Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, IRC-Worm, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 283712ab64437b73ecda64d9355ab41e
SHA1: 874e7cab7c1de15f622fa7a5e306ee2675817182
SHA256: f1ee860f4503daec0cc4b3ea1ebd2cbdb09fa8c4a3eca674a697b1d3db6deff2
SSDeep: 24576:/gFkg R9SDI5xJyyUACeB3gJxL9CC/XV/1FHCp1sFmWP:IKgI9SGJpU8BQPL9CeVp
Size: 1060579 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17 (this is the fixed link-time stamp that Borland's Delphi linker writes into every executable, not the real build date; the CODE/DATA/BSS section names in the static analysis below come from the same toolchain)
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-Dropper. A trojan program intended for the stealthy installation of other malware on the user's system.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | The bot can communicate with its command-and-control servers over an IRC channel. |
Process activity
The Dropped creates the following process(es):
%original file name%.exe:1976
The Dropped injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1976 makes changes to the file system.
The Dropped creates and/or writes to the following file(s):
C:\Windows\win32dc\BattleField 1942 patch.exe (8591 bytes)
C:\Windows\win32dc\Half-Life 2 crack.exe (8591 bytes)
C:\Windows\win32dc\Silent Hill 4_fix.exe (7433 bytes)
C:\Windows\win32dc\Silent Hill 4 cdfix.exe (9603 bytes)
C:\Windows\win32dc\Half-Life 2 nocd.exe (9603 bytes)
C:\Windows\win32dc\Quake3_crack.exe (9093 bytes)
C:\Windows\win32dc\Silent Hill 4 crack.exe (9603 bytes)
C:\Windows\win32dc\Sims 2(cheat).exe (8591 bytes)
C:\Windows\win32dc\UT2004 serial.exe (9093 bytes)
C:\Windows\win32dc\Half-Life 2 trainer.exe (7433 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
cfa3e4a99acd9836023aed009e505ce8 | c:\Windows\win32dc\BattleField 1942 patch.exe |
362da471a1660077f9011e3058776594 | c:\Windows\win32dc\Half-Life 2 crack.exe |
1d5952c559933dc0c5ed8cabb62287e4 | c:\Windows\win32dc\Half-Life 2 nocd.exe |
3df14699575013febc7fe1c19c00fa91 | c:\Windows\win32dc\Quake3_crack.exe |
958b01d5fe9caf6082a12778e679a42c | c:\Windows\win32dc\Silent Hill 4 cdfix.exe |
46301a01b161629129f514ad5f4d6532 | c:\Windows\win32dc\Silent Hill 4 crack.exe |
b65264e248b9c4fa8992e59507d1e386 | c:\Windows\win32dc\Sims 2(cheat).exe |
a6a1e8ad87505af3a2e828597e3982c3 | c:\Windows\win32dc\UT2004 serial.exe |
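The table above is an IOC list. The following added example (my code, not Lavasoft's) turns it into a local sweep that matches files under a given root by path and by MD5, so a copy that was renamed or moved out of win32dc is still caught by hash. The root directory stands in for C:\, the walk is case-insensitive because NTFS paths are, and the demo tree is constructed with dummy contents so that only the path matches fire. The filenames imitate game cracks and patches, and the dump further below contains the strings DCPlusPlus.xml and dcplusplus.xml, which suggests (my inference, not something the report states) that the win32dc directory is meant to be offered as a DC++ share.

```python
# Added example (not part of the Lavasoft report): sweep a filesystem tree for the
# dropped files listed above, matching first by path and then by MD5.
import hashlib
import os
from pathlib import Path, PureWindowsPath

# Drop paths and MD5s copied from the report's "Dropped PE files" table.
# Two dropped files (Silent Hill 4_fix.exe, Half-Life 2 trainer.exe) have no MD5
# in the report, so they can only be matched by path.
DROPPED_FILES = {
    r"Windows\win32dc\BattleField 1942 patch.exe": "cfa3e4a99acd9836023aed009e505ce8",
    r"Windows\win32dc\Half-Life 2 crack.exe":      "362da471a1660077f9011e3058776594",
    r"Windows\win32dc\Half-Life 2 nocd.exe":       "1d5952c559933dc0c5ed8cabb62287e4",
    r"Windows\win32dc\Quake3_crack.exe":           "3df14699575013febc7fe1c19c00fa91",
    r"Windows\win32dc\Silent Hill 4 cdfix.exe":    "958b01d5fe9caf6082a12778e679a42c",
    r"Windows\win32dc\Silent Hill 4 crack.exe":    "46301a01b161629129f514ad5f4d6532",
    r"Windows\win32dc\Sims 2(cheat).exe":          "b65264e248b9c4fa8992e59507d1e386",
    r"Windows\win32dc\UT2004 serial.exe":          "a6a1e8ad87505af3a2e828597e3982c3",
    r"Windows\win32dc\Silent Hill 4_fix.exe":      None,
    r"Windows\win32dc\Half-Life 2 trainer.exe":    None,
}
KNOWN_MD5 = {h for h in DROPPED_FILES.values() if h}


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root):
    """Return (path_hits, hash_hits) for every file under root.

    root stands in for the system drive (C:\\). path_hits holds
    (relative path, md5, md5 matches the report) for files at a known drop
    path; hash_hits holds (relative path, md5) for any file anywhere under
    root whose MD5 is one of the report's hashes."""
    root = Path(root)
    wanted = {k.lower(): v for k, v in DROPPED_FILES.items()}
    path_hits, hash_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            # Normalise to backslashes and lower case so the keys above match on any OS.
            rel = str(PureWindowsPath(full.relative_to(root))).lower()
            digest = md5_of(full)
            if rel in wanted:
                path_hits.append((rel, digest, digest == wanted[rel]))
            if digest in KNOWN_MD5:
                hash_hits.append((rel, digest))
    return path_hits, hash_hits


def demo():
    """Self-test on a constructed tree (not a real infected host): the report's
    paths with dummy contents, so paths match but hashes do not, plus an empty
    decoy file. Returns (path_hits, hash_hits, md5 of the empty decoy)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "Windows" / "win32dc").mkdir(parents=True)
        for key in DROPPED_FILES:
            target = base / PureWindowsPath(key).as_posix()
            target.write_bytes(b"MZ constructed stand-in for " + key.encode())
        decoy = base / "Windows" / "win32dc" / "readme.txt"
        decoy.write_bytes(b"")
        path_hits, hash_hits = sweep(base)
        empty_md5 = md5_of(decoy)
    return path_hits, hash_hits, empty_md5


if __name__ == "__main__":
    hits, by_hash, _ = demo()
    for rel, digest, matched in hits:
        print(f"{'HASH+PATH' if matched else 'PATH only'}  {rel}  {digest}")
    print(f"{len(by_hash)} hash-only hits")
```

On a real host, point sweep() at the system drive root; a path hit with a non-matching MD5 (as in the demo) still deserves a look, since the same campaign could drop a rebuilt payload under the same names. The MD5 of the empty decoy is d41d8cd98f00b204e9800998ecf8427e, the same value the PE section table reports for the zero-length BSS and .tls sections.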
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1976
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
C:\Windows\win32dc\BattleField 1942 patch.exe (8591 bytes)
C:\Windows\win32dc\Half-Life 2 crack.exe (8591 bytes)
C:\Windows\win32dc\Silent Hill 4_fix.exe (7433 bytes)
C:\Windows\win32dc\Silent Hill 4 cdfix.exe (9603 bytes)
C:\Windows\win32dc\Half-Life 2 nocd.exe (9603 bytes)
C:\Windows\win32dc\Quake3_crack.exe (9093 bytes)
C:\Windows\win32dc\Silent Hill 4 crack.exe (9603 bytes)
C:\Windows\win32dc\Sims 2(cheat).exe (8591 bytes)
C:\Windows\win32dc\UT2004 serial.exe (9093 bytes)
C:\Windows\win32dc\Half-Life 2 trainer.exe (7433 bytes)
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40592 | 40960 | 4.37354 | 4599c8e48266467f9472d9c0076da0aa |
DATA | 45056 | 416 | 512 | 2.59038 | 6723f313105be59e8f34015bac1ef0c6 |
BSS | 49152 | 4493 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 57344 | 2332 | 2560 | 2.95832 | 1f3c6fef94d61a4d2beebca25d327785 |
.tls | 61440 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 65536 | 24 | 512 | 0.129329 | bf98d008e3e41c32258f4ddad0423dfc |
.reloc | 69632 | 2396 | 2560 | 4.48773 | c247e5d4f27055db8d87da84767714bb |
.rsrc | 73728 | 1536 | 1536 | 2.62048 | b115dc78febf3048a6accb9f8efeb1de |
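Two things in this table are worth checking rather than reading at face value. The raw sizes add up to only 48 640 bytes, against a 1 060 579-byte file, so almost the whole file must sit after the last section as an overlay; and no section scores above 4.5 bits per byte, so whatever drove the "Entropy: Packed" verdict in the summary is in that overlay, not in the mapped sections (the dropped payloads listed under File activity are the obvious candidate). The section names CODE, DATA and BSS are the layout Borland's Delphi linker emits. The following added example (my code, not Lavasoft's) re-checks the table for layout anomalies, estimates the uncovered bytes, and implements the bits-per-byte entropy the table reports. The 1024-byte header size is an assumption: the table gives no PointerToRawData, and 0x400 is the usual header size with 512-byte file alignment.

```python
# Added example (not part of the report): sanity-check the section table above and
# estimate how much of the file lies outside any section.
import math
from collections import Counter

FILE_SIZE = 1060579      # "Size" from the report summary
SECTION_ALIGN = 4096     # virtual addresses in the table are 4 KiB-aligned
FILE_ALIGN = 512         # raw sizes in the table are multiples of 512

# (name, virtual address, virtual size, raw size, entropy) as listed in the report.
SECTIONS = [
    ("CODE",    4096, 40592, 40960, 4.37354),
    ("DATA",   45056,   416,   512, 2.59038),
    ("BSS",    49152,  4493,     0, 0.0),
    (".idata", 57344,  2332,  2560, 2.95832),
    (".tls",   61440,     8,     0, 0.0),
    (".rdata", 65536,    24,   512, 0.129329),
    (".reloc", 69632,  2396,  2560, 4.48773),
    (".rsrc",  73728,  1536,  1536, 2.62048),
]


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a
    uniform one. This is the scale the table's Entropy column uses."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_sections(sections, section_align=SECTION_ALIGN):
    """Flag layout anomalies: a gap or overlap in virtual address space, raw data
    larger than the aligned virtual size, or bytes on disk with zero entropy."""
    findings = []
    expected_va = sections[0][1]
    for name, va, vsize, rsize, ent in sections:
        if va != expected_va:
            findings.append(f"{name}: VA {va:#x}, expected {expected_va:#x} (gap or overlap)")
        aligned_vsize = -(-vsize // section_align) * section_align  # round up to alignment
        if rsize > aligned_vsize:
            findings.append(f"{name}: raw size {rsize} exceeds aligned virtual size {aligned_vsize}")
        if rsize and ent == 0.0:
            findings.append(f"{name}: {rsize} bytes on disk but zero entropy")
        expected_va = va + aligned_vsize
    return findings


def overlay_size(file_size, sections, header_size=1024):
    """Bytes covered neither by the headers nor by any section's raw data.
    With the usual contiguous on-disk layout this is all overlay after .rsrc.
    header_size is an assumption (0x400 is typical with 512-byte file alignment);
    the table does not give PointerToRawData, so it cannot be read off directly."""
    mapped = header_size + sum(rsize for _, _, _, rsize, _ in sections)
    return file_size - mapped


if __name__ == "__main__":
    print("layout findings:", check_sections(SECTIONS) or "none")
    ov = overlay_size(FILE_SIZE, SECTIONS)
    print(f"uncovered bytes: {ov} ({ov / FILE_SIZE:.1%} of the file)")
    print("entropy of 4 KiB of zeros:", shannon_entropy(b"\x00" * 4096))
    print("entropy of one of each byte value:", shannon_entropy(bytes(range(256))))
```

Run against the table, check_sections() finds nothing wrong: the sections are contiguous, the zero-raw-size sections are exactly the uninitialised ones (BSS, .tls), and the entropy values are consistent with plain compiled code and data. overlay_size() comes out at roughly 1 011 000 bytes, about 95% of the file; on the real sample the next step would be to carve that region and run shannon_entropy() over it in windows to locate the embedded payloads.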
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1059
ef2d2eb0996329df1775d6f51f5b214a
2221f945d2e24419e44d4846342f64ca
21467b3588fd0d7188d2a42ad6f3408b
1d17cf218087e0d263ab73c11c3a3dbc
1c38212889e33cbd55a7e8623a010ec4
1b430c1b6c16532b13f7b0af3830548d
1ad45a8782f083d456b0da8544a519a0
1ab01c65855fde6f4400ad8519129b28
1860e83395b0ade6d9f556ae3590d256
1603428574fd5f4e1b880386fec4e637
0fae6304116dcfca2affe3098d9ee5f0
0ed0b5dbd2129e95ad5cecdfd95d3de9
0e59db4faa433b60312aace8ae8e2450
0b4a57a82fe3b65506a0142243e31de1
0ca97d80f818716c0eac3d8ded1b5597
0ac45d8bf355bc68f72fa1a4d5d11597
0a8b55f2228e223ce41658373ca26864
09e5835b700046bd4765257197a5c672
064890490994c9ca5139a52535cd7e84
0768988ddf8fd355a96b5f89fcdfb8aa
0421992f4b14b87a80bd41514eed76b9
03d7facd70b419076541a17a95d7dad5
021b894f14f878bc2034b6bb26eff84c
f8659db37cc2721adf444731bd7e37a6
f7d75ec459b9a924b4f67c4833af6dc6
f1a403a990e9d920f4ac7307373b0e0a
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Dropped connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1976:
.idata
.rdata
P.reloc
P.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:File Executed
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
irc.lcirc.net
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
mpr.dll
wsock32.dll
shell32.dll
ShellExecuteA
wininet.dll
URLMON.DLL
URLDownloadToFileA
KWindows
&pWebServer
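The dump strings give away the C2 side that the empty Network Activity section does not: the IRC verbs NICK, JOIN and PRIVMSG, a server name (irc.lcirc.net), a status string that starts with the IRC trailing-parameter colon (":File Executed", next to PRIVMSG in the dump, so most likely sent as `PRIVMSG <target> :File Executed` after a file fetched with URLDownloadToFileA has been run; that reading is my inference), and the tokens login and rndnick. The following added example (my code, not Lavasoft's) is a minimal IRC line parser plus a detector that flags exactly those indicators in a client-to-server line sequence. The sample session is constructed, not captured traffic; its nick and channel name are hypothetical.

```python
# Added example, not part of the Lavasoft report: a minimal IRC line parser and a
# detector for the client behaviour implied by the dumped strings.
DUMP_SERVER = "irc.lcirc.net"                                             # from the dump
DUMP_STRINGS = ("File Executed", "netbios_invalidpass", "rndnick", "login")  # from the dump


def parse_irc(line):
    """Split one IRC line (RFC 1459 shape) into (prefix, command, params).
    A trailing parameter introduced by ' :' may contain spaces and is kept whole."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    words = head.split()
    if not words:
        raise ValueError("empty IRC message")
    command, params = words[0].upper(), words[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def flag_bot_session(lines, server_host=None):
    """Return the reasons a client->server line sequence matches this sample's C2
    pattern: the dumped server name, and PRIVMSG/NOTICE text that carries one of
    the dumped strings (':File Executed' read as the bot's status report, an
    inference from the dump, not a documented protocol)."""
    reasons = []
    if server_host and server_host.lower() == DUMP_SERVER:
        reasons.append(f"connects to {DUMP_SERVER}")
    joined = set()
    for line in lines:
        _prefix, cmd, params = parse_irc(line)
        if cmd == "JOIN" and params:
            joined.update(params[0].split(","))
        elif cmd in ("PRIVMSG", "NOTICE") and len(params) >= 2:
            target, text = params[0], params[-1]
            hits = [s for s in DUMP_STRINGS if s.lower() in text.lower()]
            if hits:
                where = "joined channel" if target in joined else "target"
                reasons.append(f"{cmd} to {where} {target} carries dump string(s) {hits}")
    return reasons


# Constructed sample session (not captured traffic): hypothetical nick and channel,
# followed by the status string found in the dump.
SAMPLE_SESSION = [
    "NICK kqzvx7319",
    "USER kqzvx7319 0 * :kqzvx7319",
    "JOIN #chan",
    "PRIVMSG #chan :File Executed",
]

if __name__ == "__main__":
    for reason in flag_bot_session(SAMPLE_SESSION, server_host="irc.lcirc.net"):
        print(reason)
```

The detector deliberately keys on the literal strings from the dump rather than on guesses about the bot's command grammar; a ruleset that also wanted to catch the rndnick behaviour would need a nick-randomness heuristic that this report gives no evidence for. In practice the same two checks translate directly into IDS content matches on IRC traffic to irc.lcirc.net and on "File Executed" inside a PRIVMSG.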