Gen.Trojan.ShellIni.MLZamAkVoli_7b693cd967
Susp_Dropper (Kaspersky), Gen:Trojan.ShellIni.MLZ@amAkVoli (B) (Emsisoft), Gen:Trojan.ShellIni.MLZ@amAkVoli (AdAware), GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 7b693cd967ec2a2d7946cb15e19d3e5b
SHA1: f0854c4c6f55d396dbb73667fcdba23cb96da241
SHA256: 0879fa73da670e572e78059bf415c8af22209bcb2e78152b5e5410ff454c922d
SSDeep: 49152:JBP6woF2ISKkN8RCs3hfxQleswPBki9qi:fi/F27YCs3hJQUP6li
Size: 1687423 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1504
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\DC Share\cpan2.exe (15624 bytes)
C:\Windows\System32\DC Share\cpanp-run-perl.exe (295596 bytes)
C:\Windows\System32\DC Share\find2perl.exe (97628 bytes)
C:\Windows\System32\DC Share\lwp-download.exe (10815 bytes)
C:\Windows\System32\DC Share\dbip.exe (112407 bytes)
C:\Windows\System32\DC Share\json_pp.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-user-guide.exe (10815 bytes)
C:\Windows\System32\DC Share\h2xs.exe (10815 bytes)
C:\Windows\System32\DC Share\dbi.exe (10815 bytes)
C:\Windows\System32\DC Share\instmodsh.exe (10815 bytes)
C:\Windows\System32\DC Share\libnetcfg.exe (218874 bytes)
C:\Windows\System32\DC Share\dbilogstrip.exe (10815 bytes)
C:\Windows\System32\DC Share\dbilogs.exe (288229 bytes)
C:\Windows\System32\DC Share\h2ph.exe (10815 bytes)
C:\Windows\System32\sIRC4.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\%original file name%.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\a2p.exe (67541 bytes)
C:\Windows\System32\DC Share\c.exe (26439 bytes)
C:\Windows\System32\DC Share\core.exe (30090 bytes)
C:\Windows\System32\DC Share\cpanp-run-.exe (10815 bytes)
C:\Windows\System32\DC Share\lwp-down.exe (10815 bytes)
C:\Windows\System32\DC Share\config_data.exe (30090 bytes)
C:\Windows\System32\DC Share\c2ph.exe (195772 bytes)
C:\Windows\System32\DC Share\cpan.exe (30090 bytes)
C:\Windows\System32\DC Share\exetype.exe (106067 bytes)
C:\Windows\System32\DC Share\cpanp.exe (142131 bytes)
C:\marijuana.txt (82344 bytes)
C:\Windows\System32\DC Share\en.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-user-g.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-iis-co.exe (67541 bytes)
C:\Windows\System32\DC Share\html.exe (226845 bytes)
C:\Windows\System32\DC Share\cpan2dist.exe (15624 bytes)
C:\Windows\System32\xdccPrograms\autoexec.exe (210194 bytes)
C:\Windows\System32\xdccPrograms\ap-update-.exe (52239 bytes)
C:\Windows\System32\DC Share\corelist.exe (30090 bytes)
C:\Windows\System32\xdccPrograms\ap-update-html.exe (52239 bytes)
C:\Windows\System32\DC Share\dbiproxy.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-iis-config.exe (52239 bytes)
C:\Windows\System32\DC Share\htmltree.exe (74517 bytes)
C:\Windows\System32\DC Share\lwp-.exe (210917 bytes)
C:\Windows\System32\DC Share\lwp-dump.exe (68238 bytes)
C:\Windows\System32\DC Share\dbiprof.exe (265470 bytes)
C:\Windows\System32\DC Share\crc32.exe (10815 bytes)
C:\Windows\System32\DC Share\enc2xs.exe (10815 bytes)
C:\Windows\System32\DC Share\lwp-mi.exe (10815 bytes)
