Dropped.Generic.Malware.Sdld.C425D330_c96ecac13a
Trojan-Dropper.Win32.Sysn.cdcv (Kaspersky), Dropped:Generic.Malware.Sdld.C425D330 (B) (Emsisoft), Dropped:Generic.Malware.Sdld.C425D330 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, IRC-Worm, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
| Requires JavaScript enabled! |
|---|
MD5: c96ecac13a6728b32e7fb84cf647fb7f
SHA1: 7b0d976b58e792d11eea74a7a8677779d2b278eb
SHA256: 91508c1f62bed51a01f2e5ea9ee462fe8aa779f02aa48bb39bb559b4b2b8ecea
SSDeep: 24576:/gFkg R9SDI5xJyyUACeB3gJxL9CC/XV/1VMvoDg3amvs8yZbqgW juec :IKgI9SGJpU8BQPL9CeVSoDgqmPyZbqgH
Size: 1300391 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Dropped creates the following process(es):
%original file name%.exe:1796
The Dropped injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1796 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
C:\Windows\win32dc\BattleField 1942(nocd).exe (8571 bytes)
C:\Windows\win32dc\Half-Life 2_codes.exe (34646 bytes)
C:\Windows\win32dc\Sims 2(serial).exe (7971 bytes)
C:\Windows\win32dc\Quake3_fix.exe (16109 bytes)
C:\Windows\win32dc\Half-Life 2 serial.exe (7971 bytes)
C:\Windows\win32dc\Sims 2_crack.exe (7971 bytes)
C:\Windows\win32dc\Counter-Strike codes.exe (7971 bytes)
C:\Windows\win32dc\Quake3 cheat.exe (18537 bytes)
C:\Windows\win32dc\DAoC fix.exe (18537 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| 5058c538da58e76fc5d8b21b0f521a88 | c:\Windows\win32dc\BattleField 1942(nocd).exe |
| e57820706fd12c70a82330ba8282bca0 | c:\Windows\win32dc\DAoC fix.exe |
| 52a42a40f8af9b81dadb6b390952a789 | c:\Windows\win32dc\Half-Life 2_codes.exe |
| 399ba5cb5b590c68ea3a778b9d0b429a | c:\Windows\win32dc\Quake3 cheat.exe |
| bd75cb9b57c637eaa02e54a0ad76c552 | c:\Windows\win32dc\Quake3_fix.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 40592 | 40960 | 4.37354 | 4599c8e48266467f9472d9c0076da0aa |
| DATA | 45056 | 416 | 512 | 2.59038 | 6723f313105be59e8f34015bac1ef0c6 |
| BSS | 49152 | 4493 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 57344 | 2332 | 2560 | 2.95832 | 1f3c6fef94d61a4d2beebca25d327785 |
| .tls | 61440 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 65536 | 24 | 512 | 0.129329 | bf98d008e3e41c32258f4ddad0423dfc |
| .reloc | 69632 | 2396 | 2560 | 4.48773 | c247e5d4f27055db8d87da84767714bb |
| .rsrc | 73728 | 1536 | 1536 | 2.62048 | b115dc78febf3048a6accb9f8efeb1de |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2202
ef2d2eb0996329df1775d6f51f5b214a
0247ffacc242c9c894fbf4602d1119db
fc10bf789350f92a2f5096af493be71c
f07659644a1b94f44e5be40693fabb81
ec93b9532a23173ff8957cdcaea0e1ea
e3168e47048a685e966daf117d3e96bd
e1a24e76236bcb7700c9522a49418ecc
ca2083ba2967d3c6e5f09c4da25ed6ba
7af6cb79e4bbe96b65f7d9c826d14339
4cdaf8a89099a35e0404b4e77a15fc3c
204ca1d18e1203518972221742ac65f9
0e61c160a9616336d6af5dbea2e946d3
09447791ef9b704401683afb98e19154
081f26ed6e1bdd222664dc7c00b356c0
da8ede551b5e2b1786a88dd5ea783b96
fa718cee99caa7ded0db41592ebf7a67
e922a769fe7ad0e19e42c65b311ea6b3
ceb082fe53d615709efd38debee15f3a
c51bbf5ad597f0fc6b5772bfef556e76
8dbf9c23a207bf486a0d0892681728a6
8c186dcb8593e1c4dc469b2c2f2b4b74
896f1994684a01c251361617a5dd6cbe
76e344ea280f0036d4b180a5f1d7eef8
e20f21fadc5cfc7baba72a248b47a462
b68d59ebc3cb5470808294307d8c906e
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Dropped connects to the servers at the folowing location(s):
.idata
.rdata
P.reloc
P.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:File Executed
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
irc.lcirc.net
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
mpr.dll
wsock32.dll
shell32.dll
ShellExecuteA
wininet.dll
URLMON.DLL
URLDownloadToFileA
KWindows
&pWebServer
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1796
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
C:\Windows\win32dc\BattleField 1942(nocd).exe (8571 bytes)
C:\Windows\win32dc\Half-Life 2_codes.exe (34646 bytes)
C:\Windows\win32dc\Sims 2(serial).exe (7971 bytes)
C:\Windows\win32dc\Quake3_fix.exe (16109 bytes)
C:\Windows\win32dc\Half-Life 2 serial.exe (7971 bytes)
C:\Windows\win32dc\Sims 2_crack.exe (7971 bytes)
C:\Windows\win32dc\Counter-Strike codes.exe (7971 bytes)
C:\Windows\win32dc\Quake3 cheat.exe (18537 bytes)
C:\Windows\win32dc\DAoC fix.exe (18537 bytes)
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
