HEUR:Packed.Win32.Upantix.gen (Kaspersky), GenPack:Generic.Malware.Sdld.B623D2C8 (B) (Emsisoft), GenPack:Generic.Malware.Sdld.B623D2C8 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Worm, IRC-Worm, Packed, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c9258cd04d3485dbba048cf9ff62add3
SHA1: 685e82da0d831cbac76fa76787f98e11025e0cbc
SHA256: 4876ac8ab3232b0a1951028cdad57709217cad3c10d1216629fe302b3b4de2d1
SSDeep: 3072:3mmKzwrBBBifffffDQpjAAlrw1ac/2doA8wbzj:3mmKzwpjnJIU/8g
Size: 135052 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 1992-06-20 01:22:17 (PE header timestamp, displayed in local time; this is the fixed value the Borland Delphi linker writes into every executable, 1992-06-19 22:22:17 UTC, so it says nothing about when the sample was built)
Analyzed on: Windows7 SP1 32-bit
Summary: Worm. A program that primarily replicates over networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The GenPack creates the following process(es):
No processes have been created.
The GenPack injects its code into the following process(es):
%original file name%.exe:2936
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:2936 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
C:\Windows\win32dc\DAoC_serial.exe (673 bytes)
C:\Windows\win32dc\FlatOut_cdfix.exe (6639 bytes)
C:\Windows\win32dc\Doom 3 trainer.exe (7312 bytes)
C:\Windows\win32dc\Counter-Strike(hack).exe (14311 bytes)
C:\Windows\win32dc\Doom 3 codes.exe (6639 bytes)
C:\Windows\win32dc\Quake3(patch).exe (6639 bytes)
C:\Windows\win32dc\Doom 3 codes.exe (2533 bytes)
C:\Windows\win32dc\DAoC hack.exe (10879 bytes)
C:\Windows\win32dc\Doom 3(fix).exe (6639 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
7b260858d0c2326facfab63f866dd0d5 | c:\Windows\win32dc\Counter-Strike(hack).exe |
403076d4fe6c5b0667d6cad26a6c674b | c:\Windows\win32dc\DAoC hack.exe |
f613f56483521285cc97ea4fb4043d5c | c:\Windows\win32dc\Doom 3 codes.exe |
aac41b2634345a0a7b30be0596589590 | c:\Windows\win32dc\Doom 3 codes.exe |
b64235a3bdcf42f2534b8eb1d167d7ed | c:\Windows\win32dc\Doom 3(fix).exe |
18ba65afffcbd92b3c68d64eb3fdad22 | c:\Windows\win32dc\FlatOut_cdfix.exe |
b6a1dcc5020ffdbfdbce83cee6895982 | c:\Windows\win32dc\Quake3(patch).exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original GenPack file.
- Delete or disinfect the following files created/modified by the GenPack:
C:\Windows\win32dc\DAoC_serial.exe (673 bytes)
C:\Windows\win32dc\FlatOut_cdfix.exe (6639 bytes)
C:\Windows\win32dc\Doom 3 trainer.exe (7312 bytes)
C:\Windows\win32dc\Counter-Strike(hack).exe (14311 bytes)
C:\Windows\win32dc\Doom 3 codes.exe (6639 bytes)
C:\Windows\win32dc\Quake3(patch).exe (6639 bytes)
C:\Windows\win32dc\Doom 3 codes.exe (2533 bytes)
C:\Windows\win32dc\DAoC hack.exe (10879 bytes)
C:\Windows\win32dc\Doom 3(fix).exe (6639 bytes)
- Reboot the computer.
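The Dropped PE files table and the manual removal steps above reduce to one hunt: find files whose MD5 is in the table, or that sit in a win32dc directory under one of the listed names, and take them out of place. The Python below is an added example, not the Ad-Aware remover and not Lavasoft's code. The hashes and names are the report's; the directory tree that demo() scans is constructed in a temporary folder so the code runs offline (on a live host you would point scan_tree at the Windows directory). Two caveats: an MD5 match only catches byte-identical copies, and the dump strings %rnddir%\%rand%.exe and %rnddir%\%rand%.com show the worm can also use random names and directories, which a fixed name list will not cover. Quarantining (moving the file aside) rather than deleting keeps the evidence for later analysis.

```python
"""Hunt for the files this report lists and quarantine what matches.

Added example; not the Ad-Aware remover and not Lavasoft's code. The MD5
values and file names are the report's. The tree that demo() scans is
constructed in a temporary directory so this runs offline; on a live host,
point scan_tree at the Windows directory instead.
"""
import hashlib
import os
import shutil
import tempfile

# MD5 -> file name, from the Dropped PE files table.
DROPPED_MD5 = {
    "7b260858d0c2326facfab63f866dd0d5": "Counter-Strike(hack).exe",
    "403076d4fe6c5b0667d6cad26a6c674b": "DAoC hack.exe",
    "f613f56483521285cc97ea4fb4043d5c": "Doom 3 codes.exe",
    "aac41b2634345a0a7b30be0596589590": "Doom 3 codes.exe",
    "b64235a3bdcf42f2534b8eb1d167d7ed": "Doom 3(fix).exe",
    "18ba65afffcbd92b3c68d64eb3fdad22": "FlatOut_cdfix.exe",
    "b6a1dcc5020ffdbfdbce83cee6895982": "Quake3(patch).exe",
}
# Names from File activity that have no hash in the report: match these only
# inside the worm's drop directory, since the names alone are not unique.
DROP_DIR = "win32dc"
DROPPED_NAMES = {n.lower() for n in DROPPED_MD5.values()} | {
    "daoc_serial.exe", "doom 3 trainer.exe"}


def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, ioc_md5=DROPPED_MD5):
    """Return (path, reason) pairs; reason is 'md5' or 'name'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        in_drop_dir = os.path.basename(dirpath).lower() == DROP_DIR
        for name in files:
            path = os.path.join(dirpath, name)
            if md5_file(path) in ioc_md5:
                hits.append((path, "md5"))
            elif in_drop_dir and name.lower() in DROPPED_NAMES:
                hits.append((path, "name"))
    return hits


def quarantine(hits, qdir):
    """Move matches aside rather than deleting them: keeps evidence."""
    os.makedirs(qdir, exist_ok=True)
    moved = []
    for path, _reason in hits:
        dest = os.path.join(qdir, os.path.basename(path) + ".quarantined")
        shutil.move(path, dest)
        moved.append(dest)
    return moved


def demo():
    """Constructed tree: one name match, one hash match, one lookalike."""
    root = tempfile.mkdtemp(prefix="win32dc_hunt_")
    try:
        drop = os.path.join(root, "Windows", DROP_DIR)
        os.makedirs(drop)
        # Listed name in the drop directory, inert constructed content.
        with open(os.path.join(drop, "Doom 3 trainer.exe"), "wb") as f:
            f.write(b"MZ constructed placeholder 1")
        # Unlisted name; its hash is registered below to exercise the md5 path.
        renamed = os.path.join(drop, "renamed.bin")
        with open(renamed, "wb") as f:
            f.write(b"MZ constructed placeholder 2")
        # Listed name outside the drop directory: must not match by name.
        with open(os.path.join(root, "Windows", "Quake3(patch).exe"), "wb") as f:
            f.write(b"MZ constructed lookalike")
        iocs = dict(DROPPED_MD5)
        iocs[md5_file(renamed)] = "renamed.bin"
        hits = scan_tree(root, iocs)
        moved = quarantine(hits, os.path.join(root, "quarantine"))
        return {"reasons": sorted(r for _, r in hits),
                "moved": len(moved),
                "left_in_drop_dir": os.listdir(drop)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The lookalike outside win32dc is deliberately left alone: a name like Quake3(patch).exe in a user's download folder is not evidence by itself, only the hash or the drop location is.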
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 57344 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 61440 | 77824 | 76288 | 5.52121 | 736bde0f978ebc23d28f85e4932c89c2 |
.rsrc | 139264 | 4096 | 2048 | 2.63797 | b5916a1f63e299e8c8a487a2ccfe581b |
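The section table is the classic UPX layout: UPX0 is reserved in memory (virtual size 57344) but has no bytes on disk, which is why its section MD5 is the empty-input hash d41d8cd98f00b204e9800998ecf8427e; the stub in UPX1 decompresses into it at run time. The raw sizes of the three sections add up to only 78336 of the file's 135052 bytes, so the remainder is an overlay the loader never maps. The Python below is an added example (not Lavasoft's tooling) that parses IMAGE_SECTION_HEADER entries and applies those checks. Names, addresses and sizes are from the table; the PointerToRawData values (1024 and 77312), the 7.0 entropy threshold and the section bodies are assumed or constructed. Note that the report's own UPX1 entropy of 5.52 would not trip that threshold; the section name and the zero-raw-size check are the reliable signal for this sample.

```python
"""Parse a PE section table and flag UPX-style packing.

Added example for this report; not code from Lavasoft. Section names,
virtual addresses, virtual sizes and raw sizes come from the PE Sections
table. PointerToRawData values (1024 and 77312) are assumed because the
table omits them, and the section bodies are constructed rather than read
from the sample.
"""
import math
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes
FILE_SIZE = 135052  # from the report summary

# (name, virtual address, virtual size, raw size, assumed raw pointer)
REPORT_SECTIONS = [
    ("UPX0", 4096, 57344, 0, 0),
    ("UPX1", 61440, 77824, 76288, 1024),
    (".rsrc", 139264, 4096, 2048, 77312),
]


def build_section_table(rows):
    """Serialize rows into the on-disk section table layout."""
    out = b""
    for name, vaddr, vsize, rawsize, rawptr in rows:
        out += struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                           vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0)
    return out


def parse_section_table(blob, count):
    """Inverse of build_section_table: 40-byte headers -> dicts."""
    sections = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HEADER_FMT, blob, i * SECTION_HEADER_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "vaddr": f[2],
                         "rawsize": f[3], "rawptr": f[4]})
    return sections


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packing_indicators(sections, file_bytes):
    """Heuristics that together point at a runtime packer such as UPX."""
    hits = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            hits.append((s["name"], "UPX section name"))
        if s["rawsize"] == 0 and s["vsize"] > 0:
            # Nothing on disk but space reserved in memory: the unpack target.
            hits.append((s["name"], "zero raw size, non-zero virtual size"))
        if s["rawsize"]:
            body = file_bytes[s["rawptr"]:s["rawptr"] + s["rawsize"]]
            if shannon_entropy(body) > 7.0:  # assumed threshold
                hits.append((s["name"], "high entropy section body"))
    return hits


def overlay_size(sections, file_size):
    """Bytes past the last mapped section; a packer stub never maps these."""
    end = max(s["rawptr"] + s["rawsize"] for s in sections)
    return max(file_size - end, 0)


# Constructed stand-in for the sample on disk: 1024 bytes of headers, a
# uniformly distributed UPX1 body (compressed data looks like this), a
# constant .rsrc body, and zero padding out to the reported file size.
MOCK_FILE = bytearray(FILE_SIZE)
MOCK_FILE[1024:1024 + 76288] = bytes(range(256)) * (76288 // 256)
MOCK_FILE[77312:77312 + 2048] = b"A" * 2048

if __name__ == "__main__":
    secs = parse_section_table(build_section_table(REPORT_SECTIONS),
                               len(REPORT_SECTIONS))
    for name, why in packing_indicators(secs, MOCK_FILE):
        print(f"{name}: {why}")
    print("overlay bytes:", overlay_size(secs, FILE_SIZE))
```

On a real file you would read the section table from the offset given by the PE header (e_lfanew plus the COFF and optional headers) instead of building it; the parsing and the checks are the same. The overlay figure is worth chasing: roughly 55 KB past the last section is enough to hold the game-crack decoys the sample drops into win32dc.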
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 77
0e8cc3029d3acf2b7758eb0168804d9e
f9990007d6590bd13269080bb6c21ca1
efce4f8851962bafee5777844e5b1e92
ef8efd31a93b37726b6548cc32d15c8b
ea2f5c3f421b7f54e6e90c6e0be9c4bb
d1fceadc2ec13c77c64691677b455fcc
6bc2c3f22d75f318cce1fbf50a362a9f
5bb7eb12e7f44dbe3727e6b9b5858ebb
027836c1dff19350fd4534c661cb6372
ef4f4829f04358e403d3c7d7c555f03b
e953f4d6eff1ff48f58b73fb1a8cd75a
e17c6e18bad60f0c0d0f9371a130bec8
c74b71dfa83b878c345d2dd13cb9f84e
8ebf91afaa3f36629e3bc1bc31db9c3d
8a95b5bd4327b0338b95a544dafaa533
794ec7feff497f63da9ea049bc4141e0
36b761531cc64940dd5859c9eb10125d
30525465afeecf6da2833625e2554e8c
29d725c5009d591759099020aeab702e
1c5dc4296f3c4f7fbcc09f098bf3efc6
fe81d1e58fe7052a28fce71e0b5c2ce5
ee57e38250b8429c9841000c00fc122c
94ab19937152a6126a257c02a248fce2
8a7cb6d0600d54911896cb1b5c031292
70ee15b2f5b973043d8a5d63dc51275a
6e43b10d7acf40e331e91eac679197cd
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The GenPack connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_2936:
`.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
&.TwI)
&pWebS
O^nKey
~URL!wn}
m%dUPfbZVQ
ET_.Tol
BF.dd
KERNEL32.DLL
advapi32.dll
mpr.dll
oleaut32.dll
shell32.dll
URLMON.DLL
user32.dll
wininet.dll
wsock32.dll
%original file name%.exe_2936_rwx_00401000_00014000:
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
&.TwI)
&pWebS
O^nKey
~URL!wn}
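The two dumps above are the unpacked code in memory, and their strings are what carry the IRCBot verdict: IRC protocol verbs (NICK, JOIN, PRIVMSG, a rndnick routine), an Undernet server, a Startup-folder path for persistence, URLDownloadToFileA and ShellExecuteA for download-and-run, DCPlusPlus.xml (the DC++ client's settings file, which fits the game-crack decoy names dropped into win32dc as share bait), and netapi32.dll with "(netbios_invalidpass:" pointing at spreading over network shares with password guessing. The Romanian strings ":Fisier Executat" ("File executed") and "(Director Windows:" ("Windows directory:") read as status replies to the operator. The Python below is an added example, not Lavasoft's tooling: it extracts ASCII and UTF-16LE strings from a buffer the way a strings pass over a dump does, then scores them against those indicators. CONSTRUCTED_DUMP is built here from a few of the listed strings plus binary noise, not bytes from the sample; the indicator categories and the verdict thresholds are my own.

```python
"""Extract printable strings from a memory dump and score IRC-bot indicators.

Added example; not Lavasoft's tooling. The indicator strings are the ones
listed under Strings from Dumps. CONSTRUCTED_DUMP is a stand-in built here
from a few of those strings plus binary noise, not bytes from the sample.
"""
import re

MIN_LEN = 4

# My own grouping of the report's strings; not categories from the report.
INDICATORS = {
    "irc_protocol": {"PRIVMSG", "JOIN", "NICK", "rndnick", "login"},
    "irc_server": {"us.undernet.org"},
    "persistence": {"\\WINDOWS\\Start Menu\\Programs\\Startup\\", "system.ini"},
    "dropper": {"%rnddir%\\%rand%.exe", "%rnddir%\\%rand%.com",
                "URLDownloadToFileA", "ShellExecuteA"},
    "p2p_share": {"DCPlusPlus.xml", "dcplusplus.xml"},
    "lateral": {"netapi32.dll", "(netbios_invalidpass:"},
}


def extract_strings(data, min_len=MIN_LEN):
    """ASCII runs first, then UTF-16LE runs, each at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    out = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return out


def score(strings):
    """category -> sorted indicators found as a substring of any string."""
    matched = {}
    for cat, needles in INDICATORS.items():
        found = sorted(n for n in needles if any(n in s for s in strings))
        if found:
            matched[cat] = found
    return matched


def verdict(matched):
    """IRC command-and-control plus a delivery/persistence capability."""
    irc = len(matched.get("irc_protocol", [])) >= 2 or "irc_server" in matched
    capability = any(c in matched for c in
                     ("dropper", "persistence", "p2p_share", "lateral"))
    if irc and capability:
        return "ircbot"
    if irc:
        return "irc-only"
    return "no-irc-indicators"


# Constructed dump: report strings separated by NULs and code-like noise.
CONSTRUCTED_DUMP = (
    b"\x00\x55\x8b\xec\x83"                  # code-like noise
    + b"NICK %s\r\n\x00"
    + b"JOIN #%s\r\n\x00"
    + b"PRIVMSG %s :Fisier Executat\x00"
    + b"ab\x00\x00"                          # below MIN_LEN, must be dropped
    + "us.undernet.org".encode("utf-16-le") + b"\x00\x00"
    + b"\x12\x03\x06\x08"                    # more noise
    + b"%rnddir%\\%rand%.exe\x00"
    + b"\\WINDOWS\\Start Menu\\Programs\\Startup\\\x00"
    + b"URLDownloadToFileA\x00"
)

if __name__ == "__main__":
    found = extract_strings(CONSTRUCTED_DUMP)
    print(found)
    matched = score(found)
    print(matched, verdict(matched))
```

Substring matching matters here: in a real dump the verbs usually sit inside format strings such as "PRIVMSG %s :%s", so an exact-match lookup would miss them. The wide-string pass is cheap insurance; this sample's strings are ASCII, but Delphi and later Windows code often keep configuration in UTF-16.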