WKUFIND.EXE
  • WINUPDATE.EXE
  • WINTSK32.EXE
  • WINSTART001.EXE
  • WINSTART.EXE
  • WINSSK32.EXE
  • WINSERVN.EXE
  • WINRECON.EXE
  • WINPPR32.EXE
  • WINNET.EXE
  • WINMAIN.EXE
  • WINLOGIN.EXE
  • WININITX.EXE
  • WININIT.EXE
  • WININETD.EXE
  • WINDOWS.EXE
  • WINDOW.EXE
  • WINACTIVE.EXE
  • WIN32US.EXE
  • WIN32.EXE
  • WIN-BUGSFIX.EXE
  • WIMMUN32.EXE
  • WHOSWATCHINGME.EXE
  • WGFE95.EXE
  • WFINDV32.EXE
  • WEBTRAP.EXE
  • WEBSCANX.EXE
  • WEBDAV.EXE
  • WATCHDOG.EXE
  • W9X.EXE
  • W32DSM89.EXE
  • VSWINPERSE.EXE
  • VSWINNTSE.EXE
  • VSWIN9XE.EXE
  • VSSTAT.EXE
  • VSMON.EXE
  • VSMAIN.EXE
  • VSISETUP.EXE
  • VSHWIN32.EXE
  • VSECOMR.EXE
  • VSCHED.EXE
  • VSCENU6.02D30.EXE
  • VSCAN40.EXE
  • VPTRAY.EXE
  • VPFW30S.EXE
  • VPC42.EXE
  • VPC32.EXE
  • VNPC3000.EXE
  • VNLAN300.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VIR-HELP.EXE
  • VFSETUP.EXE
  • VETTRAY.EXE
  • VET95.EXE
  • VET32.EXE
  • VCSETUP.EXE
  • VBWINNTW.EXE
  • VBWIN9X.EXE
  • VBUST.EXE
  • VBCONS.EXE
  • VBCMSERV.EXE
  • UTPOST.EXE
  • UPGRAD.EXE
  • UPDAT.EXE
  • UNDOBOOT.EXE
  • TVTMD.EXE
  • TVMD.EXE
  • TSADBOT.EXE
  • TROJANTRAP3.EXE
  • TRJSETUP.EXE
  • TRJSCAN.EXE
  • TRICKLER.EXE
  • TRACERT.EXE
  • TITANINXP.EXE
  • TITANIN.EXE
  • TGBOB.EXE
  • TFAK5.EXE
  • TFAK.EXE
  • TEEKIDS.EXE
  • TDS2-NT.EXE
  • TDS2-98.EXE
  • TDS-3.EXE
  • TCM.EXE
  • TCA.EXE
  • TC.EXE
  • TBSCAN.EXE
  • TAUMON.EXE
  • TASKMON.EXE
  • TASKMO.EXE
  • TASKMG.EXE
  • SYSUPD.EXE
  • SYSTEM32.EXE
  • SYSTEM.EXE
  • SYSEDIT.EXE
  • SYMTRAY.EXE
  • SYMPROXYSVC.EXE
  • SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
  • SWEEP95.EXE
  • SVSHOST.EXE
  • SVCHOSTS.EXE
  • SVCHOSTC.EXE
  • SVC.EXE
  • SUPPORTER5.EXE
  • SUPPORT.EXE
  • SUPFTRL.EXE
  • STCLOADER.EXE
  • START.EXE
  • ST2.EXE
  • SSG_4104.EXE
  • SSGRATE.EXE
  • SS3EDIT.EXE
  • SRNG.EXE
  • SREXE.EXE
  • SPYXX.EXE
  • SPOOLSV32.EXE
  • SPOOLCV.EXE
  • SPOLER.EXE
  • SPHINX.EXE
  • SPF.EXE
  • SPERM.EXE
  • SOFI.EXE
  • UPDATE.EXE
  • SOAP.EXE
  • SMSS32.EXE
  • SMS.EXE
  • SMC.EXE
  • SHOWBEHIND.EXE
  • SHN.EXE
  • SHELLSPYINSTALL.EXE
  • SH.EXE
  • SGSSFW32.EXE
  • SFC.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SETUPVAMEEVAL.EXE
  • SERVLCES.EXE
  • SERVLCE.EXE
  • SERVICE.EXE
  • SERV95.EXE
  • SD.EXE
  • SCVHOST.EXE
  • SCRSVR.EXE
  • SCRSCAN.EXE
  • SCANPM.EXE
  • SCAN95.EXE
  • SCAN32.EXE
  • SCAM32.EXE
  • SC.EXE
  • SBSERV.EXE
  • SAVENOW.EXE
  • SAVE.EXE
  • SAHAGENT.EXE
  • SAFEWEB.EXE
  • RUXDLL32.EXE
  • RUNDLL16.EXE
  • RUNDLL.EXE
  • RUN32DLL.EXE
  • RULAUNCH.EXE
