GenPack.Generic.Malware.Sdld.CCCC39FB_0fab136bd8
GenPack:Generic.Malware.Sdld.CCCC39FB (BitDefender), HEUR:Packed.Win32.Upantix.gen (Kaspersky), BackDoor.IRC.Sdbot.16412 (DrWeb), GenPack:Generic.Malware.Sdld.CCCC39FB (B) (Emsisoft), SMG.Heur!gen (Symantec), Nestha.Win32 (Ikarus), GenPack:Generic.Malware.Sdld.CCCC39FB (FSecure), Crypt6.AGBE (AVG), Win32:Malware-gen (Avast), GenPack:Generic.Malware.Sdld.CCCC39FB (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Worm, IRC-Worm, Packed, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0fab136bd8a0e5241f4725a4b6fcea56
SHA1: cd3b0f5dbb76115a2cc93fab77f8997aeb6593fe
SHA256: a308ee6517d26e09e15548bd45b52c129f34936667ed929a68fcab5dea38ef25
SSDeep: 1536:VbxP49hNPlHRJ1c9bIrsA8Lurwpby12acCCsHTdoAFOwbzPHxAaTJ:bPGtG9bIAAlrw1ac/2doA8wbzPHL
Size: 140564 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Worm. A program that primarily replicates itself over networks or removable drives.
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The GenPack creates the following process(es):
No processes have been created.
The GenPack injects its code into the following process(es):
%original file name%.exe:3904
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3904 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
C:\Windows\win32dc\UT2004(cheat).exe (673 bytes)
C:\Windows\win32dc\Counter-Strike crack.exe (18685 bytes)
C:\Windows\win32dc\UT2004_crack.exe (10233 bytes)
C:\Windows\win32dc\Half-Life 2 hack.exe (673 bytes)
C:\Windows\win32dc\BattleField 1942 hack.exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4 hack.exe (673 bytes)
C:\Windows\win32dc\BattleField 1942(cheat).exe (18685 bytes)
C:\Windows\win32dc\FlatOut(trainer).exe (673 bytes)
C:\Windows\win32dc\BattleField 1942(trainer).exe (14989 bytes)
C:\Windows\win32dc\Counter-Strike nocd.exe (1801 bytes)
Registry activity
Dropped PE files
| MD5 | File path |
|---|---|
| 1283adaead06c91954b96b9b4b094c20 | c:\Windows\win32dc\BattleField 1942(cheat).exe |
| 54ff6b489d1e08ab87f985de622f2b29 | c:\Windows\win32dc\BattleField 1942(trainer).exe |
| 4f951acd4d8c6458d1fcddd58ded8280 | c:\Windows\win32dc\Counter-Strike crack.exe |
| 2b811be0a38aaf7999ef45b831801eea | c:\Windows\win32dc\Counter-Strike nocd.exe |
| cb3d211969ff20bfab620e1336dbfcb3 | c:\Windows\win32dc\UT2004_crack.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 57344 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 61440 | 77824 | 75776 | 5.20334 | df50ad2f733de45b3850dec77d0436a2 |
| .rsrc | 139264 | 4096 | 2048 | 2.63797 | b5916a1f63e299e8c8a487a2ccfe581b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The GenPack connects to the servers at the following location(s):
`.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
P}#N"v_Sqld
&pWebServ#
nKey
URL!wn}x
!"#$%&'()* ,-./012345678
%cLb$c&a
.EXFy9QQl
!"#$%&'()* ,-./012345
!"#$%&'()* ,-./0123456
e.Ojef#1sVW13\
KERNEL32.DLL
advapi32.dll
mpr.dll
oleaut32.dll
shell32.dll
URLMON.DLL
user32.dll
wininet.dll
wsock32.dll
%original file name%.exe_3904_rwx_00401000_00014000:
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
P}#N"v_Sqld
&pWebServ#
nKey
URL!wn}x
!"#$%&'()* ,-./012345678
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original GenPack file.
- Delete or disinfect the following files created/modified by the GenPack:
C:\Windows\win32dc\UT2004(cheat).exe (673 bytes)
C:\Windows\win32dc\Counter-Strike crack.exe (18685 bytes)
C:\Windows\win32dc\UT2004_crack.exe (10233 bytes)
C:\Windows\win32dc\Half-Life 2 hack.exe (673 bytes)
C:\Windows\win32dc\BattleField 1942 hack.exe (673 bytes)
C:\Windows\win32dc\Silent Hill 4 hack.exe (673 bytes)
C:\Windows\win32dc\BattleField 1942(cheat).exe (18685 bytes)
C:\Windows\win32dc\FlatOut(trainer).exe (673 bytes)
C:\Windows\win32dc\BattleField 1942(trainer).exe (14989 bytes)
C:\Windows\win32dc\Counter-Strike nocd.exe (1801 bytes)
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.