Dropped:Generic.Malware.Sdld.C425D330 (BitDefender), Trojan:Win32/Bagsu!rfn (Microsoft), Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Trojan.Win32.Luiha.bn (v) (VIPRE), Trojan.Siggen3.61286 (DrWeb), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Generic BackDoor.ww (McAfee), Backdoor.Trojan (Symantec), Trojan-Dropper.Delf (Ikarus), Dropped:Generic.Malware.Sdld.C425D330 (FSecure), BackDoor.Generic14.CFDD (AVG), Win32:IRCBot-EXE [Trj] (Avast), TROJ_GEN.R031C0CK216 (TrendMicro), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Backdoor, Worm, IRC-Worm, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5241da871170d9dd6ba25a685bc1fbe5
SHA1: e84e892a1c78819edaeeeb50fe0226959e491aa9
SHA256: 93b27330ba3067d5ab3be57885aa7d8097db548f8cb4e533e9be8508e442bc3f
SSDeep: 24576:/gFkg R9SDI5xJyyUACeB3gJxL9CC/XV/1VMvoDg3amvsI Wz7UKpz7PJT:IKgI9SGJpU8BQPL9CeVSoDgqmR WzRLT
Size: 1313439 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ??????????? ???????????, 2007-2009
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Dropped creates the following process(es):
%original file name%.exe:1672
The Dropped injects its code into the following process(es):No processes have been created.
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:1672 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Windows\win32dc\Counter-Strike codes.exe (8907 bytes)
C:\Windows\win32dc\Doom 3 crack.exe (16769 bytes)
C:\Windows\win32dc\Doom 3_fix.exe (11415 bytes)
C:\Windows\win32dc\Doom 3 crack.exe (8281 bytes)
C:\Windows\win32dc\Silent Hill 4_hack.exe (8907 bytes)
C:\Windows\win32dc\Sims 2 cheat.exe (19302 bytes)
C:\Windows\win32dc\Silent Hill 4(hack).exe (19302 bytes)
C:\Windows\win32dc\Counter-Strike_codes.exe (11415 bytes)
C:\Windows\win32dc\Sims 2 serial.exe (19302 bytes)
C:\Windows\win32dc\BattleField 1942_trainer.exe (11415 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| de8daff5530345b5840f0ad11e2e2aee | c:\Windows\win32dc\BattleField 1942_trainer.exe |
| 98edfd274338588741192d43b5d4db2a | c:\Windows\win32dc\Counter-Strike codes.exe |
| 960519ab486cba95ff577f7af6abc2a9 | c:\Windows\win32dc\Counter-Strike_codes.exe |
| c5a2afb67653e9e3782a77b700069802 | c:\Windows\win32dc\Doom 3 crack.exe |
| 29747b2d53986f78d30c34c8f378f871 | c:\Windows\win32dc\Doom 3_fix.exe |
| c7b234b49f3c46a402569995fccb5abc | c:\Windows\win32dc\Silent Hill 4(hack).exe |
| ef34af0f10fefe98c4d1874b1f4e423f | c:\Windows\win32dc\Silent Hill 4_hack.exe |
| 9cd6b123f3aebba383bc844260d5d484 | c:\Windows\win32dc\Sims 2 cheat.exe |
| f554fa06f04069230b675825331d8ec7 | c:\Windows\win32dc\Sims 2 serial.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1672
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
C:\Windows\win32dc\Counter-Strike codes.exe (8907 bytes)
C:\Windows\win32dc\Doom 3 crack.exe (16769 bytes)
C:\Windows\win32dc\Doom 3_fix.exe (11415 bytes)
C:\Windows\win32dc\Doom 3 crack.exe (8281 bytes)
C:\Windows\win32dc\Silent Hill 4_hack.exe (8907 bytes)
C:\Windows\win32dc\Sims 2 cheat.exe (19302 bytes)
C:\Windows\win32dc\Silent Hill 4(hack).exe (19302 bytes)
