Gen.Trojan.ShellIni.MLZamAkVoli_7b693cd967

by malwarelabrobot on November 13th, 2017 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Trojan.ShellIni.MLZ@amAkVoli (B) (Emsisoft), Gen:Trojan.ShellIni.MLZ@amAkVoli (AdAware), GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, IRCBot


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 7b693cd967ec2a2d7946cb15e19d3e5b
SHA1: f0854c4c6f55d396dbb73667fcdba23cb96da241
SHA256: 0879fa73da670e572e78059bf415c8af22209bcb2e78152b5e5410ff454c922d
SSDeep: 49152:JBP6woF2ISKkN8RCs3hfxQleswPBki9qi:fi/F27YCs3hJQUP6li
Size: 1687423 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

IRCBot: a bot that can communicate with command and control servers via an IRC channel.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1504

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\DC Share\cpan2.exe (15624 bytes)
C:\Windows\System32\DC Share\cpanp-run-perl.exe (295596 bytes)
C:\Windows\System32\DC Share\find2perl.exe (97628 bytes)
C:\Windows\System32\DC Share\lwp-download.exe (10815 bytes)
C:\Windows\System32\DC Share\dbip.exe (112407 bytes)
C:\Windows\System32\DC Share\json_pp.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-user-guide.exe (10815 bytes)
C:\Windows\System32\DC Share\h2xs.exe (10815 bytes)
C:\Windows\System32\DC Share\dbi.exe (10815 bytes)
C:\Windows\System32\DC Share\instmodsh.exe (10815 bytes)
C:\Windows\System32\DC Share\libnetcfg.exe (218874 bytes)
C:\Windows\System32\DC Share\dbilogstrip.exe (10815 bytes)
C:\Windows\System32\DC Share\dbilogs.exe (288229 bytes)
C:\Windows\System32\DC Share\h2ph.exe (10815 bytes)
C:\Windows\System32\sIRC4.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\%original file name%.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\a2p.exe (67541 bytes)
C:\Windows\System32\DC Share\c.exe (26439 bytes)
C:\Windows\System32\DC Share\core.exe (30090 bytes)
C:\Windows\System32\DC Share\cpanp-run-.exe (10815 bytes)
C:\Windows\System32\DC Share\lwp-down.exe (10815 bytes)
C:\Windows\System32\DC Share\config_data.exe (30090 bytes)
C:\Windows\System32\DC Share\c2ph.exe (195772 bytes)
C:\Windows\System32\DC Share\cpan.exe (30090 bytes)
C:\Windows\System32\DC Share\exetype.exe (106067 bytes)
C:\Windows\System32\DC Share\cpanp.exe (142131 bytes)
C:\marijuana.txt (82344 bytes)
C:\Windows\System32\DC Share\en.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-user-g.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-iis-co.exe (67541 bytes)
C:\Windows\System32\DC Share\html.exe (226845 bytes)
C:\Windows\System32\DC Share\cpan2dist.exe (15624 bytes)
C:\Windows\System32\xdccPrograms\autoexec.exe (210194 bytes)
C:\Windows\System32\xdccPrograms\ap-update-.exe (52239 bytes)
C:\Windows\System32\DC Share\corelist.exe (30090 bytes)
C:\Windows\System32\xdccPrograms\ap-update-html.exe (52239 bytes)
C:\Windows\System32\DC Share\dbiproxy.exe (10815 bytes)
C:\Windows\System32\xdccPrograms\ap-iis-config.exe (52239 bytes)
C:\Windows\System32\DC Share\htmltree.exe (74517 bytes)
C:\Windows\System32\DC Share\lwp-.exe (210917 bytes)
C:\Windows\System32\DC Share\lwp-dump.exe (68238 bytes)
C:\Windows\System32\DC Share\dbiprof.exe (265470 bytes)
C:\Windows\System32\DC Share\crc32.exe (10815 bytes)
C:\Windows\System32\DC Share\enc2xs.exe (10815 bytes)
C:\Windows\System32\DC Share\lwp-mi.exe (10815 bytes)

Registry activity

The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe sIRC4.exe"

