Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, IRC-Worm, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6bbdeaae367fd0b7abe1713dbb9d6539
SHA1: 9664217d037f0bc20d67af3d41bc1bc8ca2d7447
SHA256: d001c58b5d2467332812ed7528f017aa02cb386bfdf309b0e14599835a661fcc
SSDeep: 24576:/gFkg R9SDI5xJyTzgLqZQg2v58fdCUO/A5d7okvyhZHfsQgGU6iYkL:IKgI9SGJGcLmE8f0UO/W7vyhZHfsV6id
Size: 1292723 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17 (this is the fixed timestamp written by the Borland Delphi linker, not a real build time; together with the CODE/DATA/BSS section names below it indicates a Delphi-compiled binary)
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-Dropper. A Trojan program intended to install other malware on the user's system without the user's knowledge.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The dropper creates the following process(es):
%original file name%.exe:2388
The dropper injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2388 makes changes to the file system.
The dropper creates and/or writes to the following file(s):
C:\Windows\win32dc\Counter-Strike patch.exe (7971 bytes)
C:\Windows\win32dc\Silent Hill 4 fix.exe (15901 bytes)
C:\Windows\win32dc\Sims 2_patch.exe (10897 bytes)
C:\Windows\win32dc\DAoC_cdfix.exe (8555 bytes)
C:\Windows\win32dc\Half-Life 2(cdfix).exe (15901 bytes)
C:\Windows\win32dc\Sims 2_serial.exe (7971 bytes)
C:\Windows\win32dc\Doom 3 hack.exe (7971 bytes)
C:\Windows\win32dc\FlatOut(trainer).exe (7971 bytes)
C:\Windows\win32dc\Sims 2 cdfix.exe (8555 bytes)
C:\Windows\win32dc\Sims 2 cheat.exe (10897 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
aa2be04f4b1a2e5e684dfd3485a39fbc | c:\Windows\win32dc\DAoC_cdfix.exe |
ac0e5467dbb0e7c5802f4dec7c5b722f | c:\Windows\win32dc\Half-Life 2(cdfix).exe |
88d93d4a0d67bd19890d6b6440ed3eec | c:\Windows\win32dc\Silent Hill 4 fix.exe |
f1c3f7a0b890be1511d0dbcad0e0aacb | c:\Windows\win32dc\Sims 2 cdfix.exe |
9ad465eafd785e941a8f4dac4c1c3815 | c:\Windows\win32dc\Sims 2 cheat.exe |
279183c128ebf39c982a7abb8257bf6c | c:\Windows\win32dc\Sims 2_patch.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
No propagation was recorded in this run. The game-crack style file names written to C:\Windows\win32dc\ and the DCPlusPlus.xml / dcplusplus.xml strings in the process dump suggest the dropped files are intended to be shared as bait over Direct Connect (DC++) peer-to-peer, and the %rnddir%\%rand%.exe and \WINDOWS\Start Menu\Programs\Startup\ strings suggest Startup-folder persistence; neither behaviour was observed by the sandbox.
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2388
- Delete the original dropper file.
- Delete or disinfect the following files created/modified by the dropper:
C:\Windows\win32dc\Counter-Strike patch.exe (7971 bytes)
C:\Windows\win32dc\Silent Hill 4 fix.exe (15901 bytes)
C:\Windows\win32dc\Sims 2_patch.exe (10897 bytes)
C:\Windows\win32dc\DAoC_cdfix.exe (8555 bytes)
C:\Windows\win32dc\Half-Life 2(cdfix).exe (15901 bytes)
C:\Windows\win32dc\Sims 2_serial.exe (7971 bytes)
C:\Windows\win32dc\Doom 3 hack.exe (7971 bytes)
C:\Windows\win32dc\FlatOut(trainer).exe (7971 bytes)
C:\Windows\win32dc\Sims 2 cdfix.exe (8555 bytes)
C:\Windows\win32dc\Sims 2 cheat.exe (10897 bytes)
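An added host-triage script for the manual-removal step above (Python; not part of the Lavasoft report). It checks a suspected win32dc directory against the ten dropped-file names and sizes from the file-activity list and the six MD5s from the "Dropped PE files" table, and only reports, leaving deletion to the operator. The directory it scans is constructed in a temporary folder, and the hypothetical `run_demo` helper seeds one constructed file's hash into the known set so the hash branch runs without the real samples:

```python
"""Added example (not part of the Lavasoft report): triage a suspected
C:\\Windows\\win32dc directory against the dropped-file names, sizes and
MD5 hashes listed in the report. The script only reports; it deletes nothing."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

# MD5 -> file name, from the "Dropped PE files" table (6 of the 10 files).
KNOWN_MD5: Dict[str, str] = {
    "aa2be04f4b1a2e5e684dfd3485a39fbc": "DAoC_cdfix.exe",
    "ac0e5467dbb0e7c5802f4dec7c5b722f": "Half-Life 2(cdfix).exe",
    "88d93d4a0d67bd19890d6b6440ed3eec": "Silent Hill 4 fix.exe",
    "f1c3f7a0b890be1511d0dbcad0e0aacb": "Sims 2 cdfix.exe",
    "9ad465eafd785e941a8f4dac4c1c3815": "Sims 2 cheat.exe",
    "279183c128ebf39c982a7abb8257bf6c": "Sims 2_patch.exe",
}
# File name -> size in bytes, from the "File activity" list (all 10 files).
DROPPED_FILES: Dict[str, int] = {
    "Counter-Strike patch.exe": 7971,
    "Silent Hill 4 fix.exe": 15901,
    "Sims 2_patch.exe": 10897,
    "DAoC_cdfix.exe": 8555,
    "Half-Life 2(cdfix).exe": 15901,
    "Sims 2_serial.exe": 7971,
    "Doom 3 hack.exe": 7971,
    "FlatOut(trainer).exe": 7971,
    "Sims 2 cdfix.exe": 8555,
    "Sims 2 cheat.exe": 10897,
}


def md5_of(path: Path) -> str:
    """MD5 of a file, read in chunks so large files do not go through memory at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_dir(directory: Path, known_md5: Dict[str, str] = KNOWN_MD5,
               dropped: Dict[str, int] = DROPPED_FILES) -> Dict[str, str]:
    """Classify each file: hash-match (strongest), name+size-match,
    name-match (right name, different size: possibly another build), or unknown."""
    verdicts: Dict[str, str] = {}
    for p in sorted(directory.iterdir()):
        if not p.is_file():
            continue
        if md5_of(p) in known_md5:
            verdicts[p.name] = "hash-match"
        elif p.name in dropped and p.stat().st_size == dropped[p.name]:
            verdicts[p.name] = "name+size-match"
        elif p.name in dropped:
            verdicts[p.name] = "name-match"
        else:
            verdicts[p.name] = "unknown"
    return verdicts


def run_demo() -> Dict[str, str]:
    """Build a constructed win32dc folder in a temp dir and triage it. One
    constructed file's hash is added to the known set so the hash branch is
    exercised; the real dropped files are not reproduced here."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "Windows" / "win32dc"
        d.mkdir(parents=True)
        (d / "Doom 3 hack.exe").write_bytes(b"\0" * 7971)        # constructed content
        (d / "FlatOut(trainer).exe").write_bytes(b"A" * 7971)    # right name and size
        (d / "Sims 2 cheat.exe").write_bytes(b"B" * 100)         # right name, wrong size
        (d / "readme.txt").write_bytes(b"not malware")           # unrelated file
        known = dict(KNOWN_MD5)
        known[md5_of(d / "Doom 3 hack.exe")] = "Doom 3 hack.exe"  # hypothetical seed
        return triage_dir(d, known_md5=known)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:16} {name}")
```

Size alone is a weak tier: the ten dropped files share only four distinct sizes (7971, 8555, 10897 and 15901 bytes), and files of equal size in the report still have different MD5s, so a name+size match should prompt hashing and submission rather than be treated as confirmation.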
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40592 | 40960 | 4.37354 | 4599c8e48266467f9472d9c0076da0aa |
DATA | 45056 | 416 | 512 | 2.59038 | 6723f313105be59e8f34015bac1ef0c6 |
BSS | 49152 | 4493 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 57344 | 2332 | 2560 | 2.95832 | 1f3c6fef94d61a4d2beebca25d327785 |
.tls | 61440 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 65536 | 24 | 512 | 0.129329 | bf98d008e3e41c32258f4ddad0423dfc |
.reloc | 69632 | 2396 | 2560 | 4.48773 | c247e5d4f27055db8d87da84767714bb |
.rsrc | 73728 | 1536 | 1536 | 2.62048 | b115dc78febf3048a6accb9f8efeb1de |
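The raw sizes in the table sum to 48,640 bytes, while the file is 1,292,723 bytes, so roughly 1.24 MB of the file lies outside the section table (headers aside). That is consistent with a dropper carrying its payloads as overlay, and it likely explains why the summary reports "Entropy: Packed" even though no mapped section exceeds 4.5 bits per byte. The following added example (Python; not part of the Lavasoft report) walks a PE section table, computes each section's Shannon entropy the way the table's Entropy column does, and measures the overlay. The PE image it parses is constructed in memory by the hypothetical `build_sample_pe` helper so the script runs offline; its optional header is zeroed and it is not loadable, only parseable:

```python
"""Added example (not part of the Lavasoft report): parse a PE section table,
compute each section's Shannon entropy and the size of the overlay (bytes past
the end of the last section's raw data). The image used below is constructed
in memory so the script runs offline."""
import math
import struct
from collections import Counter
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input (cf. BSS and .tls with raw size 0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> Tuple[List[Dict], int]:
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (sections, overlay_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_opt,) = struct.unpack_from("<H", pe, coff + 16)
    sec_table = coff + 20 + size_opt
    data_end = sec_table + 40 * num_sections      # at least the headers
    sections: List[Dict] = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", pe, sec_table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""   # raw size 0: nothing on disk
        data_end = max(data_end, rptr + rsize)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": rsize,
            "entropy": shannon_entropy(raw),
        })
    return sections, max(len(pe) - data_end, 0)


def build_sample_pe(sections: List[Tuple[bytes, bytes, int]], overlay: bytes) -> bytes:
    """Hypothetical helper: a minimal PE32 image with just enough header to be
    parsed (not loaded). `sections` is a list of (name, raw_bytes, virtual_size)."""
    size_opt, e_lfanew = 224, 0x40
    sec_table = e_lfanew + 4 + 20 + size_opt
    data_ptr = sec_table + 40 * len(sections)
    hdr = bytearray(b"MZ").ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    hdr += bytes(size_opt)                       # optional header, zeroed
    body, vaddr = bytearray(), 0x1000
    for name, raw, vsize in sections:
        rptr = data_ptr + len(body) if raw else 0
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), rptr,
                           0, 0, 0, 0, 0x60000020)
        body += raw
        vaddr += 0x1000
    return bytes(hdr + body + overlay)


def run_demo() -> Dict[str, object]:
    """Constructed image: a CODE section of uniformly distributed bytes, an
    empty BSS section (no raw data), a low-entropy .rsrc, and a 2050-byte
    overlay standing in for an embedded payload."""
    pe = build_sample_pe(
        [(b"CODE", bytes(range(256)) * 4, 1024),
         (b"BSS", b"", 4493),
         (b".rsrc", b"A" * 512, 512)],
        overlay=b"MZ" + bytes(range(256)) * 8)
    sections, overlay = parse_sections(pe)
    return {"sections": sections, "overlay": overlay, "file_size": len(pe),
            "raw_total": sum(s["raw_size"] for s in sections)}


if __name__ == "__main__":
    r = run_demo()
    for s in r["sections"]:
        print(f"{s['name']:8} raw={s['raw_size']:6} entropy={s['entropy']:.3f}")
    print(f"file={r['file_size']} sections={r['raw_total']} overlay={r['overlay']}")
```

When the overlay is larger than the sections combined, as it is here, carve it (starting at the end of the last section's raw data) and look for further MZ headers; the six dropped PEs in the table are the natural candidates.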
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2158 (26 listed below)
ef2d2eb0996329df1775d6f51f5b214a
fe5effff156ab62ca963488c6b45f910
ff905598c62bef010586bc69a75304ce
fe054287566194de1b0f1221826f7929
fd9ce1ecbf172d679ed863a6f17512df
fd1ad212cbee93591274251a3a856f8e
fc2dacfad86d623c79b312cf89aeb09f
fc2a040f0a41ea1cbc3c0018fd7b61cf
fa97b2f6651c7e7aed45ac9cbf639521
fa7e0cf7a6c7b7c1fe73331da267f9e2
f6e5cb71d2029dbe4a9d0d47a7a93129
f9d75297710cc6d397afc19f9895e53d
f98230005a0768555a95cbe06c3fd441
f8e1a0edd5c4261de6d65ca31bf6ae8d
f8c7ee3be4eee79c0f4519d5cb028492
f86d2014c349bd8b68cc0fab74612d2e
f7ee13e579c0ed4c5f058cfd0c7f5d36
f7b5319ab86561dd9cc211faac94f2c3
f2909e540ba2073c72a83beddef961d4
f0113ab5b220f2fcea57a9b353b195a1
f1866c35153dd9086a0515c7a9b007e1
f0f8aa800bf06a5f16ad5a5804958571
f67673ded5bab89f0a9b1f058fe73627
f66fa8319b3d1aea26c6e2eb5e2811b2
f645f395aa206f427b85df5f2f3c82a8
f578934f5791b6f3fcdd49d4f97dab07
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The dropper connects to servers at the following location(s):
Strings from Dumps
%original file name%.exe_2388:
.idata
.rdata
P.reloc
P.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:File Executed
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
irc.lcirc.net
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
mpr.dll
wsock32.dll
shell32.dll
ShellExecuteA
wininet.dll
URLMON.DLL
URLDownloadToFileA
KWindows
&pWebServer
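The dump strings above are the only C2 evidence on this page: the sandbox recorded no traffic, but NICK, JOIN and PRIVMSG next to the server name irc.lcirc.net, the word login, and the trailing parameter ":File Executed" are what an IRC bot's protocol leaves behind. The following added example (Python; not part of the Lavasoft report) is a minimal RFC 1459 line parser and a matcher that scores a session against exactly those strings. The session lines are constructed for illustration, the server names other than irc.lcirc.net are placeholders, and treating "login" as the first word of a PRIVMSG is an assumption about the bot's syntax that the dump does not confirm:

```python
"""Added example (not part of the Lavasoft report): a minimal IRC (RFC 1459)
line parser plus a matcher for the IRC-related strings recovered from the
process dump. Session lines below are constructed; the report's own network
section recorded no traffic."""
import re
from typing import Dict, List, Optional, Set

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")

# Indicators taken from the "Strings from Dumps" section of the report.
C2_HOST = "irc.lcirc.net"
VERBS = {"NICK", "JOIN", "PRIVMSG"}
AUTH_WORD = "login"               # assumption: bot auth as first word of a PRIVMSG
EXEC_REPLY = "File Executed"      # dumped as ":File Executed", i.e. a trailing parameter


def parse_irc_line(line: str) -> Dict[str, object]:
    """Split one line into prefix, command, middle params and trailing param."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an IRC line: {line!r}")
    params_raw = m.group("params") or ""
    trailing: Optional[str]
    if params_raw.startswith(":"):
        middle, trailing = "", params_raw[1:]
    elif " :" in params_raw:
        middle, trailing = params_raw.split(" :", 1)
    else:
        middle, trailing = params_raw, None
    return {"prefix": m.group("prefix"), "command": m.group("command").upper(),
            "params": middle.split(), "trailing": trailing}


def match_indicators(server: str, lines: List[str]) -> Set[str]:
    """Return the set of report-derived indicators seen in one session."""
    hits: Set[str] = set()
    if server.lower() == C2_HOST:
        hits.add("server:" + C2_HOST)
    for line in lines:
        try:
            msg = parse_irc_line(line)
        except ValueError:
            continue                          # skip non-IRC noise in a capture
        cmd = msg["command"]
        if cmd in VERBS:
            hits.add("verb:" + cmd)
        trailing = msg["trailing"] or ""
        if cmd == "PRIVMSG":
            if trailing.split(" ", 1)[0].lower() == AUTH_WORD:
                hits.add("privmsg:login")
            if trailing.startswith(EXEC_REPLY):
                hits.add("privmsg:File Executed")
    return hits


def classify(hits: Set[str]) -> str:
    """Server name or the bot-specific PRIVMSG strings are strong; the three
    verbs alone are just IRC and are expected from any client."""
    strong = {"server:" + C2_HOST, "privmsg:login", "privmsg:File Executed"}
    if hits & strong:
        return "likely-bot"
    return "irc-only" if hits else "clean"


# Constructed sessions, modelled on the dumped strings; not observed traffic.
BOT_SESSION = [
    "NICK xkq82n",
    "USER xkq82n 0 * :xkq82n",
    "JOIN #chan",
    ":op!op@host PRIVMSG #chan :login s3cret",
    "PRIVMSG #chan :File Executed",
]
CHAT_SESSION = [
    "NICK alice",
    "JOIN #python",
    "PRIVMSG #python :anyone seen the new release?",
]


def run_demo() -> Dict[str, str]:
    return {"bot": classify(match_indicators("irc.lcirc.net", BOT_SESSION)),
            "chat": classify(match_indicators("irc.example.net", CHAT_SESSION))}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The verbs on their own prove only that the process speaks IRC; what separates this sample from a chat client is the destination irc.lcirc.net and the two bot-specific PRIVMSG strings, so the classifier weights those and not the verbs. The same strings translate directly into network detection (a DNS query for irc.lcirc.net, or PRIVMSG payloads carrying "File Executed") for the IDS section that is empty on this page.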