GenPack.Generic.Malware.Sdld.83779D7D_f4419bf6a4

by malwarelabrobot on January 28th, 2017 in Malware Descriptions.

HEUR:Packed.Win32.Upantix.gen (Kaspersky), GenPack:Generic.Malware.Sdld.83779D7D (B) (Emsisoft), GenPack:Generic.Malware.Sdld.83779D7D (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Worm, IRC-Worm, Packed, IRCBot, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: f4419bf6a47ea366f0ec71412b96e3a9
SHA1: ccccbeacf07560451ffd0ca34d632f41ea11b744
SHA256: 9bff99487a1e59683c1254cd15408d49a1b0fe08c983f51805fee8e1448046a1
SSDeep: 3072:rCHHHHCsEScXXXXapppppppppp6PPPPPX44444444/cccccccccB5tzllllzMAAB:GHHHH6XXXXzPPPPP 5tzllllzMnJIU/D
Size: 135052 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Worm. A program that primarily replicates across networks or removable drives.

Payload

Behaviour Description
IRCBot A bot that communicates with command-and-control servers over an IRC channel.


Process activity

The GenPack creates the following process(es):
No processes have been created.
The GenPack injects its code into the following process(es):

%original file name%.exe:268

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:268 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):

C:\Windows\win32dc\BattleField 1942 crack.exe (673 bytes)
C:\Windows\win32dc\Counter-Strike(cheat).exe (10879 bytes)
C:\Windows\win32dc\Quake3_serial.exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4(fix).exe (673 bytes)
C:\Windows\win32dc\Quake3_codes.exe (17935 bytes)
C:\Windows\win32dc\Silent Hill 4_hack.exe (6639 bytes)
C:\Windows\win32dc\Doom 3 patch.exe (14311 bytes)
C:\Windows\win32dc\Sims 2(cheat).exe (14311 bytes)
C:\Windows\win32dc\Half-Life 2 nocd.exe (673 bytes)
C:\Windows\win32dc\FlatOut crack.exe (6639 bytes)

Registry activity

Dropped PE files

MD5 File path
b89aa17e97bd4cd013602b686945b1b6 c:\Windows\win32dc\Counter-Strike(cheat).exe
8cec386b8012c9267f364b64f76acdba c:\Windows\win32dc\Doom 3 patch.exe
e698e2801cf4e3aebe516f559ee0c22c c:\Windows\win32dc\FlatOut crack.exe
8df851f069de6c8fb68d6164b5ff4d01 c:\Windows\win32dc\Quake3_codes.exe
85b026b35cb1c9fea81e3b7e1ca47f0f c:\Windows\win32dc\Silent Hill 4_hack.exe
4e0248c05d0d1cf1170f7686847ea401 c:\Windows\win32dc\Sims 2(cheat).exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 57344 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 61440 77824 76288 5.52239 e380809454a40b920ecd312fb7823a0c
.rsrc 139264 4096 2048 2.63797 b5916a1f63e299e8c8a487a2ccfe581b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 92

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The GenPack connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_268:

`.rsrc
1%u5?3fAG\[Rm
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
\|3
&pWebServ
FO^nKey
qyNF.oqu
.Vmlo
9%dl{
KERNEL32.DLL
advapi32.dll
mpr.dll
oleaut32.dll
shell32.dll
URLMON.DLL
user32.dll
wininet.dll
wsock32.dll


Remove it with Ad-Aware

  1. Click here to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original GenPack file.
  3. Delete or disinfect the following files created/modified by the GenPack:

    C:\Windows\win32dc\BattleField 1942 crack.exe (673 bytes)
    C:\Windows\win32dc\Counter-Strike(cheat).exe (10879 bytes)
    C:\Windows\win32dc\Quake3_serial.exe (673 bytes)
    C:\Windows\win32dc\Silent Hill 4(fix).exe (673 bytes)
    C:\Windows\win32dc\Quake3_codes.exe (17935 bytes)
    C:\Windows\win32dc\Silent Hill 4_hack.exe (6639 bytes)
    C:\Windows\win32dc\Doom 3 patch.exe (14311 bytes)
    C:\Windows\win32dc\Sims 2(cheat).exe (14311 bytes)
    C:\Windows\win32dc\Half-Life 2 nocd.exe (673 bytes)
    C:\Windows\win32dc\FlatOut crack.exe (6639 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
