Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, IRC-Worm, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 39616b14731ccbded5730d882fc769b5
SHA1: ff55c534bf25f2715a5605afcb79dce4dc8ee45d
SHA256: 436ffa028016251ed0882efc88b68fbb81749d4407cb220914c3bc6d17d78524
SSDeep: 24576:/gFkg R9SDI5xJyyUACeB3gJxL9CC/XV/1FHA0dVZcn:IKgI9SGJpU8BQPL9CeVk0Zcn
Size: 950828 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware onto the user's system.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
IRCBot | A bot that can communicate with command and control servers via an IRC channel. |
Process activity
The Dropped creates the following process(es):
%original file name%.exe:1480
The Dropped injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1480 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Windows\win32dc\Silent Hill 4(patch).exe (8953 bytes)
C:\Windows\win32dc\BattleField 1942 cheat.exe (7345 bytes)
C:\Windows\win32dc\Silent Hill 4(codes).exe (7345 bytes)
C:\Windows\win32dc\Half-Life 2(nocd).exe (7345 bytes)
C:\Windows\win32dc\Counter-Strike_trainer.exe (7345 bytes)
C:\Windows\win32dc\DAoC(hack).exe (25525 bytes)
C:\Windows\win32dc\Half-Life 2_hack.exe (7345 bytes)
C:\Windows\win32dc\Quake3 trainer.exe (7345 bytes)
C:\Windows\win32dc\Sims 2 patch.exe (12993 bytes)
C:\Windows\win32dc\UT2004 trainer.exe (12993 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
9de512c8216acb8683ab7807af1d0fbf | c:\Windows\win32dc\DAoC(hack).exe |
1261dc0c0ebaa365225af1272769d36f | c:\Windows\win32dc\Silent Hill 4(patch).exe |
928bb8d08e88ad68784cf69b827fadce | c:\Windows\win32dc\Sims 2 patch.exe |
5c84f09b197e1961d52e14092e03927a | c:\Windows\win32dc\UT2004 trainer.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1480
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
C:\Windows\win32dc\Silent Hill 4(patch).exe (8953 bytes)
C:\Windows\win32dc\BattleField 1942 cheat.exe (7345 bytes)
C:\Windows\win32dc\Silent Hill 4(codes).exe (7345 bytes)
C:\Windows\win32dc\Half-Life 2(nocd).exe (7345 bytes)
C:\Windows\win32dc\Counter-Strike_trainer.exe (7345 bytes)
C:\Windows\win32dc\DAoC(hack).exe (25525 bytes)
C:\Windows\win32dc\Half-Life 2_hack.exe (7345 bytes)
C:\Windows\win32dc\Quake3 trainer.exe (7345 bytes)
C:\Windows\win32dc\Sims 2 patch.exe (12993 bytes)
C:\Windows\win32dc\UT2004 trainer.exe (12993 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 40592 | 40960 | 4.37354 | 4599c8e48266467f9472d9c0076da0aa |
DATA | 45056 | 416 | 512 | 2.59038 | 6723f313105be59e8f34015bac1ef0c6 |
BSS | 49152 | 4493 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 57344 | 2332 | 2560 | 2.95832 | 1f3c6fef94d61a4d2beebca25d327785 |
.tls | 61440 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 65536 | 24 | 512 | 0.129329 | bf98d008e3e41c32258f4ddad0423dfc |
.reloc | 69632 | 2396 | 2560 | 4.48773 | c247e5d4f27055db8d87da84767714bb |
.rsrc | 73728 | 1536 | 1536 | 2.62048 | b115dc78febf3048a6accb9f8efeb1de |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 967
ef2d2eb0996329df1775d6f51f5b214a
0d6fa406363c05c16ae6e1af0ce12c0a
03c781a6965f6b1b25fa895800b1b1e5
0197fcc9bb2f87d7c64ddf7b16f9aceb
ffbf5ca43e7f00e563bd40aba26485b8
fe4258c6e6f4e6e86f3f5fa18720c98f
fb7111c8b178d3fc398f87e375f2575c
f8a5d2ab9aa7ea718fa81a43b4d8962d
f8067216f917b5adc5a343562c43d8ff
f02d5b794b5e76952082317006b117ba
f726af446230c20ad1584fdbd907bb84
f6038034176213e4a3625f206f70d150
f54b65acaa79d05ebf0251a97634c9b3
f4ddca27d900f748616577af83cf73c6
e929d45d6a2f2a49a2979ce9089ae7e3
e521c29d51fc9df2c357e13c4b964a52
e3cd31d804be2b2634e8a8f0f57b6fc7
da70d6916a2844b007a84f6e6ca6b137
d8ae2f723b706af5b0fe92e6cbd842ca
d6ca306f597ab0b9668568f7e7fd077a
d668564cb93ba6bede5f5300bcfae4b1
d646734a392c58500ed667a8881ba2d2
cee9805f07ed037c31103eb617c78a9d
cedd7b56e3da809017c21ca038ddc0dd
cdedb27e16887f4bf47ebc048887dfa2
c4b21001f3ecb9fa868fa38f74766074
Network Activity
URLs
URL | IP |
---|---|
irc.lcirc.net | 206.41.117.114 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Dropped connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1480:
.idata
.rdata
P.reloc
P.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:File Executed
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
irc.lcirc.net
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
mpr.dll
wsock32.dll
shell32.dll
ShellExecuteA
wininet.dll
URLMON.DLL
URLDownloadToFileA
KWindows
&pWebServer