Dropped PE files

MD5 File path
a58cb0453ee06c274ff1ecd02c292e4a c:\Windows\System32\DC Share\c2ph.exe
e88264d66ff5077f46969819d6dd74dd c:\Windows\System32\DC Share\config_data.exe
e88264d66ff5077f46969819d6dd74dd c:\Windows\System32\DC Share\core.exe
e88264d66ff5077f46969819d6dd74dd c:\Windows\System32\DC Share\corelist.exe
e88264d66ff5077f46969819d6dd74dd c:\Windows\System32\DC Share\cpan.exe
ca34cbf91b053db36f5b4e92acf2d71a c:\Windows\System32\DC Share\cpan2.exe
ca34cbf91b053db36f5b4e92acf2d71a c:\Windows\System32\DC Share\cpan2dist.exe
c10290eb827d83cbf6a04c5aa5eed822 c:\Windows\System32\DC Share\cpanp-run-perl.exe
f8842562124ab855f4f8d5d6c5f1cb12 c:\Windows\System32\DC Share\cpanp.exe
792da32eecc4cc8dc7515f5db94b0c8c c:\Windows\System32\DC Share\dbilogs.exe
4653269b63898ef86f9efde4b5f101c5 c:\Windows\System32\DC Share\dbip.exe
f8ee1d84fd461ce0d64176646f237fba c:\Windows\System32\DC Share\dbiprof.exe
c4b491f734e2ed2581eb3bbce67e511d c:\Windows\System32\DC Share\exetype.exe
e5ff17ef03659aa23ce4db387320aecb c:\Windows\System32\DC Share\find2perl.exe
e077682840d5f467d8349c99bb1ef3a5 c:\Windows\System32\DC Share\html.exe
614fa4a3fd9220f7359ed7d92776da18 c:\Windows\System32\DC Share\htmltree.exe
575c2f6df1b5b2f763ec13d510bdd330 c:\Windows\System32\DC Share\libnetcfg.exe
a05bd26206bab0b18067bb98a672857f c:\Windows\System32\DC Share\lwp-.exe
5acdd0dac7c9a1ebfe309e8148be7971 c:\Windows\System32\DC Share\lwp-dump.exe
a6cd7e59152f9f15133c9c428c635018 c:\Windows\System32\xdccPrograms\a2p.exe
a6cd7e59152f9f15133c9c428c635018 c:\Windows\System32\xdccPrograms\ap-iis-co.exe
ca6e9b75a1301820c5e8446a99134423 c:\Windows\System32\xdccPrograms\ap-iis-config.exe
ca6e9b75a1301820c5e8446a99134423 c:\Windows\System32\xdccPrograms\ap-update-.exe
ca6e9b75a1301820c5e8446a99134423 c:\Windows\System32\xdccPrograms\ap-update-html.exe
f7fb221f346cd6addf345cc992c423da c:\Windows\System32\xdccPrograms\autoexec.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 51588 51712 4.55828 7af1f29e4088afc4e1ff8bea59ac012a
DATA 57344 2588 3072 3.14251 5bd558c4cfa6af8832a10b063dfaf1ed
BSS 61440 4369 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 69632 2110 2560 2.89006 96b1d121243ee63bbbbb3c2ce0e5d05f
.tls 73728 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 77824 24 512 0.146134 c8f3ad504b4e880ce32a390a76c71bfb
.lol0 81920 3825 4096 5.21859 ca722520a0fc54a4b1a0578376720f23
.reloc 86016 1828 2048 4.37145 02853329c41fc9eb1a31c9a92d9d58c5
.rsrc 90112 3260 3584 1.81557 41ef3d16bf1f30319757dd252d4eb103

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 4
32aa2307d8ff4594f84272249b6c7037
520a42e090e2de4ca7a4ffae93707d49
7d2c07a1b893cad18460704932ff93d7
81275e2de1e8034cac9bf2b87cd620ba

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1504:

