GenPack.Generic.Malware.Sdld.C3447922_8a02dec3ab
GenPack:Generic.Malware.Sdld.C3447922 (BitDefender), SoftwareBundler:Win32/Techsnab (Microsoft), HEUR:Packed.Win32.Upantix.gen (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), BackDoor.IRC.Sdbot.16412 (DrWeb), GenPack:Generic.Malware.Sdld.C3447922 (B) (Emsisoft), Packed-KS!8A02DEC3AB89 (McAfee), SMG.Heur!gen (Symantec), Nestha.Win32 (Ikarus), GenPack:Generic.Malware.Sdld.C3447922 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R002C0OKO17 (TrendMicro), GenPack:Generic.Malware.Sdld.C3447922 (AdAware), IRC-Worm.Win32.MyDoom.FD, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, IRC-Worm, Packed, IRCBot, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 8a02dec3ab89e8c0de762394fb63db8d
SHA1: 122066a0d6775cdb53df7a174654a02b479a6aab
SHA256: f6db29de2c2653f456d259a05fa34494c7b6c47319cd63295f6a6172fbdd2ff7
SSDeep: 1536:PpWnqjMHUpmwISu/mcErsA8Lurwpby12acCCsHTdoAFOwbz/g6THx1M:UomSuXEAAlrw1ac/2doA8wbz5TR1M
Size: 141417 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
Behaviour | Description |
---|---|
IRCBot | A bot can communicate with command and control servers via IRC channel. |
Process activity
The GenPack creates the following process(es):
No processes have been created.
The GenPack injects its code into the following process(es):
%original file name%.exe:1504
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1504 makes changes in the file system.
The GenPack creates and/or writes to the following file(s):
C:\Windows\win32dc\Half-Life 2_cdfix.exe (17772 bytes)
C:\Windows\win32dc\Silent Hill 4 cheat.exe (17772 bytes)
C:\Windows\win32dc\Doom 3(crack).exe (673 bytes)
C:\Windows\win32dc\Doom 3_cdfix.exe (1507 bytes)
C:\Windows\win32dc\Counter-Strike(nocd).exe (1507 bytes)
C:\Windows\win32dc\Half-Life 2_patch.exe (5451 bytes)
C:\Windows\win32dc\Doom 3(cheat).exe (673 bytes)
C:\Windows\win32dc\Sims 2 hack.exe (17772 bytes)
C:\Windows\win32dc\Quake3 codes.exe (9924 bytes)
C:\Windows\win32dc\FlatOut(nocd).exe (673 bytes)
Registry activity
Dropped PE files
MD5 | File path |
---|---|
02edbd89ccf11e98a97ff10358802077 | c:\Windows\win32dc\Counter-Strike(nocd).exe |
ef156064601dae88389bd128a615e5b6 | c:\Windows\win32dc\Doom 3_cdfix.exe |
6569933ac283c934e28bf0257902c4c4 | c:\Windows\win32dc\Half-Life 2_cdfix.exe |
c8a5cea3556fb34f1c26aa82773dae37 | c:\Windows\win32dc\Half-Life 2_patch.exe |
33599eaab9891af4998497833ca4cdfd | c:\Windows\win32dc\Quake3 codes.exe |
ee180aad38213bcd71154ddd252a81f9 | c:\Windows\win32dc\Silent Hill 4 cheat.exe |
d5c0d948d7776204ee977676b440bc4f | c:\Windows\win32dc\Sims 2 hack.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 57344 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 61440 | 77824 | 75776 | 5.32717 | 379e8d9260f83ecabb2fe1db8222927e |
.rsrc | 139264 | 4096 | 2048 | 2.63797 | b5916a1f63e299e8c8a487a2ccfe581b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
us.undernet.org | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET CHAT IRC PONG response
Traffic
The GenPack connects to the servers at the following location(s):
.rsrc
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
7421031
&pWebServ
^nKey
URL!wn}
KERNEL32.DLL
advapi32.dll
mpr.dll
oleaut32.dll
shell32.dll
URLMON.DLL
user32.dll
wininet.dll
wsock32.dll
%original file name%.exe_1504_rwx_00401000_00014000:
PRIVMSG
JOIN
login
PRIVMSG
:Fisier Executat
(Director Windows:
(netbios_invalidpass:
File(%cur%\
File(%sys%\
rndnick
NICK
join
%sys%\
%cur%\
%rnddir%\%rand%.exe
system.ini
explorer.exe
.com "win2k" :
DCPlusPlus.xml
dcplusplus.xml
%sys%
%cur%
\WINDOWS\Start Menu\Programs\Startup\
netapi32.dll
%rnddir%\%rand%.com
us.undernet.org
KWindows
&pWebServer
GetWindowsDirectoryA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
URLDownloadToFileA
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
7421031
&pWebServ
^nKey
URL!wn}
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original GenPack file.
- Delete or disinfect the following files created/modified by the GenPack:
C:\Windows\win32dc\Half-Life 2_cdfix.exe (17772 bytes)
C:\Windows\win32dc\Silent Hill 4 cheat.exe (17772 bytes)
C:\Windows\win32dc\Doom 3(crack).exe (673 bytes)
C:\Windows\win32dc\Doom 3_cdfix.exe (1507 bytes)
C:\Windows\win32dc\Counter-Strike(nocd).exe (1507 bytes)
C:\Windows\win32dc\Half-Life 2_patch.exe (5451 bytes)
C:\Windows\win32dc\Doom 3(cheat).exe (673 bytes)
C:\Windows\win32dc\Sims 2 hack.exe (17772 bytes)
C:\Windows\win32dc\Quake3 codes.exe (9924 bytes)
C:\Windows\win32dc\FlatOut(nocd).exe (673 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.