Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, IRC-Worm, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: cd4a79c21c3fdf47a5f5c9ee8e74bcfc
SHA1: b291d7a02067c7fe03b76eb517a757a47498bd2b
SHA256: 652f6b65eb7499eebbe68231065e0d3e8e6e5fcbd0ea3d6bdcf1f1a6d407e0fc
SSDeep: 24576:/gFkg R9SDI5xJyTzgLqZQg2v58fdCUO/A5d7okvyhZHfsQgGU6iYkf:IKgI9SGJGcLmE8f0UO/W7vyhZHfsV6iN
Size: 1306032 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17 (this is the fixed link-time stamp that Borland/Delphi linkers write, consistent with the CODE/DATA/BSS section names in the static analysis below; it is not the real build date)
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-Dropper. A Trojan program intended for the stealth installation of other malware on the user's system.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Dropped creates the following process(es):
%original file name%.exe:1916
The Dropped injects its code into the following process(es): none observed (no code injection into other processes was detected).
Mutexes
The following mutexes were created/opened: none were found.
File activity
The process %original file name%.exe:1916 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Windows\win32dc\Quake3 nocd.exe (13795 bytes)
C:\Windows\win32dc\DAoC(cdfix).exe (7971 bytes)
C:\Windows\win32dc\Quake3_cdfix.exe (7971 bytes)
C:\Windows\win32dc\BattleField 1942(patch).exe (8583 bytes)
C:\Windows\win32dc\DAoC cdfix.exe (24843 bytes)
C:\Windows\win32dc\Counter-Strike(serial).exe (13795 bytes)
C:\Windows\win32dc\DAoC_cdfix.exe (13795 bytes)
C:\Windows\win32dc\BattleField 1942 serial.exe (11338 bytes)
C:\Windows\win32dc\Half-Life 2 codes.exe (18734 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
ce05cb7bd2beedf737c7ff48e97f61f3 | c:\Windows\win32dc\BattleField 1942 serial.exe |
3d60360057dc1354823853b0ce35acb4 | c:\Windows\win32dc\BattleField 1942(patch).exe |
32aaad1dd69e006cc42322ef06748df5 | c:\Windows\win32dc\Counter-Strike(serial).exe |
ea6b9987c77d3d342728576dd77a9db2 | c:\Windows\win32dc\DAoC cdfix.exe |
f3df7746f3dc15cc6da11c70d2bc937b | c:\Windows\win32dc\DAoC_cdfix.exe |
a731371345905e1ee17215bda8838617 | c:\Windows\win32dc\Half-Life 2 codes.exe |
6bf933d1b091926361fe2c88a4112654 | c:\Windows\win32dc\Quake3 nocd.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1916
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
C:\Windows\win32dc\Quake3 nocd.exe (13795 bytes)
C:\Windows\win32dc\DAoC(cdfix).exe (7971 bytes)
C:\Windows\win32dc\Quake3_cdfix.exe (7971 bytes)
C:\Windows\win32dc\BattleField 1942(patch).exe (8583 bytes)
C:\Windows\win32dc\DAoC cdfix.exe (24843 bytes)
C:\Windows\win32dc\Counter-Strike(serial).exe (13795 bytes)
C:\Windows\win32dc\DAoC_cdfix.exe (13795 bytes)
C:\Windows\win32dc\BattleField 1942 serial.exe (11338 bytes)
C:\Windows\win32dc\Half-Life 2 codes.exe (18734 bytes)
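The manual removal steps above amount to an IOC sweep: find the files the sample wrote and remove them. The following script is an added example (not a Lavasoft tool and not part of the report) that generalises that sweep. It hashes every file under a root directory and flags anything whose MD5 matches the report's "Dropped PE files" table, or any .exe sitting in a directory named win32dc, the drop directory this sample used. The directory tree it sweeps in `run_demo()` is constructed for the demo; the bait file's content is made up, so its MD5 is added to the IOC set at run time.

```python
"""IOC sweep for the dropped files listed in this report (added example)."""
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# MD5 -> path, copied from the report's "Dropped PE files" table.
DROPPED_MD5 = {
    "ce05cb7bd2beedf737c7ff48e97f61f3": r"c:\Windows\win32dc\BattleField 1942 serial.exe",
    "3d60360057dc1354823853b0ce35acb4": r"c:\Windows\win32dc\BattleField 1942(patch).exe",
    "32aaad1dd69e006cc42322ef06748df5": r"c:\Windows\win32dc\Counter-Strike(serial).exe",
    "ea6b9987c77d3d342728576dd77a9db2": r"c:\Windows\win32dc\DAoC cdfix.exe",
    "f3df7746f3dc15cc6da11c70d2bc937b": r"c:\Windows\win32dc\DAoC_cdfix.exe",
    "a731371345905e1ee17215bda8838617": r"c:\Windows\win32dc\Half-Life 2 codes.exe",
    "6bf933d1b091926361fe2c88a4112654": r"c:\Windows\win32dc\Quake3 nocd.exe",
}
DROP_DIR_NAME = "win32dc"   # directory name the sample created under C:\Windows


def md5_file(path, chunk_size=1 << 16):
    """MD5 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, known_md5=DROPPED_MD5, drop_dir_name=DROP_DIR_NAME):
    """Walk `root` and return a list of hits, each with the reasons it matched."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        digest = md5_file(path)
        if digest in known_md5:
            original = PureWindowsPath(known_md5[digest]).name
            reasons.append("md5 matches dropped file %s" % original)
        if path.parent.name.lower() == drop_dir_name and path.suffix.lower() == ".exe":
            reasons.append("executable inside a %s drop directory" % drop_dir_name)
        if reasons:
            hits.append({"path": str(path), "md5": digest, "reasons": reasons})
    return hits


def run_demo():
    """Sweep a constructed directory tree and return the hits.

    The files here are made up for the demo (not the real dropped PEs), so the
    bait file's MD5 is supplied as an extra IOC alongside the report's table.
    """
    with tempfile.TemporaryDirectory() as tmp:
        drop_dir = Path(tmp, "Windows", "win32dc")
        drop_dir.mkdir(parents=True)
        bait = drop_dir / "Quake3 nocd.exe"
        bait.write_bytes(b"constructed sample, not the real dropped PE")
        (drop_dir / "readme.txt").write_bytes(b"harmless text in the drop directory")
        benign = Path(tmp, "Users", "notes.exe")
        benign.parent.mkdir(parents=True)
        benign.write_bytes(b"unrelated executable elsewhere")
        iocs = dict(DROPPED_MD5)
        iocs[md5_file(bait)] = r"c:\Windows\win32dc\Quake3 nocd.exe"
        return sweep(tmp, iocs)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit["path"], hit["md5"], "; ".join(hit["reasons"]))
```

Run `sweep("C:\\")` on a suspect host to check it against the report's hashes; the drop-directory rule catches renamed or recompiled copies that the hash list misses, at the cost of having to review whatever else lives in a win32dc directory.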
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40592 | 40960 | 4.37354 | 4599c8e48266467f9472d9c0076da0aa |
DATA | 45056 | 416 | 512 | 2.59038 | 6723f313105be59e8f34015bac1ef0c6 |
BSS | 49152 | 4493 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 57344 | 2332 | 2560 | 2.95832 | 1f3c6fef94d61a4d2beebca25d327785 |
.tls | 61440 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 65536 | 24 | 512 | 0.129329 | bf98d008e3e41c32258f4ddad0423dfc |
.reloc | 69632 | 2396 | 2560 | 4.48773 | c247e5d4f27055db8d87da84767714bb |
.rsrc | 73728 | 1536 | 1536 | 2.62048 | b115dc78febf3048a6accb9f8efeb1de |
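Two details in the table above are worth reading with a tool in hand. The MD5 shown for BSS and .tls, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of zero bytes, which simply reflects their raw size of 0. More importantly, the raw sizes sum to 48,640 bytes while the file is 1,306,032 bytes, so roughly 1.25 MB of the file lies beyond the last section as an overlay; that, rather than the section entropies (all below 4.5), is consistent with the "Packed" verdict and with a dropper carrying its payload inside itself. The script below is an added example, not part of the report or of the analysis system: it reads the section table directly from the PE headers with `struct` (no pefile dependency), reproduces the table's columns for each section, measures the overlay, and flags both high-entropy sections and a dominant overlay. The image it analyses in `run_demo()` is constructed by `build_sample_pe()` and will not load as a program; only its section table is laid out as a linker would.

```python
"""Section entropy, section MD5 and overlay size of a PE image (added example)."""
import hashlib
import math
import struct
from collections import Counter

COFF_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image):
    """One dict per section header, with entropy and MD5 of the section's raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = struct.unpack_from(COFF_HEADER, image, e_lfanew + 4)
    num_sections, opt_header_size = coff[1], coff[5]
    table = e_lfanew + 4 + struct.calcsize(COFF_HEADER) + opt_header_size
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, image, table + 40 * i)
        name, vsize, vaddr, raw_size, raw_ptr = fields[:5]
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
            "entropy": round(shannon_entropy(raw), 5),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections


def overlay_size(image, sections):
    """Bytes after the end of the last section's raw data (where droppers keep payloads)."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections if s["raw_size"]), default=0)
    return max(0, len(image) - end)


def packing_hints(image, sections, high=7.0):
    """Heuristic flags: a compressed/encrypted section, or an overlay that dominates the file."""
    hints = [
        "section %s has entropy %.2f" % (s["name"], s["entropy"])
        for s in sections if s["raw_size"] and s["entropy"] >= high
    ]
    overlay = overlay_size(image, sections)
    if overlay and overlay * 2 > len(image):
        hints.append("overlay of %d bytes is most of the file" % overlay)
    return hints


def build_sample_pe(sections, overlay=b""):
    """Construct a minimal image: DOS stub, PE signature, COFF header, section table, raw data.

    sections: (name, raw_bytes) or (name, raw_bytes, virtual_size). No optional header.
    """
    e_lfanew, n = 0x40, len(sections)
    first_raw = -(-(e_lfanew + 4 + 20 + 40 * n) // 512) * 512   # headers rounded up to 512
    headers, raw_blob, ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, raw, *rest in sections:
        vsize = rest[0] if rest else len(raw)
        raw_size = -(-len(raw) // 512) * 512
        headers += struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"), vsize, vaddr,
                               raw_size, ptr if raw_size else 0, 0, 0, 0, 0, 0x60000020)
        raw_blob += raw.ljust(raw_size, b"\0")
        ptr += raw_size
        vaddr += max(0x1000, -(-vsize // 0x1000) * 0x1000)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER, 0x14C, n, 0, 0, 0, 0, 0x0102)
    image = (dos + b"PE\0\0" + coff + headers).ljust(first_raw, b"\0")
    return image + raw_blob + overlay


def run_demo():
    """Constructed image: a uniform-byte CODE section, a zeroed DATA section,
    a BSS-style section with no raw data, and a 4 KiB overlay."""
    uniform = bytes(range(256)) * 2     # every byte value twice: entropy 8.0
    zeros = b"\0" * 512                 # entropy 0.0
    image = build_sample_pe([("CODE", uniform), ("DATA", zeros), ("BSS", b"", 4493)],
                            overlay=b"\xAA" * 4096)
    sections = parse_sections(image)
    return {"sections": sections, "overlay": overlay_size(image, sections),
            "hints": packing_hints(image, sections)}


if __name__ == "__main__":
    demo = run_demo()
    for s in demo["sections"]:
        print("%-8s va=%-6d vsize=%-6d raw=%-6d H=%-8s %s"
              % (s["name"], s["virtual_address"], s["virtual_size"], s["raw_size"], s["entropy"], s["md5"]))
    print("overlay:", demo["overlay"], "hints:", demo["hints"])
```

Applied to a real sample, `parse_sections(open(path, "rb").read())` gives the same columns as the table above; the overlay figure is the number to look at first when the section entropies are unremarkable but the file is many times larger than its sections.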
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1533
ef2d2eb0996329df1775d6f51f5b214a
a9e14804d12437c86fffb947dc8934c6
a92c782c8cd0e74fc448217f3a2d0f88
aa29865a7a5ab06594e8eeda2d96c656
a8889e5abb1e9319d1b1bfaa5e6ba737
a6ff4fb6cbff7d7e4721ea2e9f65990f
a5088b2a35063ea7d0efd8c630660cf6
a4a1c6e5b98d35556dd91defed3e8453
a3b794fbcba90520b1c680b039b2606e
a3af7ff63f458c86f28522d5ec47312d
a368bbced141b7e07714011c3a65efe2
a291e15e96b7b5297df1c26406e738ef
a0fb55f0abefa778b278836aafcff62f
a0f5d3be5f6071f13e462eea1dd5b96b
a06019c42444274e843800451d6d7c33
a004798d5e45ff1f440469607fa3b0e8
9fe7d29faa30f9f73ade752a19653d9c
9fb9f59a288c37807445a3aa26f54378
9f290bae77987f4ddfa81ad3d3fdb60f
9e8de8de5dd4e9d436d6c9d2fe66b733
9deb42629994c4015fdbd316791c18cc
9de512c8216acb8683ab7807af1d0fbf
9cfdbed905228fbb812ffa6cef13b986
9cc62848e63bbf2a32edced6ef2d0c8f
9b3b5c9ac29226fac3c222544fa86eac
9a8291fba75ccbf101e7baf3e330fd0e
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Dropped connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1916:
.idata
.rdata
P.reloc
P.rsrc
PRIVMSG
JOIN
login
:File Executed
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
irc.lcirc.net
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
mpr.dll
wsock32.dll
shell32.dll
ShellExecuteA
wininet.dll
URLMON.DLL
URLDownloadToFileA
KWindows
&pWebServer
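The dump strings are the most informative part of this report: IRC protocol verbs (PRIVMSG, JOIN, NICK) and a nickname generator (rndnick) next to a server name (irc.lcirc.net) give the IRCBot verdict, URLDownloadToFileA and ShellExecuteA with the ":File Executed" status message give the download-and-run capability, the Startup folder path and system.ini point at persistence, DCPlusPlus.xml suggests the game-crack file names above are bait placed in a DC++ share, and netbios_invalidpass suggests share password guessing. The script below is an added example, not the report's own tooling: it extracts printable ASCII runs from a dump the way `strings` does, de-duplicates them (the listing above showed every string twice), and tags them against an indicator list built from the strings on this page. The category names and the grouping of indicators into categories are this example's assumptions, and `SAMPLE_DUMP` is a fragment constructed from the listed strings, not a real memory dump.

```python
"""Capability triage over printable strings in a process dump (added example)."""
import re

# Assumed categorisation of the strings the report lists; extend as needed.
INDICATORS = {
    "irc_c2": ["PRIVMSG", "JOIN", "NICK", "rndnick", "irc.lcirc.net"],
    "download_execute": ["URLDownloadToFileA", "ShellExecuteA", ":File Executed"],
    "persistence": ["\\Start Menu\\Programs\\Startup\\", "system.ini"],
    "p2p_share_bait": ["DCPlusPlus.xml"],
    "share_bruteforce": ["netbios_invalidpass", "netapi32.dll"],
}


def extract_strings(blob, min_len=4):
    """Unique printable-ASCII runs of at least min_len bytes, in order of first appearance."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    seen, out = set(), []
    for m in pattern.finditer(blob):
        s = m.group().decode("ascii")
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def tag_strings(strings, indicators=INDICATORS):
    """Map each capability to the dump strings containing one of its indicators.

    Matching is case-insensitive so that e.g. dcplusplus.xml and DCPlusPlus.xml,
    or JOIN and join, land in the same bucket.
    """
    found = {}
    for capability, needles in indicators.items():
        matched = sorted({s for s in strings for n in needles if n.lower() in s.lower()})
        if matched:
            found[capability] = matched
    return found


def triage(blob):
    """Strings extraction followed by capability tagging."""
    return tag_strings(extract_strings(blob))


# Constructed dump fragment: strings from the report separated by NUL bytes, plus noise
# ("ab" is too short to be extracted; PRIVMSG appears twice to exercise de-duplication).
SAMPLE_DUMP = (
    b"\x00\x00PRIVMSG\x00JOIN\x00NICK\x00rndnick\x00:File Executed\x00"
    b"(netbios_invalidpass:\x00%rnddir%\\%rand%.exe\x00system.ini\x00"
    b"dcplusplus.xml\x00\\WINDOWS\\Start Menu\\Programs\\Startup\\\x00"
    b"irc.lcirc.net\x00URLDownloadToFileA\x00ab\x00kernel32.dll\x00PRIVMSG\x00"
)

if __name__ == "__main__":
    for capability, matched in triage(SAMPLE_DUMP).items():
        print(capability, "->", ", ".join(matched))
```

Strings such as %rnddir%\%rand%.exe are extracted but left untagged; they are format templates for the randomised copy the bot writes, and are worth a category of their own once the sample family is known.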