Dropped.Generic.Malware.Sdld.C425D330_19463d31b4
Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, IRC-Worm, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 19463d31b440a2244dd63e55f022db4d
SHA1: 46f9a803b55758bd440c4a3378dbd2e6727af92f
SHA256: 2623000ae0e437eb51a3793995070be2ec26570717054ae83957a3674ec21b49
SSDeep: 24576:/gFkg R9SDI5xJyyUACeB3gJxL9CC/XV/1dUQuZuWc/U1mJvCipERWM3m:IKgI9SGJpU8BQPL9CeVMLZuB/PCtRWMW
Size: 1177842 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Dropper. A Trojan program intended for the stealth installation of other malware into the user's system.
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Dropped creates the following process(es):
%original file name%.exe:2748
The Dropped injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2748 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Windows\win32dc\UT2004 codes.exe (9324 bytes)
C:\Windows\win32dc\UT2004_nocd.exe (7547 bytes)
C:\Windows\win32dc\UT2004_hack.exe (7547 bytes)
C:\Windows\win32dc\UT2004 cdfix.exe (7547 bytes)
C:\Windows\win32dc\Quake3 patch.exe (12374 bytes)
C:\Windows\win32dc\FlatOut codes.exe (13822 bytes)
C:\Windows\win32dc\Doom 3 fix.exe (7547 bytes)
C:\Windows\win32dc\Counter-Strike_serial.exe (7901 bytes)
C:\Windows\win32dc\Doom 3 cdfix.exe (7547 bytes)
C:\Windows\win32dc\BattleField 1942 trainer.exe (7547 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| 8c52358bfcd30034d89d38a30dd5265c | c:\Windows\win32dc\Counter-Strike_serial.exe |
| 21c1869fffb2f9d151be4d7165d8e19d | c:\Windows\win32dc\FlatOut codes.exe |
| d8515faaefd315dd3c26640020395033 | c:\Windows\win32dc\Quake3 patch.exe |
| 7fba671f2e207fd28e40b4aa750d6dad | c:\Windows\win32dc\UT2004 codes.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 40592 | 40960 | 4.37354 | 4599c8e48266467f9472d9c0076da0aa |
| DATA | 45056 | 416 | 512 | 2.59038 | 6723f313105be59e8f34015bac1ef0c6 |
| BSS | 49152 | 4493 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 57344 | 2332 | 2560 | 2.95832 | 1f3c6fef94d61a4d2beebca25d327785 |
| .tls | 61440 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 65536 | 24 | 512 | 0.129329 | bf98d008e3e41c32258f4ddad0423dfc |
| .reloc | 69632 | 2396 | 2560 | 4.48773 | c247e5d4f27055db8d87da84767714bb |
| .rsrc | 73728 | 1536 | 1536 | 2.62048 | b115dc78febf3048a6accb9f8efeb1de |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2158
ef2d2eb0996329df1775d6f51f5b214a
fe5effff156ab62ca963488c6b45f910
ff905598c62bef010586bc69a75304ce
fe054287566194de1b0f1221826f7929
fd9ce1ecbf172d679ed863a6f17512df
fd1ad212cbee93591274251a3a856f8e
fc2dacfad86d623c79b312cf89aeb09f
fc2a040f0a41ea1cbc3c0018fd7b61cf
fa97b2f6651c7e7aed45ac9cbf639521
fa7e0cf7a6c7b7c1fe73331da267f9e2
f6e5cb71d2029dbe4a9d0d47a7a93129
f9d75297710cc6d397afc19f9895e53d
f98230005a0768555a95cbe06c3fd441
f8e1a0edd5c4261de6d65ca31bf6ae8d
f8c7ee3be4eee79c0f4519d5cb028492
f86d2014c349bd8b68cc0fab74612d2e
f7ee13e579c0ed4c5f058cfd0c7f5d36
f7b5319ab86561dd9cc211faac94f2c3
f2909e540ba2073c72a83beddef961d4
f0113ab5b220f2fcea57a9b353b195a1
f1866c35153dd9086a0515c7a9b007e1
f0f8aa800bf06a5f16ad5a5804958571
f67673ded5bab89f0a9b1f058fe73627
f66fa8319b3d1aea26c6e2eb5e2811b2
f645f395aa206f427b85df5f2f3c82a8
f578934f5791b6f3fcdd49d4f97dab07
URLs
| URL | IP |
|---|---|
| irc.lcirc.net | |
| dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Dropped connects to the servers at the following location(s):
.idata
.rdata
P.reloc
P.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:File Executed
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
irc.lcirc.net
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
mpr.dll
wsock32.dll
shell32.dll
ShellExecuteA
wininet.dll
URLMON.DLL
URLDownloadToFileA
KWindows
&pWebServer
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2748
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
C:\Windows\win32dc\UT2004 codes.exe (9324 bytes)
C:\Windows\win32dc\UT2004_nocd.exe (7547 bytes)
C:\Windows\win32dc\UT2004_hack.exe (7547 bytes)
C:\Windows\win32dc\UT2004 cdfix.exe (7547 bytes)
C:\Windows\win32dc\Quake3 patch.exe (12374 bytes)
C:\Windows\win32dc\FlatOut codes.exe (13822 bytes)
C:\Windows\win32dc\Doom 3 fix.exe (7547 bytes)
C:\Windows\win32dc\Counter-Strike_serial.exe (7901 bytes)
C:\Windows\win32dc\Doom 3 cdfix.exe (7547 bytes)
C:\Windows\win32dc\BattleField 1942 trainer.exe (7547 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.