Virus.Win32.Duel_457c1601c5 – Adaware

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.
IRCBot	A bot can communicate with command and control servers via IRC channel.

Process activity

The Virus creates the following process(es):

dwwin.exe:1276
%original file name%.exe:1176

The Virus injects its code into the following process(es):

jajbjrq.cmd:2044

File activity

The process dwwin.exe:1276 makes changes in the file system.

The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\D082E.dmp (71707 bytes)

The process jajbjrq.cmd:2044 makes changes in the file system.

The Virus creates and/or writes to the following file(s):

%System%\WindowsUpdt.exe (19 bytes)

The process %original file name%.exe:1176 makes changes in the file system.

The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yjrrzi.iiry.qab (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5a1_appcompat.txt (6214 bytes)
%WinDir%\xwrm.exe (60 bytes)

Registry activity

The process dwwin.exe:1276 makes changes in the system registry.

The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 15 AE D9 49 2B AE C0 01 EB 5C 22 6F CF DB D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process jajbjrq.cmd:2044 makes changes in the system registry.

The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D EA 14 F2 7F F0 69 AC 1F AC 7E 77 3C C1 9F 4D"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WihdowsUpdate" = "%System%\WindowsUpdt.exe"

The process %original file name%.exe:1176 makes changes in the system registry.

The Virus creates and/or sets the following values in system registry:

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"

The Virus deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Virus deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

Dropped PE files

MD5	File path
d727e39cf368348bc7c9dfff9d0b24bd	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\yjrrzi.iiry.qab
aae37ad72f817dea8845ff32d16a8ba0	c:\WINDOWS\system32\WindowsUpdt.exe
d727e39cf368348bc7c9dfff9d0b24bd	c:\WINDOWS\xwrm.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:1276
%original file name%.exe:1176
Delete the original Virus file.
Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Local Settings\Temp\D082E.dmp (71707 bytes)
%System%\WindowsUpdt.exe (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yjrrzi.iiry.qab (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5a1_appcompat.txt (6214 bytes)
%WinDir%\xwrm.exe (60 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WihdowsUpdate" = "%System%\WindowsUpdt.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
ibyqyajq	4096	4096	1536	0.661358	3dba67c490ff0b1be143f6e28086124e
iaqjjrrz	8192	57344	55296	4.94106	16273c37f6628e83a549661044b8798a
qyjaaari	65536	4096	512	0.468013	dd766bd3556eda6b66f2d7b6ec1b0e21
zarrrzii	69632	4096	2048	4.10575	677f0a894d5ff2f6c088f025736ee3d8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

Strings from Dumps

%original file name%.exe_1176:

\xwrm.exe

%WinDir%\xwrm.exe

Software\Microsoft\Windows\CurrentVersion\Run

USER %s 8 * :%s

NICK %s

PONG %s

JOIN #england

PRIVMSG #england :.-:[X-Worm]:-.

irc.undernet.org

MAIL FROM:<%s>

RCPT TO:<%s>

--%s--

From:<%s>

To: %s

Subject:%s

boundary="%s"

X-Mailer: Microsoft Outlook Express 6.00.2800.1106

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

charset="windows-1255"

name= "%s%s"

Content-Disposition: attachment; filename="%s%s"

Support

No.reply

8.txtt:

8.htmt2

8.rtft*

8.doct"

8.bdxt

8.phpt

8.jspt

8.cgit

smtp

ws2_32.dll

ADVAPI32.DLL

RegOpenKeyExA

RegCloseKey

User32.dll

fs_snap.exe

arnsec.exe

ISABL~1.EXE

8.exe

8.scrtt

8.avitJ

8.doctB

8.mp3t:

8.mpgt2

8.xlst*

8.jpgt"

8.zipt

8.isot

8.pdft

8.pptt

8.rart

D:\fs_snap.exe

SFC.DLL

Pqjzbqa.jqrr

D:\qjzbqa.jqrr

ReadMe.exe

c:\%original file name%.exe

35d.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\yjrrzi.iiry.qab

WinExec

GetWindowsDirectoryA

FPTBAWDRF-INOCPANDANTIAMONN32SNOD3NPSSSMSSSCANZONEPROTMONIRWEBMIRCCKDOTROJSAFEJEDITRAYANDASPIDPLORNDLLTRENNSPLNSCHSYSTALERj

jajbjrq.cmd

.text

.rsrc

gu>%uM

~nt.ex

CrToMaPh

hPRIVMSG %s :

kernel32.dll

.%suld nb

KERNEL32.dll

2'3.3`3}3

0M1e1w1}1-2x2

jajbjrq.cmd_2044:

.text

.rsrc

\WindowsUpdt.exe

irc.undernet.org

__MSVCRT_HEAP_SELECT

user32.dll

WinExec

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

WS2_32.dll

InternetOpenUrlA

WININET.dll

GetCPInfo

url1.dat

PRIVMSG %s :Operations Stoped

PRIVMSG %s :Wasting %s

PRIVMSG %s :Udp Floding %s

-!udp_flood

PRIVMSG %s :%s Downloaded&executed

1.exe

-!download_exe

PRIVMSG %s :Login Success

-!login

PRIVMSG

%*s %s %*s %s %s %s

MODE %s nsk %s

JOIN %s %s

PONG %s

NICK %s

USER %s 8 * :%s

Software\Microsoft\Windows\CurrentVersion\Run

1483959787

D:\jajbjrq.cmd

kernel32.dll

.%suld nb

jajbjrq.cmd_2044_rwx_00401000_0000F000:

\WindowsUpdt.exe

irc.undernet.org

__MSVCRT_HEAP_SELECT

user32.dll

WinExec

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

ADVAPI32.dll

WS2_32.dll

InternetOpenUrlA

WININET.dll

GetCPInfo

url1.dat

PRIVMSG %s :Operations Stoped

PRIVMSG %s :Wasting %s

PRIVMSG %s :Udp Floding %s

-!udp_flood

PRIVMSG %s :%s Downloaded&executed

1.exe

-!download_exe

PRIVMSG %s :Login Success

-!login

PRIVMSG

%*s %s %*s %s %s %s

MODE %s nsk %s

JOIN %s %s

PONG %s

NICK %s

USER %s 8 * :%s

Software\Microsoft\Windows\CurrentVersion\Run

1483959787

D:\jajbjrq.cmd

kernel32.dll

.%suld nb

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps