File Investigation Report
MSCD.EXE
System Back DoorYour PC may be infected. The presence of a file called MSCD.EXE is a possible sign of infection.
You should urgently check your PC to make sure it is not infected. The free version of Prevx will scan your PC in less than two minutes and check for millions of spyware and malware infections including MSCD.EXE. Don't put your confidential data, or your identity at risk, check your PC now with Prevx.
Associated Malware Groups
The unsafe files using this name are associated with the malware groups:
- System Back Door
- Cloaked Malware
- Malicious Software
File Behavior
MSCD.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Executes a Process
- Writes to another Process's Virtual Memory (Process Hijacking)
- This process creates other processes on disk
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- This Process Deletes Other Processes From Disk
- Registers a Dynamic Link Library File
MSCD.EXE has been the subject of the following behavior:
- Executed from Temporary Folders
- Created as a process on disk
- Added as a Registry Key (DXCOM) to auto start Programs on system start up
- Has code inserted into its Virtual Memory space by other programs
- Executed as a Process
- Deleted as a process from disk
- Copied to multiple locations on the system
Country Of Origin
The filename MSCD.EXE was first seen on Sep 14 2007 in the following geographical regions of the Prevx community:
- The UNITED KINGDOM on Sep 14 2007
- NETHERLANDS on Sep 30 2007
- SPAIN on Sep 30 2007
- SERBIA AND MONTENEGRO on Nov 23 2007
- The UNITED STATES on Jan 19 2008
- SWEDEN on Jan 19 2008
- FRANCE on Feb 15 2008
File Name Aliases
MSCD.EXE can also use the following file names:
- 90577243.VXE
- 86867962.EXE
- 71932212.EX_
- 99456171.EXE
- 81079619.EXE
- SUPPOR.EXE
- 68998254.SVD
- 76321512.EXE
- 3.EXE
- 99426645.SVD
- SUPORT.EXE
- 34519005.EXE
- 84348931.EXE
- TEMP.EXE
- CONTECT.EXE
- MSCD.EXE.ORG
- INSTALL.EXE
- 51185411.SVD
- 85837901.DAT
Filesizes
The following file size has been seen:
- 248,832 bytes
- 225,792 bytes
- 593,920 bytes
- 650,240 bytes
- 515,584 bytes
- 108,546,746 bytes
- 830,464 bytes
Vendor, Product and Version Information
These files have no vendor, product or version information specified in the file header.
File Type
The filename MSCD.EXE refers to many versions of an executable program.
File Activity
One or more files with the name MSCD.EXE creates, deletes, copies or moves the following files and folders:
- Creates c:\windows\system32\msdp.dll
- Opens/modifes c:\autoexec.bat
- Creates c:\docume~1\user\locals~1\temp\00000a7000000a80.ur
- Deletes c:\docume~1\user\locals~1\temp\00000a7000000a80.ur
Registry Activity
One or more files with the name MSCD.EXE creates or modifies the following registry keys and values:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main CompatibilityFlags value:
- HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d} Enable value:
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main FullScreen no
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Window_Placement [REG_BINARY, size: 44 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar Locked value:
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\sarah5554945@live.co.uk usertileurl http://blufiles.storage.msn.com/static/18
- HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\UserExtendedProperties\sarah5554945@live.co.uk idtiletimestamp 2008-03-11T12:53:22.000000-00:00
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Zoom ZoomFactor [REG_DWORD, value: 000186A0]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F UserFile [REG_BINARY, size: 79044 bytes]
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main RunOnceHasShown value:
Website Activity
One or more files with the name MSCD.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
- TCP:127.0.0.1:1089 Port:23
- Port 80 IP:207.46.250.101
- Port 80 IP:65.55.187.206
- Port 80 IP:63.236.111.59