What is frmwrk32.exe

This is cloaked malware and malware downloader.

Also use the following names:

• 64439744.EXE
• 71698828.DAT
• VRTA.TMP
• TOP[n].TXT
• 6.TMP
• 8.TMP
• 93511318.DAT
• 92837428.BAD
• 11244301.EXE
• LOADER[n].EXE
• WJQS.EXE
• A.EXE
• SVCHOST.EXE
• FRMWRK32/A.EXE
• FRMWRK32/A0051148.EXE
• FRMWRK32/U-STORE[n].GIF
• FRMWRK32/FRMWRK32.EXE
• RDL4.TMP
• 45049727.EXE
• 22690229.EXE
• 303350.EXE
• 06696265.EXE
• 78935166.EXE
• LOADER.EXE

File activity:

• Deletes c:\windows\system32\frmwrk32.exe
• Copies filec:\windows\system32\frmwrk32.exe to c:\windows\system32\frmwrk32.exe
• Creates c:\windows\system32\ntdll64.exe
• Creates c:\windows\system32\win32hlp.cnf
• Creates c:\windows\system32\warning.gif
• Creates c:\windows\system32\ahtn.htm
• Creates c:\docume~1\user\locals~1\temp\cscript.exe
• Creates c:\windows\cscript.exe
• Deletes c:\docume~1\user\locals~1\temp\ntdll64.dll
• Creates c:\docume~1\user\locals~1\temp\ntdll64.dll
• Deletes c:\docume~1\user\locals~1\temp\mousehook.dll
• Creates c:\docume~1\user\locals~1\temp\mousehook.dll
• Moves c:\windows\system32\userinit.exe to c:\windows\system32\init32.exe
• Copies filec:\windows\system32\ntdll64.exe to c:\windows\system32\userinit.exe
• Copies filec:\windows\system32\ntdll64.exe to c:\windows\system32\dllcache\userinit.exe
• Deletes c:\windows\system32\ntdll64.ex

Registry Activity:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr value:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoSetActiveDesktop value:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop NoChangingWallpaper value:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoActiveDesktopChanges value:
• HKEY_CURRENT_USER\Software 2a422c91-6984-47e4-94be-04c4fad5f8d8 value:
• HKEY_CURRENT_USER\Software 1099ce4a-ff51-4a8d-ab3c-c74b9c06e46f [REG_DWORD, value: 0000009F]
• HKEY_CURRENT_USER\Software\Microsoft WinId {564F3BEB-5C60-48E6-A249-2EF6CE6B0C31}