Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Worm, IRC-Worm, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4b7def6cf0a77c9d7f21227e588fd5d4
SHA1: 339216824034caa13ae4d88c3d29f1380dc5ac15
SHA256: 1fc6eace21744b56c34f43be44681a471a96830ce3a824414b15d2cf4a5bfe8a
SSDeep: 24576:/gFkg R9SDI5xJyyUACeB3gJxL9CC/XV/1VMvoDg3amvsI Wz7UKpz7PJXqzs:IKgI9SGJpU8BQPL9CeVSoDgqmR WzRLt
Size: 1426946 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Bandoo Media Inc.
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Dropped creates the following process(es):
%original file name%.exe:1964
The Dropped injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1964 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Windows\win32dc\Quake3(cdfix).exe (8657 bytes)
C:\Windows\win32dc\FlatOut nocd.exe (23652 bytes)
C:\Windows\win32dc\Silent Hill 4 fix.exe (8657 bytes)
C:\Windows\win32dc\UT2004(crack).exe (16349 bytes)
C:\Windows\win32dc\Doom 3(cheat).exe (16349 bytes)
C:\Windows\win32dc\FlatOut codes.exe (20211 bytes)
C:\Windows\win32dc\Doom 3 trainer.exe (16349 bytes)
C:\Windows\win32dc\Counter-Strike patch.exe (8657 bytes)
C:\Windows\win32dc\Half-Life 2 trainer.exe (8657 bytes)
C:\Windows\win32dc\Silent Hill 4 crack.exe (9509 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| d6ad7dc5d7114a44f1eb01a6f7d87ea9 | c:\Windows\win32dc\Doom 3 trainer.exe |
| 29c1d40535f37db5e31bda4078345001 | c:\Windows\win32dc\Doom 3(cheat).exe |
| 087bc2084b950d9c2222a81e94bde716 | c:\Windows\win32dc\FlatOut codes.exe |
| 652edd7f3e7b98edde9b1d0d532abd98 | c:\Windows\win32dc\FlatOut nocd.exe |
| 8a59570675cf044a67d6a02fbcb422f6 | c:\Windows\win32dc\Silent Hill 4 crack.exe |
| a30681e846579ac6bc2e96dc9422c4ea | c:\Windows\win32dc\UT2004(crack).exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1964
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
C:\Windows\win32dc\Quake3(cdfix).exe (8657 bytes)
C:\Windows\win32dc\FlatOut nocd.exe (23652 bytes)
C:\Windows\win32dc\Silent Hill 4 fix.exe (8657 bytes)
C:\Windows\win32dc\UT2004(crack).exe (16349 bytes)
C:\Windows\win32dc\Doom 3(cheat).exe (16349 bytes)
C:\Windows\win32dc\FlatOut codes.exe (20211 bytes)
C:\Windows\win32dc\Doom 3 trainer.exe (16349 bytes)
C:\Windows\win32dc\Counter-Strike patch.exe (8657 bytes)
C:\Windows\win32dc\Half-Life 2 trainer.exe (8657 bytes)
C:\Windows\win32dc\Silent Hill 4 crack.exe (9509 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 40592 | 40960 | 4.37354 | 4599c8e48266467f9472d9c0076da0aa |
| DATA | 45056 | 416 | 512 | 2.59038 | 6723f313105be59e8f34015bac1ef0c6 |
| BSS | 49152 | 4493 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 57344 | 2332 | 2560 | 2.95832 | 1f3c6fef94d61a4d2beebca25d327785 |
| .tls | 61440 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 65536 | 24 | 512 | 0.129329 | bf98d008e3e41c32258f4ddad0423dfc |
| .reloc | 69632 | 2396 | 2560 | 4.48773 | c247e5d4f27055db8d87da84767714bb |
| .rsrc | 73728 | 1536 | 1536 | 2.62048 | b115dc78febf3048a6accb9f8efeb1de |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1310
ef2d2eb0996329df1775d6f51f5b214a
9190f365b74a3aad5899e7cd64777955
8fc2c72e75293fb05da6a7621bbcb61e
88faf4c963a7ecdbd027e438035e7b7a
8439e7b0ee965ff14a181d730e978313
824e12bf73182f1e182778ae693f63c6
82b2087e0f5abc8e43300f8c6d7f905d
81d04280066d36345a88fe452f16800e
7edc03e629c9b45b51d14a33a3105099
7dce1160314464146b59236c2ab36e85
7a87b757dc75ccf58d156f31129b0c74
7804ebe22cfc3908060a22dc27eace9c
78e1af81752aa2027c81dace04fb7527
75c8e8520a63581c7d723be4ce5f6836
72d6b66b7014eb0a9d3a02836b191183
7200ab2d0786da6f30a7182d22ed54e5
6f9dc96aaf2be1de4e75532fd97cf480
69d47abc9332ae7635c77b5053a55f11
69c1412d222f14555dc1fe7fcf07f7ed
68f0cdd734f96e63d2308fd805ae0e6d
6402e5224c5f93a3c81cd9be4670ddb8
62cb8a80636078c164510f1911e5422e
617c07922f7ca78ffdb6edbc4244cb0b
5df56471381b1e600da2904c8ae5281e
5953dd60b70c2353bdeeb682edd13513
556def153405c3349fe982baa82bc654
Network Activity
URLs
| URL | IP |
|---|---|
| dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Dropped connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1964:
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
PRIVMSG
PRIVMSG
JOIN
JOIN
login
login
PRIVMSG
PRIVMSG
:File Executed
:File Executed
(netbios_invalidpass:
(netbios_invalidpass:
File(%cur%\
File(%cur%\
File(%sys%\
File(%sys%\
rndnick
rndnick
NICK
NICK
join
join
%sys%\
%sys%\
%cur%\
%cur%\
%rnddir%\%rand%.exe
%rnddir%\%rand%.exe
system.ini
system.ini
explorer.exe
explorer.exe
.com "win2k" :
.com "win2k" :
DCPlusPlus.xml
DCPlusPlus.xml
dcplusplus.xml
dcplusplus.xml
%sys%
%sys%
%cur%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
netapi32.dll
%rnddir%\%rand%.com
%rnddir%\%rand%.com
irc.lcirc.net
irc.lcirc.net
kernel32.dll
kernel32.dll
user32.dll
user32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
mpr.dll
mpr.dll
wsock32.dll
wsock32.dll
shell32.dll
shell32.dll
ShellExecuteA
ShellExecuteA
wininet.dll
wininet.dll
URLMON.DLL
URLMON.DLL
URLDownloadToFileA
URLDownloadToFileA
KWindows
KWindows
&pWebServer
&pWebServer