HEUR:Packed.Win32.Upantix.gen (Kaspersky), GenPack:Generic.Malware.Sdld.1518CA4F (B) (Emsisoft), GenPack:Generic.Malware.Sdld.1518CA4F (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Worm, IRC-Worm, Packed, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: c77c898114c383dfa51013e011a953f5
SHA1: 31a222f4187246972458ae59c4dd59bcdd55b4a6
SHA256: b494047d8dc235a8cb4aa7ab30cff6ba2b38fe24396faa477c317e9986ef0d86
SSDeep: 3072:m22222C8vvv3XXXtRutxwwwIo3hh1DQAAlrw1ac/2doA8wbzj:m22222CyXXXy9odDQnJIU/8g
Size: 135052 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The GenPack creates the following process(es):
No processes have been created.
The GenPack injects its code into the following process(es):
%original file name%.exe:1792
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1792 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
C:\Windows\win32dc\Half-Life 2_cdfix.exe (14311 bytes)
C:\Windows\win32dc\Half-Life 2 cheat.exe (10879 bytes)
C:\Windows\win32dc\FlatOut codes.exe (2533 bytes)
C:\Windows\win32dc\Half-Life 2(fix).exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4_nocd.exe (6639 bytes)
C:\Windows\win32dc\UT2004 fix.exe (6639 bytes)
C:\Windows\win32dc\Sims 2_codes.exe (6639 bytes)
C:\Windows\win32dc\Sims 2 hack.exe (14311 bytes)
C:\Windows\win32dc\Doom 3(fix).exe (673 bytes)
C:\Windows\win32dc\DAoC_hack.exe (14311 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
14adccde406dc5dcc07b1e3d0453ab94 | c:\Windows\win32dc\DAoC_hack.exe |
bd97851c140c0fad6eb948c2bbc560ba | c:\Windows\win32dc\FlatOut codes.exe |
bb1fbf5b9e25da5bd217a6f147adffd4 | c:\Windows\win32dc\Half-Life 2 cheat.exe |
82bd97959466f2b7cb6fa1bf354d6242 | c:\Windows\win32dc\Half-Life 2_cdfix.exe |
42c1796183e048c8ea91eb07cf5aea90 | c:\Windows\win32dc\Silent Hill 4_nocd.exe |
1504f1953f5e68b731e29eb3044d1b47 | c:\Windows\win32dc\Sims 2 hack.exe |
a6a6026a5f5b0ffce5d869a72b73b746 | c:\Windows\win32dc\Sims 2_codes.exe |
51be7173ae71676016da910942c8f32d | c:\Windows\win32dc\UT2004 fix.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original GenPack file.
- Delete or disinfect the following files created/modified by the GenPack:
C:\Windows\win32dc\Half-Life 2_cdfix.exe (14311 bytes)
C:\Windows\win32dc\Half-Life 2 cheat.exe (10879 bytes)
C:\Windows\win32dc\FlatOut codes.exe (2533 bytes)
C:\Windows\win32dc\Half-Life 2(fix).exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4_nocd.exe (6639 bytes)
C:\Windows\win32dc\UT2004 fix.exe (6639 bytes)
C:\Windows\win32dc\Sims 2_codes.exe (6639 bytes)
C:\Windows\win32dc\Sims 2 hack.exe (14311 bytes)
C:\Windows\win32dc\Doom 3(fix).exe (673 bytes)
C:\Windows\win32dc\DAoC_hack.exe (14311 bytes)
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 57344 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 61440 | 77824 | 76288 | 5.5233 | 8ae8eef372fda48ddcdd1ecf9efd86dc |
.rsrc | 139264 | 4096 | 2048 | 2.63797 | b5916a1f63e299e8c8a487a2ccfe581b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 21
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The GenPack connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1792:
`.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
.UnT)
&pWebServ
URL!w
_%'(2($3
4-%7x[
#"%$'&)( *-,/.1]
KERNEL32.DLL
advapi32.dll
mpr.dll
oleaut32.dll
shell32.dll
URLMON.DLL
user32.dll
wininet.dll
wsock32.dll
%original file name%.exe_1792_rwx_00401000_00014000:
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
.UnT)
&pWebServ
URL!w