Dropped.Generic.Malware.Sdld.C425D330_0e0d16fad0

by malwarelabrobot on November 9th, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, IRC-Worm, IRCBot, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 0e0d16fad0165ca0378566e8707fcebe
SHA1: f6784d4ccbb3c9483ca0e0d6c5c3fc988136c879
SHA256: 81f69dc1bdb6a242d2998c600b7cb2b35653327cdc9faafad97956972ea0cf7b
SSDeep: 24576:/gFkg R9SDI5xJyTzgLqZQg2v58fdCUO/A5d7okvyhZHfsQ T:IKgI9SGJGcLmE8f0UO/W7vyhZHfsD
Size: 1166208 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17 (this is the constant PE TimeDateStamp that older Borland Delphi linkers write into every binary, shown in the sandbox's local time zone; it says nothing about when the sample was actually built)
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware onto the user's system.

Payload

Behaviour Description
IRCBot: a bot that communicates with its command-and-control servers over an IRC channel.


Process activity

The Dropped creates the following process(es):

%original file name%.exe:1264

The Dropped injects its code into the following process(es):
No code injection into other processes was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1264 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Windows\win32dc\BattleField 1942 patch.exe (10715 bytes)
C:\Windows\win32dc\FlatOut_trainer.exe (7547 bytes)
C:\Windows\win32dc\BattleField 1942_codes.exe (12062 bytes)
C:\Windows\win32dc\BattleField 1942 hack.exe (13417 bytes)
C:\Windows\win32dc\BattleField 1942(crack).exe (7547 bytes)
C:\Windows\win32dc\UT2004 crack.exe (7547 bytes)
C:\Windows\win32dc\UT2004_cheat.exe (9209 bytes)
C:\Windows\win32dc\Counter-Strike(cdfix).exe (7879 bytes)
C:\Windows\win32dc\UT2004_fix.exe (9209 bytes)
C:\Windows\win32dc\Half-Life 2(cheat).exe (7879 bytes)

Registry activity

Dropped PE files

MD5                               File path
86cbcea4fd73fc77207c128a1af562d6  c:\Windows\win32dc\BattleField 1942 hack.exe
61da762fc70454e71f6b5726ae3fdf67  c:\Windows\win32dc\BattleField 1942 patch.exe
501d40e0bed20ac24d3ff5dcc658eccd  c:\Windows\win32dc\BattleField 1942_codes.exe
47ec4f1e3ef3a3988c06d858f2d2c320  c:\Windows\win32dc\Counter-Strike(cdfix).exe
f2bdc0b710374b70f2b50e897dae1832  c:\Windows\win32dc\Half-Life 2(cheat).exe
7536fc6cdbc101eb520a3102e9d90e1c  c:\Windows\win32dc\UT2004_cheat.exe
8466dfdd522d2d7cceb71f142e61da5b  c:\Windows\win32dc\UT2004_fix.exe

Only seven of the ten dropped files have a hash here; FlatOut_trainer.exe, BattleField 1942(crack).exe and UT2004 crack.exe (all 7547 bytes) have no entry, so match those three by name and path rather than by hash.
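A sweep of the drop directory using the indicators above, as an added example (editor's code, not part of the Lavasoft report). It hashes every file under a root, flags content that matches a hash from this report, and separately flags files that only carry one of the dropped names (covering the three files the report never hashed). The function names `sweep`, `md5_of_file` and `summarize` are the example's own:

```python
import hashlib
import os
from pathlib import Path

# Indicators taken from this report: the drop directory, the ten dropped file
# names, and the MD5s the sandbox recorded for seven of them.
DROP_DIR = r"C:\Windows\win32dc"
DROPPED_NAMES = {
    "BattleField 1942 patch.exe", "FlatOut_trainer.exe",
    "BattleField 1942_codes.exe", "BattleField 1942 hack.exe",
    "BattleField 1942(crack).exe", "UT2004 crack.exe", "UT2004_cheat.exe",
    "Counter-Strike(cdfix).exe", "UT2004_fix.exe", "Half-Life 2(cheat).exe",
}
DROPPED_MD5 = {
    "86cbcea4fd73fc77207c128a1af562d6", "61da762fc70454e71f6b5726ae3fdf67",
    "501d40e0bed20ac24d3ff5dcc658eccd", "47ec4f1e3ef3a3988c06d858f2d2c320",
    "f2bdc0b710374b70f2b50e897dae1832", "7536fc6cdbc101eb520a3102e9d90e1c",
    "8466dfdd522d2d7cceb71f142e61da5b",
}
# The dropper itself, as recorded in the report header.
DROPPER_MD5 = "0e0d16fad0165ca0378566e8707fcebe"


def md5_of_file(path, chunk=1 << 20):
    """Stream the file so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_md5=DROPPED_MD5 | {DROPPER_MD5}, known_names=DROPPED_NAMES):
    """Walk `root` and return one (path, md5, verdict) tuple per file.

    'known-bad-hash'  : content matches a hash from the report (highest confidence)
    'suspicious-name' : one of the dropped names, but content differs (a rebuild,
                        or one of the three 7547-byte files the report never hashed)
    'unknown'         : nothing matched
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # locked or vanished; report separately if needed
            if digest in known_md5:
                verdict = "known-bad-hash"
            elif name in known_names:
                verdict = "suspicious-name"
            else:
                verdict = "unknown"
            findings.append((str(path), digest, verdict))
    return findings


def summarize(findings):
    """Count verdicts so a fleet-wide run can be triaged at a glance."""
    counts = {"known-bad-hash": 0, "suspicious-name": 0, "unknown": 0}
    for _path, _digest, verdict in findings:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    # On the analyzed host the drop directory is fixed; point it at a mounted
    # image or another path when sweeping other systems.
    for path, digest, verdict in sweep(DROP_DIR):
        if verdict != "unknown":
            print(f"{verdict:16} {digest}  {path}")
```

A name-only hit is weaker evidence than a hash hit: the lure names are generic cracked-game titles, so treat 'suspicious-name' as a queue for manual review rather than an automatic quarantine.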

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

No propagation was recorded by the sandbox. The dropped file names (game cracks, cheats and trainers) together with the DCPlusPlus.xml / dcplusplus.xml strings recovered from the process dump are consistent with seeding a DC++ shared folder with lure files, but no peer-to-peer activity was observed in this run.

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
CODE       4096           40592         40960    4.37354   4599c8e48266467f9472d9c0076da0aa
DATA      45056             416           512    2.59038   6723f313105be59e8f34015bac1ef0c6
BSS       49152            4493             0    0         d41d8cd98f00b204e9800998ecf8427e
.idata    57344            2332          2560    2.95832   1f3c6fef94d61a4d2beebca25d327785
.tls      61440               8             0    0         d41d8cd98f00b204e9800998ecf8427e
.rdata    65536              24           512    0.129329  bf98d008e3e41c32258f4ddad0423dfc
.reloc    69632            2396          2560    4.48773   c247e5d4f27055db8d87da84767714bb
.rsrc     73728            1536          1536    2.62048   b115dc78febf3048a6accb9f8efeb1de

The CODE/DATA/BSS section names are the layout produced by Borland Delphi's linker, which also explains the fixed 1992 timestamp above. BSS and .tls have no raw data, so their entropy is 0 and their MD5 is that of the empty input. The raw sizes sum to 48,640 bytes, yet the file is 1,166,208 bytes: well over 1 MB sits in the overlay after the last section, which is the first place to look for the embedded payloads and the likely reason the file-level verdict reads "Packed" while CODE itself shows the low entropy (4.37) of ordinary unpacked code.
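A section-table parser that reproduces the columns of this table (virtual address, sizes, per-section entropy and MD5 of the raw bytes), reports the overlay size, and checks the TimeDateStamp against the Delphi linker constant. This is an added example by the editor, not code from the page or from Lavasoft; it uses only the standard library and no `pefile`. The `build_sample_pe` helper constructs a minimal PE in memory so the parser can be exercised without the sample, and the constant `DELPHI_LINKER_TIMESTAMP` (0x2A425E19, 1992-06-19 22:22:17 UTC) is a fact about Delphi, not something the report states:

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# TimeDateStamp that older Borland Delphi linkers write into every PE they
# produce (1992-06-19 22:22:17 UTC). The report shows the same instant in UTC+3.
DELPHI_LINKER_TIMESTAMP = 0x2A425E19


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Read the COFF header and section table; hash and measure each section's raw bytes."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, stamp, _symtab, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    data_end = table + 40 * nsections  # everything past the last raw section is overlay
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        data_end = max(data_end, raw_ptr + raw_size)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 5),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {
        "timestamp": stamp,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "delphi_fixed_timestamp": stamp == DELPHI_LINKER_TIMESTAMP,
        "overlay_size": len(blob) - data_end,
        "sections": sections,
    }


def build_sample_pe(stamp: int, sections, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE (DOS stub, COFF header, zeroed optional header,
    section table, raw data, optional overlay) for exercising parse_pe offline."""
    opt_size = 224
    headers_end = 64 + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, opt_size, 0x102)
    table, raw_blobs, raw_ptr, vaddr = b"", b"", headers_end, 0x1000
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_blobs += raw
        raw_ptr += len(raw)
        vaddr += 0x1000
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + raw_blobs + overlay


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(
        DELPHI_LINKER_TIMESTAMP, [(b"CODE", bytes(range(256)) * 4), (b"BSS", b"")], b"\x90" * 300)
    info = parse_pe(blob)
    flag = "  <- Delphi linker constant" if info["delphi_fixed_timestamp"] else ""
    print(f"TimeDateStamp {info['timestamp']:#x} ({info['timestamp_utc']}){flag}")
    print(f"overlay: {info['overlay_size']} bytes")
    for s in info["sections"]:
        print(f"{s['name']:8}{s['vaddr']:8}{s['vsize']:8}{s['raw_size']:8}{s['entropy']:10.5f}  {s['md5']}")
```

Run it against the sample (`python parse_sections.py sample.exe`) and compare with the table above; a matching section MD5 column confirms you have the same build, and a large overlay value tells you where to carve for the dropped executables.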

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 876 (the first 26 are listed below)
ef2d2eb0996329df1775d6f51f5b214a
c82648bf52942ee83e639e5019c417e2
c050cd1b809541253ff88ee562eaa9f8
bfa30611ed105bbbaa4fcfda3554507c
bc4f499e10f6550c18eb2735e724e135
b653fa5261b9e7c496d436078e5a54e0
b64d60a1ef01cfe7f7954a2f84d923d3
9dc8f82010d6947f9eb4ca2ef89448c2
9d44bba5914e846bb87f0a768adebcb3
9d90741ff90c9a8c5503909f8f65edca
ad4cd03b5eaeff7c70e29a564f7fba2a
a567fd1311445aefe3897b924bde36cf
a1a2076501ac91abde0ceef2574d8f7e
9b2737ede92e073aa7c93aae769a2dcd
958f0a7ee5d4012536f27b118216e67e
90d2d6104645a20c41cc5565a5469bea
8ae0dbf986d8a093b90cf6e0d9dd064e
8765e4dc9a0f039a5c287ba7b2070b04
80410d3e36eba7f4c898207b506eebe9
7e79c96343b3a37db0259a0a695c593d
7a043ced5f1ebd82c9919e26de946050
76f5b19382d5976bbaa310187a1238d9
765e820804b540f6c9ea15a6ef732d42
73ff99b2642a544f24f271544617677f
6bbdeaae367fd0b7abe1713dbb9d6539
67f36fe2d9778626716570cfc3ac68bc

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Dropped connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_1264:

.idata
.rdata
P.reloc
P.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:File Executed
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
irc.lcirc.net
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
mpr.dll
wsock32.dll
shell32.dll
ShellExecuteA
wininet.dll
URLMON.DLL
URLDownloadToFileA
KWindows
&pWebServer
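The dump above reads like the output of `strings`: IRC verbs (PRIVMSG, JOIN, NICK, rndnick), one IRC host (irc.lcirc.net), DC++ share file names, a Startup-folder path and the URLDownloadToFileA / ShellExecuteA imports. The following added example (editor's code, not from the page or from Lavasoft) extracts printable runs from a binary blob the way `strings` does and groups them against indicator sets built from this report. The grouping and the `verdict` thresholds are the editor's, and `SAMPLE_DUMP` is a constructed buffer embedding a few of the report's strings between junk bytes:

```python
import re

# Indicator groups built from the strings this report recovered from the
# process dump; the grouping is the editor's, not the sandbox's.
INDICATORS = {
    "irc_protocol": {"PRIVMSG", "JOIN", "NICK", "rndnick", "login", ":File Executed"},
    "irc_server": {"irc.lcirc.net"},
    "p2p_share_lure": {"DCPlusPlus.xml", "dcplusplus.xml",
                       "%rnddir%\\%rand%.exe", "%rnddir%\\%rand%.com"},
    "persistence": {"\\WINDOWS\\Start Menu\\Programs\\Startup\\", "system.ini"},
    "downloader_api": {"URLDownloadToFileA", "ShellExecuteA", "wininet.dll", "URLMON.DLL"},
    "netbios_spread": {"netbios_invalidpass", "netapi32.dll", "mpr.dll"},
}


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least `min_len` bytes, in file order (what `strings` prints)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def classify(strings, indicators=INDICATORS):
    """Return {group: sorted matched strings} for every group with at least one hit."""
    present = set(strings)
    hits = {}
    for group, needles in indicators.items():
        matched = sorted(present & needles)
        if matched:
            hits[group] = matched
    return hits


def verdict(hits):
    """IRC C2 verbs plus a server name is enough to call it an IRC bot; the other
    groups describe capability (spreading, downloading, persistence), not C2."""
    if "irc_protocol" in hits and "irc_server" in hits:
        label = "ircbot"
    elif "irc_protocol" in hits:
        label = "irc-capable"
    else:
        label = "no-irc-indicators"
    capabilities = sorted(g for g in hits if g not in ("irc_protocol", "irc_server"))
    return label, capabilities


# Constructed dump: a handful of the report's strings separated by junk bytes.
# "ab" is deliberately too short to be extracted at the default min_len.
SAMPLE_DUMP = (b"\x00\x01MZ\x90" + b"PRIVMSG\x00" + b"\xff\xfeJOIN\x00" + b"NICK\x00"
               + b"\x7f\x80irc.lcirc.net\x00" + b"DCPlusPlus.xml\x00\x00"
               + b"URLDownloadToFileA\x00"
               + b"\\WINDOWS\\Start Menu\\Programs\\Startup\\\x00" + b"ab\x00")

if __name__ == "__main__":
    hits = classify(extract_strings(SAMPLE_DUMP))
    label, caps = verdict(hits)
    print(label, caps)
    for group, matched in hits.items():
        print(f"  {group:16} {matched}")
```

Bare IRC verbs also occur in legitimate IRC clients, which is why the `ircbot` label requires a hard-coded server as well; run the same classifier over a memory dump of the process rather than the packed file on disk, since the strings section above came from the running process.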


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1264

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    C:\Windows\win32dc\BattleField 1942 patch.exe (10715 bytes)
    C:\Windows\win32dc\FlatOut_trainer.exe (7547 bytes)
    C:\Windows\win32dc\BattleField 1942_codes.exe (12062 bytes)
    C:\Windows\win32dc\BattleField 1942 hack.exe (13417 bytes)
    C:\Windows\win32dc\BattleField 1942(crack).exe (7547 bytes)
    C:\Windows\win32dc\UT2004 crack.exe (7547 bytes)
    C:\Windows\win32dc\UT2004_cheat.exe (9209 bytes)
    C:\Windows\win32dc\Counter-Strike(cdfix).exe (7879 bytes)
    C:\Windows\win32dc\UT2004_fix.exe (9209 bytes)
    C:\Windows\win32dc\Half-Life 2(cheat).exe (7879 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

