Backdoor.Mask.E_cdc03f1405

by malwarelabrobot on April 3rd, 2014 in Malware Descriptions.

Backdoor.Mask.E (BitDefender), TrojanDropper:Win32/Seedna.A (Microsoft), Trojan.Win32.Careto.au (Kaspersky), Trojan.Win32.Mask.a (v) (VIPRE), Trojan.Siggen6.9085 (DrWeb), Backdoor.Mask.E (B) (Emsisoft), BackDoor-FBRF (McAfee), Backdoor.Weevil.B (Symantec), Backdoor.Mask (Ikarus), Backdoor:W32/Mask.A (FSecure), Pakes.MLY (AVG), Win32:Malware-gen (Avast), BKDR_CARETO.A (TrendMicro), Backdoor.Mask.E (AdAware)
Behaviour: Trojan-Dropper, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: cdc03f14052a73cc9d3d1d5d752d9d04
SHA1: a1bd3f225ea19b4963d7983bffc5d342d8d6148b
SHA256: 892511916b92794a92ea698ab3ae78d51a5958e9a4d175f2b05a5af0f3e1ef16
SSDeep: 6144:5PVxLB2LB5XFfTBhZg/e74vm5U6yjRx4Rj6aLmWhh30k974q5j kCCI8:jx9cB51fTBN74F6o0/EkOyj DCI8
Size: 348264 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SoftWarehouse
Created at: 2013-05-09 14:20:08
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor: malware that gives an attacker remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

___2.tmp:232
%original file name%.exe:1948

The Backdoor injects its code into the following process(es):
No code injection into other processes has been detected.

File activity

The process ___2.tmp:232 makes changes in the file system.
The Backdoor deletes the following file(s):

C:\CDC03F14052A73CC9D3D1D5D752D9D04.EXE (0 bytes) (the original sample, which the analysis system stores under its MD5)

The process %original file name%.exe:1948 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\awcodc32.dll (24576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\___2.tmp (9320 bytes)
%System%\bootfont.bin (122912 bytes)
%System%\vchw9x.dll (20992 bytes)
%System%\drivers\scsimap.sys (14464 bytes)
%System%\jpeg1x32.dll (31744 bytes)
%System%\awdcxc32.dll (8192 bytes)
%System%\mfcn30.dll (17920 bytes)

Registry activity

The process %original file name%.exe:1948 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E D3 42 59 2D 13 E2 89 AF 36 98 3F 3F 22 22 7C"
(this value is rewritten by the Windows CryptoAPI whenever a process draws random bytes; it is a side effect of the sample running, not a useful indicator)

[HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
"EnablePrefetcher" = "2"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe,"
(the empty destination after the comma schedules the original dropper for deletion at the next boot: MoveFileEx with a NULL new name and MOVEFILE_DELAY_UNTIL_REBOOT)

[HKLM\System\CurrentControlSet\Services\scsimap\Params]
"Value" = "52 1B 30 EA 58 DF 82 88 60 94 B8 B7 F4 C1 83 1E"
(service key of the dropped driver %System%\drivers\scsimap.sys; the meaning of the 16-byte value is not determined by this analysis)
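The PendingFileRenameOperations entry above, with its empty destination, is the dropper scheduling its own file for deletion at the next boot. The following is an added example, not code from this page or from the Lavasoft analysis system: it decodes a raw REG_MULTI_SZ value into (source, destination) pairs, recognises the "!" replace-existing prefix and the empty-destination delete form, and flags deletions of executables outside system directories. The sample registry data is constructed inline; SYSTEM_PREFIXES and EXECUTABLE_SUFFIXES are assumptions to adjust for the host being examined.

```python
r"""Decode a PendingFileRenameOperations value (REG_MULTI_SZ under
HKLM\System\CurrentControlSet\Control\Session Manager) and flag delete-on-reboot
entries, the mechanism behind the value with the trailing comma in the report."""
from typing import List, Optional, Tuple

# (source path, destination path or None for a deletion, replace-existing flag)
Op = Tuple[str, Optional[str], bool]

# Assumption for this example: deletions under these roots are treated as servicing
# noise; any other scheduled deletion of an executable is reported.
SYSTEM_PREFIXES = ("C:\\WINDOWS\\", "C:\\Program Files\\")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def parse_multi_sz(raw: bytes) -> List[str]:
    """Split REG_MULTI_SZ bytes (UTF-16LE, NUL after each string, extra NUL at the end).
    Empty strings are preserved: an empty destination is how a deletion is encoded."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\x00\x00"):
        raise ValueError("REG_MULTI_SZ data is not double-NUL terminated")
    if text == "\x00\x00":
        return []
    return text[:-2].split("\x00")      # drop last string's NUL and the list terminator


def build_multi_sz(strings: List[str]) -> bytes:
    """Inverse of parse_multi_sz; used to construct sample data for this example."""
    return (("".join(s + "\x00" for s in strings) or "\x00") + "\x00").encode("utf-16-le")


def pending_operations(raw: bytes) -> List[Op]:
    """Pair up the strings. Windows appends source then destination; a '!' prefix on the
    destination means MOVEFILE_REPLACE_EXISTING, an empty destination means delete."""
    strings = parse_multi_sz(raw)
    if len(strings) % 2:
        raise ValueError("odd number of strings: value is truncated or malformed")
    ops: List[Op] = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append((src, dst or None, replace))
    return ops


def nt_to_win32(path: str) -> str:
    """The value stores NT object paths: \\??\\C:\\foo -> C:\\foo."""
    return path[4:] if path.startswith("\\??\\") else path


def suspicious_deletions(ops: List[Op]) -> List[str]:
    """Executables scheduled for deletion outside system roots. A dropper that calls
    MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) to erase itself shows up here."""
    found = []
    for src, dst, _ in ops:
        if dst is not None:
            continue
        path = nt_to_win32(src)
        if path.lower().endswith(EXECUTABLE_SUFFIXES) and \
                not path.upper().startswith(tuple(p.upper() for p in SYSTEM_PREFIXES)):
            found.append(path)
    return found


# Constructed sample data (not captured from a real system): one servicing-style
# replace, one deletion inside the Windows directory, and one self-deletion of a
# dropper at the drive root, the shape of the entry in the report above.
SAMPLE = build_multi_sz([
    "\\??\\C:\\WINDOWS\\system32\\example.dll.tmp", "!\\??\\C:\\WINDOWS\\system32\\example.dll",
    "\\??\\C:\\WINDOWS\\Temp\\setup_old.exe", "",
    "\\??\\C:\\dropper.exe", "",
])

if __name__ == "__main__":
    for src, dst, replace in pending_operations(SAMPLE):
        action = "DELETE" if dst is None else ("REPLACE" if replace else "RENAME")
        print(f"{action:<8} {nt_to_win32(src)}" + (f" -> {nt_to_win32(dst)}" if dst else ""))
    print("suspicious:", suspicious_deletions(pending_operations(SAMPLE)))
```

Work on the raw value bytes rather than on a pre-decoded string list: many REG_MULTI_SZ decoders treat an empty string as the end of the list, which would silently hide exactly the delete entries this check looks for.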

Dropped PE files

MD5                               File path
8102aef50b9c7456f62cdbeefa5fa9de  c:\Documents and Settings\test\Local Settings\Temp\___2.tmp
f28990d580f42050e4897cb52a1fb026  c:\WINDOWS\system32\awcodc32.dll
dede43ebe5f8a4b0aabfd0679b051e9e  c:\WINDOWS\system32\awdcxc32.dll
4a0af770e172abb09e3691a81f9a6572  c:\WINDOWS\system32\drivers\scsimap.sys
c2ba81c0de01038a54703de26b18e9ee  c:\WINDOWS\system32\jpeg1x32.dll
5024ce13efab0e531c4e09b98def1287  c:\WINDOWS\system32\mfcn30.dll
f46da52833c1078ed8b62276acbe9f1b  c:\WINDOWS\system32\vchw9x.dll

%System%\bootfont.bin (122912 bytes) is written by the sample but does not appear in this list, so the analysis system did not identify it as a PE file.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The analysis system could not name the driver involved ("UNKNOWN"); the only driver the sample drops is %System%\drivers\scsimap.sys.

Using that driver the Backdoor monitors creation and termination of processes by installing a process notify routine (the kernel's PsSetCreateProcessNotifyRoutine callback).

Using that driver the Backdoor monitors loading of executable images into memory by installing a load-image notify routine (the kernel's PsSetLoadImageNotifyRoutine callback).



Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             80233         80384     4.65699  696475cd3808bd77abb8e1e906fa92aa
.rdata  86016            25974         26112     4.61538  1fc13f5d9019589f1695011a67155307
.data   114688           15184         4608      1.56666  c75e8e0eaa5c089b2cfb661fafeeca35
.rsrc   131072           456           512       3.49467  0bab4e0138369ac87417ec3bd9758cb0
.inf    135168           230974        233472    5.53613  42e91416945440caf237ca5e4c0c33d7

.inf is not a linker-standard section name and holds most of the file (233472 of 348264 bytes); together with the UPolyX packer identification above, it is where a reviewer would look first for the packed payload.
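The section table above is the output of a plain walk over the PE headers. The following is an added example, not code from this page or from the Lavasoft analysis system: it parses a PE section table with the standard library, computes the entropy and MD5 reported per section, decodes the COFF TimeDateStamp, and flags non-standard names such as .inf, high-entropy sections and writable-and-executable sections. It builds its own minimal test image (constructed data, not the analysed binary) so it runs offline; COMMON_SECTION_NAMES, the 7.0 entropy threshold and reading the report's "Created at" as a UTC compile timestamp are assumptions.

```python
"""Walk a PE section table and compute what a sandbox report lists per section (name,
VirtualAddress, VirtualSize, raw size, entropy, MD5), then flag packed or custom sections."""
import hashlib
import math
import struct
import time
from typing import Dict, List, Tuple

# Names a stock linker emits; anything else is worth a look (assumption: toolchains vary).
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".bss", ".tls", ".CRT", ".xdata"}
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> Dict:
    """DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    timestamp = struct.unpack_from("<I", image, coff + 4)[0]      # TimeDateStamp
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = \
            SECTION_HEADER.unpack_from(image, table + i * SECTION_HEADER.size)
        raw = image[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            raise ValueError(f"section {i}: raw data runs past end of file")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw), "md5": hashlib.md5(raw).hexdigest(),
                         "characteristics": chars})
    return {"timestamp": timestamp, "sections": sections,
            "timestamp_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(timestamp))}


def flag_sections(info: Dict, high_entropy: float = 7.0) -> List[Tuple[str, str]]:
    """(section name, reason) pairs that deserve a second look."""
    flags = []
    for s in info["sections"]:
        if s["name"] not in COMMON_SECTION_NAMES:
            flags.append((s["name"], "non-standard section name"))
        if s["raw_size"] and s["entropy"] >= high_entropy:
            flags.append((s["name"], f"entropy {s['entropy']:.2f}: likely packed or encrypted"))
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            flags.append((s["name"], "writable and executable"))
    return flags


def build_test_pe(sections: List[Tuple[str, bytes, int]], timestamp: int) -> bytes:
    """Construct a minimal PE (DOS stub, COFF header, zeroed optional header, section table,
    raw data) so the parser can run offline. Constructed test data, not a loadable image."""
    size_opt, file_align = 224, 0x200
    headers_len = 64 + 4 + 20 + size_opt + SECTION_HEADER.size * len(sections)
    data_start = -(-headers_len // file_align) * file_align
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, size_opt, 0x0102)
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, raw, vsize in sections:
        table += SECTION_HEADER.pack(name.encode("ascii"), vsize, va, len(raw),
                                     data_start + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw + bytes(-len(raw) % file_align)
        va += -(-max(vsize, len(raw)) // 0x1000) * 0x1000
    image = dos + b"PE\0\0" + coff + bytes(size_opt) + table
    image += bytes(data_start - len(image))
    return bytes(image + body)


def demo() -> Dict:
    """Constructed sample: small code section, high-entropy custom ".inf" section (the
    non-standard name in the report above), tiny resource section. The timestamp is the
    report's "Created at" read as UTC, an assumption."""
    image = build_test_pe([(".text", b"\x55\x8b\xec" * 300, 900),
                           (".inf", bytes(range(256)) * 16, 4096),
                           (".rsrc", b"abc", 3)], timestamp=1368109208)
    info = parse_pe(image)
    info["flags"] = flag_sections(info)
    return info


if __name__ == "__main__":
    print(demo())
```

On a real file, replace the constructed image with open(path, "rb").read(); the same parse_pe and flag_sections calls then reproduce the columns of the table above, and a section MD5 lets you correlate the .inf payload across samples that share a packer but differ elsewhere.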

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate the malicious process(es) (see How to End a Process With the Task Manager); the PIDs below are from the analysis run and will differ on an infected host:

    ___2.tmp:232
    %original file name%.exe:1948

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %System%\awcodc32.dll (24576 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\___2.tmp (9320 bytes)
    %System%\bootfont.bin (122912 bytes)
    %System%\vchw9x.dll (20992 bytes)
    %System%\drivers\scsimap.sys (14464 bytes)
    %System%\jpeg1x32.dll (31744 bytes)
    %System%\awdcxc32.dll (8192 bytes)
    %System%\mfcn30.dll (17920 bytes)

  5. Delete the driver's service key HKLM\System\CurrentControlSet\Services\scsimap (see Registry activity) so that scsimap.sys is not loaded again, then reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