Registry activity
The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe sIRC4.exe"
Dropped PE files
MD5 | File path |
---|---|
a58cb0453ee06c274ff1ecd02c292e4a | c:\Windows\System32\DC Share\c2ph.exe |
e88264d66ff5077f46969819d6dd74dd | c:\Windows\System32\DC Share\config_data.exe |
e88264d66ff5077f46969819d6dd74dd | c:\Windows\System32\DC Share\core.exe |
e88264d66ff5077f46969819d6dd74dd | c:\Windows\System32\DC Share\corelist.exe |
e88264d66ff5077f46969819d6dd74dd | c:\Windows\System32\DC Share\cpan.exe |
ca34cbf91b053db36f5b4e92acf2d71a | c:\Windows\System32\DC Share\cpan2.exe |
ca34cbf91b053db36f5b4e92acf2d71a | c:\Windows\System32\DC Share\cpan2dist.exe |
c10290eb827d83cbf6a04c5aa5eed822 | c:\Windows\System32\DC Share\cpanp-run-perl.exe |
f8842562124ab855f4f8d5d6c5f1cb12 | c:\Windows\System32\DC Share\cpanp.exe |
792da32eecc4cc8dc7515f5db94b0c8c | c:\Windows\System32\DC Share\dbilogs.exe |
4653269b63898ef86f9efde4b5f101c5 | c:\Windows\System32\DC Share\dbip.exe |
f8ee1d84fd461ce0d64176646f237fba | c:\Windows\System32\DC Share\dbiprof.exe |
c4b491f734e2ed2581eb3bbce67e511d | c:\Windows\System32\DC Share\exetype.exe |
e5ff17ef03659aa23ce4db387320aecb | c:\Windows\System32\DC Share\find2perl.exe |
e077682840d5f467d8349c99bb1ef3a5 | c:\Windows\System32\DC Share\html.exe |
614fa4a3fd9220f7359ed7d92776da18 | c:\Windows\System32\DC Share\htmltree.exe |
575c2f6df1b5b2f763ec13d510bdd330 | c:\Windows\System32\DC Share\libnetcfg.exe |
a05bd26206bab0b18067bb98a672857f | c:\Windows\System32\DC Share\lwp-.exe |
5acdd0dac7c9a1ebfe309e8148be7971 | c:\Windows\System32\DC Share\lwp-dump.exe |
a6cd7e59152f9f15133c9c428c635018 | c:\Windows\System32\xdccPrograms\a2p.exe |
a6cd7e59152f9f15133c9c428c635018 | c:\Windows\System32\xdccPrograms\ap-iis-co.exe |
ca6e9b75a1301820c5e8446a99134423 | c:\Windows\System32\xdccPrograms\ap-iis-config.exe |
ca6e9b75a1301820c5e8446a99134423 | c:\Windows\System32\xdccPrograms\ap-update-.exe |
ca6e9b75a1301820c5e8446a99134423 | c:\Windows\System32\xdccPrograms\ap-update-html.exe |
f7fb221f346cd6addf345cc992c423da | c:\Windows\System32\xdccPrograms\autoexec.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 51588 | 51712 | 4.55828 | 7af1f29e4088afc4e1ff8bea59ac012a |
DATA | 57344 | 2588 | 3072 | 3.14251 | 5bd558c4cfa6af8832a10b063dfaf1ed |
BSS | 61440 | 4369 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 69632 | 2110 | 2560 | 2.89006 | 96b1d121243ee63bbbbb3c2ce0e5d05f |
.tls | 73728 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 77824 | 24 | 512 | 0.146134 | c8f3ad504b4e880ce32a390a76c71bfb |
.lol0 | 81920 | 3825 | 4096 | 5.21859 | ca722520a0fc54a4b1a0578376720f23 |
.reloc | 86016 | 1828 | 2048 | 4.37145 | 02853329c41fc9eb1a31c9a92d9d58c5 |
.rsrc | 90112 | 3260 | 3584 | 1.81557 | 41ef3d16bf1f30319757dd252d4eb103 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 4
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
.idata
.rdata
P.lol0
`.reloc
P.rsrc
system.ini
Explorer.exe
software\microsoft\windows\currentversion\app paths\winzip32.exe