  • RTVSCN95.EXE
  • RTVSCAN.EXE
  • RSHELL.EXE
  • RRGUARD.EXE
  • RESCUE32.EXE
  • RESCUE.EXE
  • REGEDT32.EXE
  • REGEDIT.EXE
  • REGED.EXE
  • REALMON.EXE
  • RCSYNC.EXE
  • RB32.EXE
  • RAY.EXE
  • RAV8WIN32ENG.EXE
  • RAV7WIN.EXE
  • RAV7.EXE
  • RAPAPP.EXE
  • QSERVER.EXE
  • QCONSOLE.EXE
  • PVIEW95.EXE
  • PUSSY.EXE
  • PURGE.EXE
  • PSPF.EXE
  • PROTECTX.EXE
  • PROPORT.EXE
  • PROGRAMAUDITOR.EXE
  • PROCEXPLORERV1.0.EXE
  • PROCESSMONITOR.EXE
  • PROCDUMP.EXE
  • PRMVR.EXE
  • PRMT.EXE
  • PRIZESURFER.EXE
  • PPVSTOP.EXE
  • PPTBC.EXE
  • PPINUPDT.EXE
  • POWERSCAN.EXE
  • PORTMONITOR.EXE
  • PORTDETECTIVE.EXE
  • POPSCAN.EXE
  • POPROXY.EXE
  • POP3TRAP.EXE
  • PLATIN.EXE
  • PINGSCAN.EXE
  • PGMONITR.EXE
  • PFWADMIN.EXE
  • PF2.EXE
  • PERSWF.EXE
  • PERSFW.EXE
  • PERISCOPE.EXE
  • PENIS.EXE
  • PDSETUP.EXE
  • PCSCAN.EXE
  • PCIP10117_0.EXE
  • PCFWALLICON.EXE
  • PCDSETUP.EXE
  • PCCWIN98.EXE
  • PCCWIN97.EXE
  • PCCNTMON.EXE
  • PCCIOMON.EXE
  • PCC2K_76_1436.EXE
  • PCC2002S902.EXE
  • PAVW.EXE
  • PAVSCHED.EXE
  • PAVPROXY.EXE
  • PAVCL.EXE
  • PATCH.EXE
  • PANIXK.EXE
  • PADMIN.EXE
  • OUTPOSTPROINSTALL.EXE
  • OUTPOSTINSTALL.EXE
  • OTFIX.EXE
  • OSTRONET.EXE
  • OPTIMIZE.EXE
  • ONSRVR.EXE
  • OLLYDBG.EXE
  • NWTOOL16.EXE
  • NWSERVICE.EXE
  • NWINST4.EXE
  • NVSVC32.EXE
  • NVC95.EXE
  • NVARCH16.EXE
  • NUI.EXE
  • NTXconfig.EXE
  • NTVDM.EXE
  • NTRTSCAN.EXE
  • NT.EXE
  • NSUPDATE.EXE
  • NSTASK32.EXE
  • NSSYS32.EXE
  • NSCHED32.EXE
  • NPSSVC.EXE
  • NPSCHECK.EXE
  • NPROTECT.EXE
  • NPFMESSENGER.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NOTSTART.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • NORMIST.EXE
  • NOD32.EXE
  • NMAIN.EXE
  • NISUM.EXE
  • NISSERV.EXE
  • NETUTILS.EXE
  • NETSTAT.EXE
  • NETSPYHUNTER-1.2.EXE
  • NETSCANPRO.EXE
  • NETMON.EXE
  • NETINFO.EXE
  • NETD32.EXE
  • NETARMOR.EXE
  • NEOWATCHLOG.EXE
  • NEOMONITOR.EXE
  • NDD32.EXE
  • NCINST4.EXE
  • NC2000.EXE
  • NAVWNT.EXE
  • NAVW32.EXE
  • NAVSTUB.EXE
  • NAVNT.EXE
  • NAVLU32.EXE
  • NAVENGNAVEX15.NAVLU32.EXE
  • OUTPOST.EXE
  • NUPGRADE.EXE
  • NAVDX.EXE
  • NAVAPW32.EXE
  • NAVAPSVC.EXE
  • NAVAP.NAVAPSVC.EXE
  • AUTO-PROTECT.NAV80TRY.EXE
  • NAV.EXE
  • N32SCANW.EXE
  • MWATCH.EXE
  • MU0311AD.EXE
  • MSVXD.EXE
  • MSSYS.EXE
  • MSSMMC32.EXE
  • MSMSGRI32.EXE
  • MSMGT.EXE
  • MSLAUGH.EXE
  • MSINFO32.EXE
  • MSIEXEC16.EXE
  • MSDOS.EXE
  • MSDM.EXE
  • MSCONFIG.EXE
  • MSCMAN.EXE
  • MSCCN32.EXE
  • MSCACHE.EXE
  • MSBLAST.EXE
  • MSBB.EXE
  • MSAPP.EXE
  • MRFLUX.EXE
  • MPFTRAY.EXE
  • MPFSERVICE.EXE
