Susp_Dropper (Kaspersky), MemScan:Backdoor.Agent.ZQA (B) (Emsisoft), MemScan:Backdoor.Agent.ZQA (AdAware), Virus.Win32.Duel.FD, GenericEmailWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Backdoor, Worm, EmailWorm, Virus, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 457c1601c56514f7444d25190ab97b7a
SHA1: 1a76c597cb0fabd5e2df879d1c45c80fe2ace993
SHA256: 05fcc21f69109a0d406cffbb8500f4df8af0bff08c814bed7e6d248d66af7bee
SSDeep: 768:mJTn5C0uTWTZ4QKLPyjZXAeldtvZAQWIa0bMfE3IFOD:kTno0uTWCPDyjiwjZZ5doM3Ii
Size: 60929 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2036-10-27 02:43:20
Analyzed on: WindowsXP SP3 32-bit
Summary: Virus. A program that recursively replicates a possibly evolved copy of itself.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Virus creates the following process(es):
dwwin.exe:1276
%original file name%.exe:1176
The Virus injects its code into the following process(es):
jajbjrq.cmd:2044
File activity
The process dwwin.exe:1276 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\D082E.dmp (71707 bytes)
The process jajbjrq.cmd:2044 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%System%\WindowsUpdt.exe (19 bytes)
The process %original file name%.exe:1176 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\yjrrzi.iiry.qab (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5a1_appcompat.txt (6214 bytes)
%WinDir%\xwrm.exe (60 bytes)
Registry activity
The process dwwin.exe:1276 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 15 AE D9 49 2B AE C0 01 EB 5C 22 6F CF DB D0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process jajbjrq.cmd:2044 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D EA 14 F2 7F F0 69 AC 1F AC 7E 77 3C C1 9F 4D"
To run automatically each time Windows boots, the Virus adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WihdowsUpdate" = "%System%\WindowsUpdt.exe"
The process %original file name%.exe:1176 makes changes in the system registry.
To run automatically each time Windows boots, the Virus adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"
The Virus deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Virus deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
Dropped PE files
MD5 | File path |
---|---|
d727e39cf368348bc7c9dfff9d0b24bd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\yjrrzi.iiry.qab |
aae37ad72f817dea8845ff32d16a8ba0 | c:\WINDOWS\system32\WindowsUpdt.exe |
d727e39cf368348bc7c9dfff9d0b24bd | c:\WINDOWS\xwrm.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:1276
%original file name%.exe:1176
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%Documents and Settings%\%current user%\Local Settings\Temp\D082E.dmp (71707 bytes)
%System%\WindowsUpdt.exe (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yjrrzi.iiry.qab (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5a1_appcompat.txt (6214 bytes)
%WinDir%\xwrm.exe (60 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WihdowsUpdate" = "%System%\WindowsUpdt.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
ibyqyajq | 4096 | 4096 | 1536 | 0.661358 | 3dba67c490ff0b1be143f6e28086124e |
iaqjjrrz | 8192 | 57344 | 55296 | 4.94106 | 16273c37f6628e83a549661044b8798a |
qyjaaari | 65536 | 4096 | 512 | 0.468013 | dd766bd3556eda6b66f2d7b6ec1b0e21 |
zarrrzii | 69632 | 4096 | 2048 | 4.10575 | 677f0a894d5ff2f6c088f025736ee3d8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
Strings from Dumps
%original file name%.exe_1176:
\xwrm.exe
%WinDir%\xwrm.exe
Software\Microsoft\Windows\CurrentVersion\Run
USER %s 8 * :%s
NICK %s
PONG %s
JOIN #england
PRIVMSG #england :.-:[X-Worm]:-.
irc.undernet.org
MAIL FROM:<%s>
RCPT TO:<%s>
--%s--
From:<%s>
To: %s
Subject:%s
boundary="%s"
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
charset="windows-1255"
name= "%s%s"
Content-Disposition: attachment; filename="%s%s"
Support
No.reply
8.txtt:
8.htmt2
8.rtft*
8.doct"
8.bdxt
8.phpt
8.jspt
8.cgit
smtp
ws2_32.dll
ADVAPI32.DLL
RegOpenKeyExA
RegCloseKey
User32.dll
fs_snap.exe
arnsec.exe
ISABL~1.EXE
8.exe
8.scrtt
8.avitJ
8.doctB
8.mp3t:
8.mpgt2
8.xlst*
8.jpgt"
8.zipt
8.isot
8.pdft
8.pptt
8.rart
D:\fs_snap.exe
SFC.DLL
Pqjzbqa.jqrr
D:\qjzbqa.jqrr
ReadMe.exe
c:\%original file name%.exe
35d.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\yjrrzi.iiry.qab
WinExec
GetWindowsDirectoryA
FPTBAWDRF-INOCPANDANTIAMONN32SNOD3NPSSSMSSSCANZONEPROTMONIRWEBMIRCCKDOTROJSAFEJEDITRAYANDASPIDPLORNDLLTRENNSPLNSCHSYSTALERj
jajbjrq.cmd
.text
.rsrc
gu>%uM
~nt.ex
CrToMaPh
hPRIVMSG %s :
kernel32.dll
.%suld nb
KERNEL32.dll
2'3.3`3}3
0M1e1w1}1-2x2
jajbjrq.cmd_2044:
.text
.rsrc
\WindowsUpdt.exe
irc.undernet.org
__MSVCRT_HEAP_SELECT
user32.dll
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
InternetOpenUrlA
WININET.dll
GetCPInfo
url1.dat
PRIVMSG %s :Operations Stoped
PRIVMSG %s :Wasting %s
PRIVMSG %s :Udp Floding %s
-!udp_flood
PRIVMSG %s :%s Downloaded&executed
1.exe
-!download_exe
PRIVMSG %s :Login Success
-!login
PRIVMSG
%*s %s %*s %s %s %s
MODE %s nsk %s
JOIN %s %s
PONG %s
NICK %s
USER %s 8 * :%s
Software\Microsoft\Windows\CurrentVersion\Run
1483959787
D:\jajbjrq.cmd
kernel32.dll
.%suld nb
jajbjrq.cmd_2044_rwx_00401000_0000F000:
Same strings as listed for jajbjrq.cmd_2044 above.