.idata
.rdata
P.lol0
`.reloc
P.rsrc
system.ini
Explorer.exe
software\microsoft\windows\currentversion\app paths\winzip32.exe
software\microsoft\windows\currentversion\app paths\WinRAR.exe
C:\rar.bat
C:\zip.bat
PRIVMSG
PRIVMSG #hellothere :
PRIVMSG
JOIN
JOIN #HelloThere
NICK
NICK [xdcc]
NICK [mp3]
NICK [rar]
NICK [zip]
NICK [share]
sIRC4.exe
C:\marijuana.txt
uk.undernet.org
CMDR
JOIN
iu2.iu
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
WinExec
wsock32.dll
KWindows


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1504

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\System32\DC Share\cpan2.exe (15624 bytes)
    C:\Windows\System32\DC Share\cpanp-run-perl.exe (295596 bytes)
    C:\Windows\System32\DC Share\find2perl.exe (97628 bytes)
    C:\Windows\System32\DC Share\lwp-download.exe (10815 bytes)
    C:\Windows\System32\DC Share\dbip.exe (112407 bytes)
    C:\Windows\System32\DC Share\json_pp.exe (10815 bytes)
    C:\Windows\System32\xdccPrograms\ap-user-guide.exe (10815 bytes)
    C:\Windows\System32\DC Share\h2xs.exe (10815 bytes)
    C:\Windows\System32\DC Share\dbi.exe (10815 bytes)
    C:\Windows\System32\DC Share\instmodsh.exe (10815 bytes)
    C:\Windows\System32\DC Share\libnetcfg.exe (218874 bytes)
    C:\Windows\System32\DC Share\dbilogstrip.exe (10815 bytes)
    C:\Windows\System32\DC Share\dbilogs.exe (288229 bytes)
    C:\Windows\System32\DC Share\h2ph.exe (10815 bytes)
    C:\Windows\System32\sIRC4.exe (10815 bytes)
    C:\Windows\System32\xdccPrograms\%original file name%.exe (10815 bytes)
    C:\Windows\System32\xdccPrograms\a2p.exe (67541 bytes)
    C:\Windows\System32\DC Share\c.exe (26439 bytes)
    C:\Windows\System32\DC Share\core.exe (30090 bytes)
    C:\Windows\System32\DC Share\cpanp-run-.exe (10815 bytes)
    C:\Windows\System32\DC Share\lwp-down.exe (10815 bytes)
    C:\Windows\System32\DC Share\config_data.exe (30090 bytes)
    C:\Windows\System32\DC Share\c2ph.exe (195772 bytes)
    C:\Windows\System32\DC Share\cpan.exe (30090 bytes)
    C:\Windows\System32\DC Share\exetype.exe (106067 bytes)
    C:\Windows\System32\DC Share\cpanp.exe (142131 bytes)
    C:\marijuana.txt (82344 bytes)
    C:\Windows\System32\DC Share\en.exe (10815 bytes)
    C:\Windows\System32\xdccPrograms\ap-user-g.exe (10815 bytes)
    C:\Windows\System32\xdccPrograms\ap-iis-co.exe (67541 bytes)
    C:\Windows\System32\DC Share\html.exe (226845 bytes)
    C:\Windows\System32\DC Share\cpan2dist.exe (15624 bytes)
    C:\Windows\System32\xdccPrograms\autoexec.exe (210194 bytes)
    C:\Windows\System32\xdccPrograms\ap-update-.exe (52239 bytes)
    C:\Windows\System32\DC Share\corelist.exe (30090 bytes)
    C:\Windows\System32\xdccPrograms\ap-update-html.exe (52239 bytes)
    C:\Windows\System32\DC Share\dbiproxy.exe (10815 bytes)
    C:\Windows\System32\xdccPrograms\ap-iis-config.exe (52239 bytes)
    C:\Windows\System32\DC Share\htmltree.exe (74517 bytes)
    C:\Windows\System32\DC Share\lwp-.exe (210917 bytes)
    C:\Windows\System32\DC Share\lwp-dump.exe (68238 bytes)
    C:\Windows\System32\DC Share\dbiprof.exe (265470 bytes)
    C:\Windows\System32\DC Share\crc32.exe (10815 bytes)
    C:\Windows\System32\DC Share\enc2xs.exe (10815 bytes)
    C:\Windows\System32\DC Share\lwp-mi.exe (10815 bytes)

  4. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell" = "Explorer.exe sIRC4.exe"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