software\microsoft\windows\currentversion\app paths\WinRAR.exe
C:\rar.bat
C:\zip.bat
8.teChTd@
PRIVMSG
PRIVMSG #hellothere :
PRIVMSG
JOIN
JOIN #HelloThere
NICK
NICK [xdcc]
NICK [mp3]
NICK [rar]
NICK [zip]
NICK [share]
sIRC4.exe
C:\marijuana.txt
uk.undernet.org
CMDR
JOIN
iu2.iu
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
WinExec
wsock32.dll
KWindows
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1504
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\DC Share\cpan2.exe (15624 bytes)
C:\Windows\System32\DC Share\cpanp-run-perl.exe (295596 bytes)
C:\Windows\System32\DC Share\find2perl.exe (97628 bytes)
C:\Windows\System32\DC Share\lwp-download.exe (10815 bytes)
C:\Windows\System32\DC Share\dbip.exe (112407 bytes)
C:\Windows\System32\DC Share\json_pp.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-user-guide.exe (10815 bytes)
C:\Windows\System32\DC Share\h2xs.exe (10815 bytes)
C:\Windows\System32\DC Share\dbi.exe (10815 bytes)
C:\Windows\System32\DC Share\instmodsh.exe (10815 bytes)
C:\Windows\System32\DC Share\libnetcfg.exe (218874 bytes)
C:\Windows\System32\DC Share\dbilogstrip.exe (10815 bytes)
C:\Windows\System32\DC Share\dbilogs.exe (288229 bytes)
C:\Windows\System32\DC Share\h2ph.exe (10815 bytes)
C:\Windows\System32\sIRC4.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\%original file name%.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\a2p.exe (67541 bytes)
C:\Windows\System32\DC Share\c.exe (26439 bytes)
C:\Windows\System32\DC Share\core.exe (30090 bytes)
C:\Windows\System32\DC Share\cpanp-run-.exe (10815 bytes)
C:\Windows\System32\DC Share\lwp-down.exe (10815 bytes)
C:\Windows\System32\DC Share\config_data.exe (30090 bytes)
C:\Windows\System32\DC Share\c2ph.exe (195772 bytes)
C:\Windows\System32\DC Share\cpan.exe (30090 bytes)
C:\Windows\System32\DC Share\exetype.exe (106067 bytes)
C:\Windows\System32\DC Share\cpanp.exe (142131 bytes)
C:\marijuana.txt (82344 bytes)
C:\Windows\System32\DC Share\en.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-user-g.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-iis-co.exe (67541 bytes)
C:\Windows\System32\DC Share\html.exe (226845 bytes)
C:\Windows\System32\DC Share\cpan2dist.exe (15624 bytes)
C:\Windows\System32\xdccPrograms\autoexec.exe (210194 bytes)
C:\Windows\System32\xdccPrograms\ap-update-.exe (52239 bytes)
C:\Windows\System32\DC Share\corelist.exe (30090 bytes)
C:\Windows\System32\xdccPrograms\ap-update-html.exe (52239 bytes)
C:\Windows\System32\DC Share\dbiproxy.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-iis-config.exe (52239 bytes)
C:\Windows\System32\DC Share\htmltree.exe (74517 bytes)
C:\Windows\System32\DC Share\lwp-.exe (210917 bytes)
C:\Windows\System32\DC Share\lwp-dump.exe (68238 bytes)
C:\Windows\System32\DC Share\dbiprof.exe (265470 bytes)
C:\Windows\System32\DC Share\crc32.exe (10815 bytes)
C:\Windows\System32\DC Share\enc2xs.exe (10815 bytes)
C:\Windows\System32\DC Share\lwp-mi.exe (10815 bytes)
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe sIRC4.exe"
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.