GenPack.Generic.Malware.Sdld.1518CA4F_c77c898114

by malwarelabrobot on January 26th, 2017 in Malware Descriptions.

HEUR:Packed.Win32.Upantix.gen (Kaspersky), GenPack:Generic.Malware.Sdld.1518CA4F (B) (Emsisoft), GenPack:Generic.Malware.Sdld.1518CA4F (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Worm, IRC-Worm, Packed, IRCBot, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: c77c898114c383dfa51013e011a953f5
SHA1: 31a222f4187246972458ae59c4dd59bcdd55b4a6
SHA256: b494047d8dc235a8cb4aa7ab30cff6ba2b38fe24396faa477c317e9986ef0d86
SSDeep: 3072:m22222C8vvv3XXXtRutxwwwIo3hh1DQAAlrw1ac/2doA8wbzj:m22222CyXXXy9odDQnJIU/8g
Size: 135052 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Worm. A program that primarily replicates across networks or removable drives.

Payload

Behaviour Description
IRCBot: a bot that communicates with command and control servers via an IRC channel.


Process activity

The GenPack creates the following process(es):
No processes have been created.
The GenPack injects its code into the following process(es):

%original file name%.exe:1792

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1792 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):

C:\Windows\win32dc\Half-Life 2_cdfix.exe (14311 bytes)
C:\Windows\win32dc\Half-Life 2 cheat.exe (10879 bytes)
C:\Windows\win32dc\FlatOut codes.exe (2533 bytes)
C:\Windows\win32dc\Half-Life 2(fix).exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4_nocd.exe (6639 bytes)
C:\Windows\win32dc\UT2004 fix.exe (6639 bytes)
C:\Windows\win32dc\Sims 2_codes.exe (6639 bytes)
C:\Windows\win32dc\Sims 2 hack.exe (14311 bytes)
C:\Windows\win32dc\Doom 3(fix).exe (673 bytes)
C:\Windows\win32dc\DAoC_hack.exe (14311 bytes)

Registry activity

Dropped PE files

MD5 File path
14adccde406dc5dcc07b1e3d0453ab94 c:\Windows\win32dc\DAoC_hack.exe
bd97851c140c0fad6eb948c2bbc560ba c:\Windows\win32dc\FlatOut codes.exe
bb1fbf5b9e25da5bd217a6f147adffd4 c:\Windows\win32dc\Half-Life 2 cheat.exe
82bd97959466f2b7cb6fa1bf354d6242 c:\Windows\win32dc\Half-Life 2_cdfix.exe
42c1796183e048c8ea91eb07cf5aea90 c:\Windows\win32dc\Silent Hill 4_nocd.exe
1504f1953f5e68b731e29eb3044d1b47 c:\Windows\win32dc\Sims 2 hack.exe
a6a6026a5f5b0ffce5d869a72b73b746 c:\Windows\win32dc\Sims 2_codes.exe
51be7173ae71676016da910942c8f32d c:\Windows\win32dc\UT2004 fix.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 57344 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 61440 77824 76288 5.5233 8ae8eef372fda48ddcdd1ecf9efd86dc
.rsrc 139264 4096 2048 2.63797 b5916a1f63e299e8c8a487a2ccfe581b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 21

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CHAT IRC PONG response
ET CHAT IRC NICK command
ET CHAT IRC PING command

Traffic

Web Traffic was not found.

The GenPack connects to the servers at the following location(s):

%original file name%.exe_1792:

`.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
KERNEL32.DLL
advapi32.dll
mpr.dll
oleaut32.dll
shell32.dll
URLMON.DLL
user32.dll
wininet.dll
wsock32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original GenPack file.
  3. Delete or disinfect the following files created/modified by the GenPack:

    C:\Windows\win32dc\Half-Life 2_cdfix.exe (14311 bytes)
    C:\Windows\win32dc\Half-Life 2 cheat.exe (10879 bytes)
    C:\Windows\win32dc\FlatOut codes.exe (2533 bytes)
    C:\Windows\win32dc\Half-Life 2(fix).exe (673 bytes)
    C:\Windows\win32dc\Silent Hill 4_nocd.exe (6639 bytes)
    C:\Windows\win32dc\UT2004 fix.exe (6639 bytes)
    C:\Windows\win32dc\Sims 2_codes.exe (6639 bytes)
    C:\Windows\win32dc\Sims 2 hack.exe (14311 bytes)
    C:\Windows\win32dc\Doom 3(fix).exe (673 bytes)
    C:\Windows\win32dc\DAoC_hack.exe (14311 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
