HEUR:Packed.Win32.Upantix.gen (Kaspersky), GenPack:Generic.Malware.Sdld.A8363A66 (B) (Emsisoft), GenPack:Generic.Malware.Sdld.A8363A66 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Worm, IRC-Worm, Packed, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 491d0b706ac85b6611f36794bc6592b2
SHA1: f04799735fffe9c678ce8054f9fe3869d34cf304
SHA256: fe77b2581a4686408a4e9990c239796f26b78ce9a1f375488765f7636ee12b9d
SSDeep: 3072:6ZLLWQa0rmeeeec1pcQ7JYYYYqAAlrw1ac/2doA8wbzj:6ZLL99rwnJIU/8g
Size: 135052 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The GenPack creates the following process(es): No processes have been created.
The GenPack injects its code into the following process(es):
%original file name%.exe:3380
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:3380 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
C:\Windows\win32dc\Doom 3_codes.exe (10879 bytes)
C:\Windows\win32dc\UT2004 patch.exe (10879 bytes)
C:\Windows\win32dc\FlatOut trainer.exe (17935 bytes)
C:\Windows\win32dc\FlatOut serial.exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4 fix.exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4_crack.exe (14311 bytes)
C:\Windows\win32dc\DAoC nocd.exe (2533 bytes)
C:\Windows\win32dc\Counter-Strike cdfix.exe (10879 bytes)
C:\Windows\win32dc\Counter-Strike_codes.exe (10879 bytes)
C:\Windows\win32dc\DAoC patch.exe (17935 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
2e024004c02bdc5037d0e94d32691c9d | c:\Windows\win32dc\Counter-Strike cdfix.exe |
8043992bd3902988b69a5c8cad98b05d | c:\Windows\win32dc\Counter-Strike_codes.exe |
a0ba1c142857792c0850f352bba5d788 | c:\Windows\win32dc\DAoC nocd.exe |
cc496bd0e4cdb2bdf8d4669a99e607fb | c:\Windows\win32dc\DAoC patch.exe |
5e10f993d127f861b9b5f439991e2e3f | c:\Windows\win32dc\Doom 3_codes.exe |
a330b9430651d3340f2886699b85e14b | c:\Windows\win32dc\FlatOut trainer.exe |
e3888782383e762812a1647ca01d4e6c | c:\Windows\win32dc\Silent Hill 4_crack.exe |
0dd84ce69bf012cdebc2bd80c335aaf7 | c:\Windows\win32dc\UT2004 patch.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original GenPack file.
- Delete or disinfect the following files created/modified by the GenPack:
C:\Windows\win32dc\Doom 3_codes.exe (10879 bytes)
C:\Windows\win32dc\UT2004 patch.exe (10879 bytes)
C:\Windows\win32dc\FlatOut trainer.exe (17935 bytes)
C:\Windows\win32dc\FlatOut serial.exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4 fix.exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4_crack.exe (14311 bytes)
C:\Windows\win32dc\DAoC nocd.exe (2533 bytes)
C:\Windows\win32dc\Counter-Strike cdfix.exe (10879 bytes)
C:\Windows\win32dc\Counter-Strike_codes.exe (10879 bytes)
C:\Windows\win32dc\DAoC patch.exe (17935 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 57344 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 61440 | 77824 | 76288 | 5.52275 | 0d6d2c630eb350357bb770282a4c1bc8 |
.rsrc | 139264 | 4096 | 2048 | 2.63797 | b5916a1f63e299e8c8a487a2ccfe581b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 102
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The GenPack connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_3380:
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
&pWebServ
KERNEL32.DLL
advapi32.dll
mpr.dll
oleaut32.dll
shell32.dll
URLMON.DLL
user32.dll
wininet.dll
wsock32.dll