Dropped.Generic.Malware.Sdld.C425D330_4b7def6cf0

by malwarelabrobot on November 15th, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, IRC-Worm, IRCBot, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 4b7def6cf0a77c9d7f21227e588fd5d4
SHA1: 339216824034caa13ae4d88c3d29f1380dc5ac15
SHA256: 1fc6eace21744b56c34f43be44681a471a96830ce3a824414b15d2cf4a5bfe8a
SSDeep: 24576:/gFkg R9SDI5xJyyUACeB3gJxL9CC/XV/1VMvoDg3amvsI Wz7UKpz7PJXqzs:IKgI9SGJpU8BQPL9CeVSoDgqmR WzRLt
Size: 1426946 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Bandoo Media Inc.
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Payload

Behaviour Description
IRCBot A bot can communicate with command and control servers via IRC channel.


Process activity

The Dropped creates the following process(es):

%original file name%.exe:1964

The Dropped injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1964 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\Windows\win32dc\Quake3(cdfix).exe (8657 bytes)
C:\Windows\win32dc\FlatOut nocd.exe (23652 bytes)
C:\Windows\win32dc\Silent Hill 4 fix.exe (8657 bytes)
C:\Windows\win32dc\UT2004(crack).exe (16349 bytes)
C:\Windows\win32dc\Doom 3(cheat).exe (16349 bytes)
C:\Windows\win32dc\FlatOut codes.exe (20211 bytes)
C:\Windows\win32dc\Doom 3 trainer.exe (16349 bytes)
C:\Windows\win32dc\Counter-Strike patch.exe (8657 bytes)
C:\Windows\win32dc\Half-Life 2 trainer.exe (8657 bytes)
C:\Windows\win32dc\Silent Hill 4 crack.exe (9509 bytes)

Registry activity

Dropped PE files

MD5 File path
d6ad7dc5d7114a44f1eb01a6f7d87ea9 c:\Windows\win32dc\Doom 3 trainer.exe
29c1d40535f37db5e31bda4078345001 c:\Windows\win32dc\Doom 3(cheat).exe
087bc2084b950d9c2222a81e94bde716 c:\Windows\win32dc\FlatOut codes.exe
652edd7f3e7b98edde9b1d0d532abd98 c:\Windows\win32dc\FlatOut nocd.exe
8a59570675cf044a67d6a02fbcb422f6 c:\Windows\win32dc\Silent Hill 4 crack.exe
a30681e846579ac6bc2e96dc9422c4ea c:\Windows\win32dc\UT2004(crack).exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 40592 40960 4.37354 4599c8e48266467f9472d9c0076da0aa
DATA 45056 416 512 2.59038 6723f313105be59e8f34015bac1ef0c6
BSS 49152 4493 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 57344 2332 2560 2.95832 1f3c6fef94d61a4d2beebca25d327785
.tls 61440 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 65536 24 512 0.129329 bf98d008e3e41c32258f4ddad0423dfc
.reloc 69632 2396 2560 4.48773 c247e5d4f27055db8d87da84767714bb
.rsrc 73728 1536 1536 2.62048 b115dc78febf3048a6accb9f8efeb1de

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1310
ef2d2eb0996329df1775d6f51f5b214a
9190f365b74a3aad5899e7cd64777955
8fc2c72e75293fb05da6a7621bbcb61e
88faf4c963a7ecdbd027e438035e7b7a
8439e7b0ee965ff14a181d730e978313
824e12bf73182f1e182778ae693f63c6
82b2087e0f5abc8e43300f8c6d7f905d
81d04280066d36345a88fe452f16800e
7edc03e629c9b45b51d14a33a3105099
7dce1160314464146b59236c2ab36e85
7a87b757dc75ccf58d156f31129b0c74
7804ebe22cfc3908060a22dc27eace9c
78e1af81752aa2027c81dace04fb7527
75c8e8520a63581c7d723be4ce5f6836
72d6b66b7014eb0a9d3a02836b191183
7200ab2d0786da6f30a7182d22ed54e5
6f9dc96aaf2be1de4e75532fd97cf480
69d47abc9332ae7635c77b5053a55f11
69c1412d222f14555dc1fe7fcf07f7ed
68f0cdd734f96e63d2308fd805ae0e6d
6402e5224c5f93a3c81cd9be4670ddb8
62cb8a80636078c164510f1911e5422e
617c07922f7ca78ffdb6edbc4244cb0b
5df56471381b1e600da2904c8ae5281e
5953dd60b70c2353bdeeb682edd13513
556def153405c3349fe982baa82bc654

URLs

URL IP
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Dropped connects to the servers at the folowing location(s):

%original file name%.exe_1964:

.idata
.rdata
P.reloc
P.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:File Executed
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
irc.lcirc.net
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
mpr.dll
wsock32.dll
shell32.dll
ShellExecuteA
wininet.dll
URLMON.DLL
URLDownloadToFileA
KWindows
&pWebServer


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1964

  2. Delete the original Dropped file.
  3. Delete or disinfect the following files created/modified by the Dropped:

    C:\Windows\win32dc\Quake3(cdfix).exe (8657 bytes)
    C:\Windows\win32dc\FlatOut nocd.exe (23652 bytes)
    C:\Windows\win32dc\Silent Hill 4 fix.exe (8657 bytes)
    C:\Windows\win32dc\UT2004(crack).exe (16349 bytes)
    C:\Windows\win32dc\Doom 3(cheat).exe (16349 bytes)
    C:\Windows\win32dc\FlatOut codes.exe (20211 bytes)
    C:\Windows\win32dc\Doom 3 trainer.exe (16349 bytes)
    C:\Windows\win32dc\Counter-Strike patch.exe (8657 bytes)
    C:\Windows\win32dc\Half-Life 2 trainer.exe (8657 bytes)
    C:\Windows\win32dc\Silent Hill 4 crack.exe (9509 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now