C:\Windows\win32dc\Counter-Strike_codes.exe (11415 bytes)
C:\Windows\win32dc\Sims 2 serial.exe (19302 bytes)
C:\Windows\win32dc\BattleField 1942_trainer.exe (11415 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 40592 | 40960 | 4.37354 | 4599c8e48266467f9472d9c0076da0aa |
| DATA | 45056 | 416 | 512 | 2.59038 | 6723f313105be59e8f34015bac1ef0c6 |
| BSS | 49152 | 4493 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 57344 | 2332 | 2560 | 2.95832 | 1f3c6fef94d61a4d2beebca25d327785 |
| .tls | 61440 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 65536 | 24 | 512 | 0.129329 | bf98d008e3e41c32258f4ddad0423dfc |
| .reloc | 69632 | 2396 | 2560 | 4.48773 | c247e5d4f27055db8d87da84767714bb |
| .rsrc | 73728 | 1536 | 1536 | 2.62048 | b115dc78febf3048a6accb9f8efeb1de |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 882
ef2d2eb0996329df1775d6f51f5b214a
f740ff60d0ec233f7e955ede5e77fb83
fe0def9a55452507fdff638358d8a1ff
f4f5bba4d4f4086afbb878c2f541a7e0
f3aa4d1b4394101bf8d3dd967c20f3c3
ecfbd936a27de98dab895d92238b5b78
e6062045d1835907af3dd28ed4e13997
c82648bf52942ee83e639e5019c417e2
c050cd1b809541253ff88ee562eaa9f8
bfa30611ed105bbbaa4fcfda3554507c
bc4f499e10f6550c18eb2735e724e135
b653fa5261b9e7c496d436078e5a54e0
b64d60a1ef01cfe7f7954a2f84d923d3
9dc8f82010d6947f9eb4ca2ef89448c2
9d44bba5914e846bb87f0a768adebcb3
9d90741ff90c9a8c5503909f8f65edca
ad4cd03b5eaeff7c70e29a564f7fba2a
a567fd1311445aefe3897b924bde36cf
a1a2076501ac91abde0ceef2574d8f7e
9b2737ede92e073aa7c93aae769a2dcd
958f0a7ee5d4012536f27b118216e67e
90d2d6104645a20c41cc5565a5469bea
8ae0dbf986d8a093b90cf6e0d9dd064e
8765e4dc9a0f039a5c287ba7b2070b04
80410d3e36eba7f4c898207b506eebe9
7e79c96343b3a37db0259a0a695c593d
Network Activity
URLs
| URL | IP |
|---|---|
| irc.lcirc.net | 206.41.117.114 |
| time.windows.com | 13.80.12.54 |
| dns.msftncsi.com | 131.107.255.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Dropped connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1672:
.idata
.idata
.rdata
.rdata
P.reloc
P.reloc
P.rsrc
P.rsrc
PRIVMSG
PRIVMSG
JOIN
JOIN
login
login
PRIVMSG
PRIVMSG
:File Executed
:File Executed
(netbios_invalidpass:
(netbios_invalidpass:
File(%cur%\
File(%cur%\
File(%sys%\
File(%sys%\
rndnick
rndnick
NICK
NICK
join
join
%sys%\
%sys%\
%cur%\
%cur%\
%rnddir%\%rand%.exe
%rnddir%\%rand%.exe
system.ini
system.ini
explorer.exe
explorer.exe
.com "win2k" :
.com "win2k" :
DCPlusPlus.xml
DCPlusPlus.xml
dcplusplus.xml
dcplusplus.xml
%sys%
%sys%
%cur%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
netapi32.dll
%rnddir%\%rand%.com
%rnddir%\%rand%.com
irc.lcirc.net
irc.lcirc.net
kernel32.dll
kernel32.dll
user32.dll
user32.dll
GetKeyboardType
GetKeyboardType
advapi32.dll
advapi32.dll
RegOpenKeyExA
RegOpenKeyExA
RegCloseKey
RegCloseKey
oleaut32.dll
oleaut32.dll
GetWindowsDirectoryA
GetWindowsDirectoryA
mpr.dll
mpr.dll
wsock32.dll
wsock32.dll
shell32.dll
shell32.dll
ShellExecuteA
ShellExecuteA
wininet.dll
wininet.dll
URLMON.DLL
URLMON.DLL
URLDownloadToFileA
URLDownloadToFileA
KWindows
KWindows
&pWebServer
&pWebServer