  • MPFAGENT.EXE
  • MOSTAT.EXE
  • MOOLIVE.EXE
  • MONITOR.EXE
  • MMOD.EXE
  • MINILOG.EXE
  • MGUI.EXE
  • MGHTML.EXE
  • MGAVRTE.EXE
  • MGAVRTCL.EXE
  • MFWENG3.02D30.EXE
  • MFW2EN.EXE
  • MFIN32.EXE
  • MD.EXE
  • MCVSSHLD.EXE
  • MCVSRTE.EXE
  • MCTOOL.EXE
  • MCSHIELD.EXE
  • MCMNHDLR.EXE
  • MCAGENT.EXE
  • MAPISVC32.EXE
  • LUSPT.EXE
  • LUINIT.EXE
  • LUCOMSERVER.EXE
  • LUAU.EXE
  • LSETUP.EXE
  • LORDPE.EXE
  • LOOKOUT.EXE
  • LOCKDOWN2000.EXE
  • LOCKDOWN.EXE
  • LOCALNET.EXE
  • LOADER.EXE
  • LNETINFO.EXE
  • LDSCAN.EXE
  • LDPROMENU.EXE
  • LDPRO.EXE
  • LDNETMON.EXE
  • LAUNCHER.EXE
  • KILLPROCESSSETUP161.EXE
  • KERNEL32.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KEENVALUE.EXE
  • KAZZA.EXE
  • KAVPF.EXE
  • MCUPDATE.EXE
  • LUALL.EXE
  • KAVPERS40ENG.EXE
  • KAVLITE40ENG.EXE
  • JEDI.EXE
  • JDBGMRG.EXE
  • JAMMER.EXE
  • ISTSVC.EXE
  • ISRV95.EXE
  • ISASS.EXE
  • IRIS.EXE
  • IPARMOR.EXE
  • IOMON98.EXE
  • INTREN.EXE
  • INTDEL.EXE
  • INIT.EXE
  • INFWIN.EXE
  • INFUS.EXE
  • INETLNFO.EXE
  • IFW2000.EXE
  • IFACE.EXE
  • IEXPLORER.EXE
  • IEDRIVER.EXE
  • IEDLL.EXE
  • IDLE.EXE
  • ICSUPPNT.EXE
  • ICMON.EXE
  • ICLOADNT.EXE
  • ICLOAD95.EXE
  • IBMAVSP.EXE
  • IBMASN.EXE
  • IAMSTATS.EXE
  • IAMSERV.EXE
  • IAMAPP.EXE
  • HXIUL.EXE
  • HXDL.EXE
  • HWPE.EXE
  • HTPATCH.EXE
  • HTLOG.EXE
  • HOTPATCH.EXE
  • HOTACTIO.EXE
  • HBSRV.EXE
  • HBINST.EXE
  • HACKTRACERSETUP.EXE
  • GUARDDOG.EXE
  • GUARD.EXE
  • GMT.EXE
  • GENERICS.EXE
  • GBPOLL.EXE
  • GBMENU.EXE
  • GATOR.EXE
  • FSMB32.EXE
  • FSMA32.EXE
  • FSM32.EXE
  • FSGK32.EXE
  • FSAV95.EXE
  • FSAV530WTBYB.EXE
  • FSAV530STBYB.EXE
  • FSAV32.EXE
  • FSAV.EXE
  • FSAA.EXE
  • FRW.EXE
  • FPROT.EXE
  • FP-WIN_TRIAL.EXE
  • FP-WIN.EXE
  • FNRB32.EXE
  • FLOWPROTECTOR.EXE
  • FIREWALL.EXE
  • FINDVIRU.EXE
  • FIH32.EXE
  • FCH32.EXE
  • FAST.EXE
  • FAMEH32.EXE
  • F-STOPW.EXE
  • F-PROT95.EXE
  • F-PROT.EXE
  • F-AGNT95.EXE
  • EXPLORE.EXE
  • EXPERT.EXE
  • EXE.AVXW.EXE
  • ICSUPP95.EXE
  • EXANTIVIRUS-CNET.EXE
  • EVPN.EXE
  • ETRUSTCIPE.EXE
  • ETHEREAL.EXE
  • ESPWATCH.EXE
  • ESCANV95.EXE
  • ESCANHNT.EXE
  • ESCANH95.EXE
  • ESAFE.EXE
  • ENT.EXE
  • EMSW.EXE
  • EFPEADM.EXE
  • ECENGINE.EXE
  • DVP95_0.EXE
  • DVP95.EXE
  • DSSAGENT.EXE
  • DRWEBUPW.EXE
  • DRWEB32.EXE
  • DRWATSON.EXE
  • DPPS2.EXE
  • DPFSETUP.EXE
  • DPF.EXE
  • DOORS.EXE
  • DLLREG.EXE
  • DLLCACHE.EXE
  • DIVX.EXE
  • DEPUTY.EXE
  • DEFWATCH.EXE
  • DEFSCANGUI.EXE
  • DEFALERT.EXE
  • DCOMX.EXE
  • DATEMANAGER.EXE
  • Claw95.EXE
  • CWNTDWMO.EXE
  • CWNB181.EXE