HEUR:Packed.Win32.Upantix.gen (Kaspersky), GenPack:Generic.Malware.Sdld.870A1045 (B) (Emsisoft), GenPack:Generic.Malware.Sdld.870A1045 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Worm, IRC-Worm, Packed, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 019d8d27e0d1b794a79432923aca3de7
SHA1: d89f4dbedcb37c7a7c8f0d8edce340df42201d3e
SHA256: d88fa84dec3855e104d55a5ab0c32e890e79166056836307fd554eb0c7b6c2f9
SSDeep: 3072:c7/4JrrY1111rciCt1KAAlrw1ac/2doA8wbzj:c7/4JrrY11114iEKnJIU/8g
Size: 135052 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The GenPack creates the following process(es):
No processes have been created.
The GenPack injects its code into the following process(es):
%original file name%.exe:2748
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2748 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
C:\Windows\win32dc\FlatOut trainer.exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4(fix).exe (673 bytes)
C:\Windows\win32dc\Half-Life 2(nocd).exe (10879 bytes)
C:\Windows\win32dc\DAoC_patch.exe (6639 bytes)
C:\Windows\win32dc\Half-Life 2_fix.exe (673 bytes)
C:\Windows\win32dc\UT2004_patch.exe (2533 bytes)
C:\Windows\win32dc\Silent Hill 4 nocd.exe (10879 bytes)
C:\Windows\win32dc\Sims 2(nocd).exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4 serial.exe (673 bytes)
C:\Windows\win32dc\Doom 3(fix).exe (17935 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
20915eecb8e7859df3d14145764f2f90 | c:\Windows\win32dc\DAoC_patch.exe |
bece151f581c0fd95f79a93db9de8f02 | c:\Windows\win32dc\Doom 3(fix).exe |
dafad1cf86f100f5e9a9b408f79494e6 | c:\Windows\win32dc\Half-Life 2(nocd).exe |
822e502a6c6690b7eabc6a6b71a5a889 | c:\Windows\win32dc\Silent Hill 4 nocd.exe |
544369fd76f365153bf535061ab93891 | c:\Windows\win32dc\UT2004_patch.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original GenPack file.
- Delete or disinfect the following files created/modified by the GenPack:
C:\Windows\win32dc\FlatOut trainer.exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4(fix).exe (673 bytes)
C:\Windows\win32dc\Half-Life 2(nocd).exe (10879 bytes)
C:\Windows\win32dc\DAoC_patch.exe (6639 bytes)
C:\Windows\win32dc\Half-Life 2_fix.exe (673 bytes)
C:\Windows\win32dc\UT2004_patch.exe (2533 bytes)
C:\Windows\win32dc\Silent Hill 4 nocd.exe (10879 bytes)
C:\Windows\win32dc\Sims 2(nocd).exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4 serial.exe (673 bytes)
C:\Windows\win32dc\Doom 3(fix).exe (17935 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 57344 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 61440 | 77824 | 76288 | 5.51903 | 1393f3858368755f7e7a25d69f7bde92 |
.rsrc | 139264 | 4096 | 2048 | 2.63797 | b5916a1f63e299e8c8a487a2ccfe581b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The GenPack connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_2748:
`.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
&pWebServ
O^nKey
URLY
\-%c)
w-8 %u"D
KERNEL32.DLL
advapi32.dll
mpr.dll
oleaut32.dll
shell32.dll
URLMON.DLL
user32.dll
wininet.dll
wsock32.dll
%original file name%.exe_2748_rwx_00401000_00014000:
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
&pWebServ
O^nKey
URLY