Detection names: Trojan.Crypt.DW (BitDefender), Virus:Win32/Duel.A@mm (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), LooksLike.Win32.Malware!B (v) (VIPRE), Win32.XWorm.1 (DrWeb), Trojan.Crypt.DW (B) (Emsisoft), Generic-FAGI!A68BE1A696D2 (McAfee), W32.Mixor (Symantec), Email-Worm.Win32.Brontok (Ikarus), Trojan.Crypt.DW (FSecure), I-Worm/Luder.A (AVG), Win32:Sality (Avast), Mal_Xed-3 (TrendMicro), Trojan.Crypt.DW (AdAware), Virus.Win32.Duel.FD, GenericEmailWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Email-Worm, EmailWorm, Virus, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a68be1a696d205b0c7b9a698fabd8bb0
SHA1: 2ce75607cba984a5d7f3714220dac5883ea2b31c
SHA256: 45154c954edd9be4b5387d655840dfbd9df5904459e9c9a3c28e9931f890f9a3
SSDeep: 1536:/7weLt6EkI5YiMyM1/DWHLSzcig1lm1jW/nfIDVZbFr59s79uDN:/7hPYiMyUISzcvrFy3bz9soR
Size: 104448 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 1983-03-19 13:58:55
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Virus creates the following process(es):
dwwin.exe:560
%original file name%.exe:1796
The Virus injects its code into the following process(es):
No processes have been created.
File activity
The process dwwin.exe:560 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AF58A.dmp (78368 bytes)
The process %original file name%.exe:1796 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ebd4_appcompat.txt (6214 bytes)
%Documents and Settings%\%current user%\Templates\excel.xls (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\yjzbyjaya.yarzbyq.qjb (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rrrria.izj.aary (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\qjyzbzbyq.qjb (601 bytes)
%WinDir%\xwrm.exe (601 bytes)
Registry activity
The process dwwin.exe:560 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 09 44 14 C8 07 95 C2 47 93 21 63 21 42 37 0B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1796 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 B1 F3 89 41 5B 3D E4 60 CD F0 74 D3 93 B0 3C"
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"
The Virus deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Virus deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
Dropped PE files
MD5 | File path |
---|---|
dd99c13d3924847e1f6a020a51823297 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\qjyzbzbyq.qjb |
dd99c13d3924847e1f6a020a51823297 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\yjzbyjaya.yarzbyq.qjb |
dd99c13d3924847e1f6a020a51823297 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\rrrria.izj.aary |
dd99c13d3924847e1f6a020a51823297 | c:\WINDOWS\xwrm.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:560
%original file name%.exe:1796
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AF58A.dmp (78368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ebd4_appcompat.txt (6214 bytes)
%Documents and Settings%\%current user%\Templates\excel.xls (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\yjzbyjaya.yarzbyq.qjb (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rrrria.izj.aary (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\qjyzbzbyq.qjb (601 bytes)
%WinDir%\xwrm.exe (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
qajqrzqy | 4096 | 4096 | 1536 | 0.67347 | 6418f2ee81458cd079564c21ec5fed6c |
jaaariza | 8192 | 32768 | 32256 | 4.40632 | 8e1304bec89f72985c236be4e75fabc8 |
rrrziiir | 40960 | 4096 | 512 | 0.468013 | 03990ce32513f25d3855296b7bc8aa4d |
rqyrabrr | 45056 | 4096 | 2048 | 3.92473 | 6481060bb77e469e5fdb95d8e5c6ab31 |
ararqqjy | 49152 | 61440 | 61440 | 5.35896 | af1e1ae8ab12cd9118aa6656063eec94 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Strings from Dumps
%original file name%.exe_1796:
\xwrm.exe
%WinDir%\xwrm.exe
Software\Microsoft\Windows\CurrentVersion\Run
USER %s 8 * :%s
NICK %s
PONG %s
JOIN #england
PRIVMSG #england :.-:[X-Worm]:-.
irc.undernet.org
MAIL FROM:<%s>
RCPT TO:<%s>
--%s--
From:<%s>
To: %s
Subject:%s
boundary="%s"
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
charset="windows-1255"
name= "%s%s"
Content-Disposition: attachment; filename="%s%s"
Support
No.reply
8.txtt:
8.htmt2
8.rtft*
8.doct"
8.bdxt
8.phpt
8.jspt
8.cgit
smtp
ws2_32.dll
ADVAPI32.DLL
RegOpenKeyExA
RegCloseKey
User32.dll
excel.xls
ia Player.lnk
Commander.lnk
8.exe
8.scrtt
8.avitJ
8.doctB
8.mp3t:
8.mpgt2
8.xlst*
8.jpgt"
8.zipt
8.isot
8.pdft
8.pptt
8.rart
c:\Documents and Settings\"%CurrentUserName%"\Templates\excel.xls
indows Media Player.lnk
or Repair Total Commander.lnk
34_all_incr.msp
5ed9567-aa58-4c8e-a8ea-3cad7c47ab03
SFC.DLL
WinExec
yjzbyjaya.yar
c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\yjzbyjaya.yarzbyq.qjb
ReadMe.exe
c:\%original file name%.exe
dc1e038769a18baac8d80357541396.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rrrria.izj.aary
GetWindowsDirectoryA
FPTBAWDRF-INOCPANDANTIAMONN32SNOD3NPSSSMSSSCANZONEPROTMONIRWEBMIRCCKDOTROJSAFEJEDITRAYANDASPIDPLORNDLLTRENNSPLNSCHSYSTALERj
KERNEL32.dll
c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe