Virus.Win32.Duel_09642da5bc

by malwarelabrobot on May 4th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), MemScan:Backdoor.Agent.ZQA (B) (Emsisoft), MemScan:Backdoor.Agent.ZQA (AdAware), Virus.Win32.Duel.FD, GenericEmailWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Backdoor, Worm, EmailWorm, Virus, IRCBot


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 09642da5bc41c0c6032a300b38d07f30
SHA1: 4f16cab4698380e78d4b1af8a853faa0ef1ce3c9
SHA256: 592285bcbfaa37d4a9a9db6dd99c3210a00ddbd17eed237e807e9443fd63ef4c
SSDeep: 768:XHqz4XsbDUuy0mJFqSpLxFSgQIa8NPtO3j3ogMSsvLODAr:a5bQl64asP6zn
Size: 60929 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Piriform Ltd
Created at: 2015-04-06 11:18:54
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.
IRCBot A bot can communicate with command and control servers via IRC channel.


Process activity

The Virus creates the following process(es):

%original file name%.exe:248
dwwin.exe:1372
wuauclt.exe:304

The Virus injects its code into the following process(es):

araayzi.cmd:1296

File activity

The process araayzi.cmd:1296 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%System%\WindowsUpdt.exe (19 bytes)

The process %original file name%.exe:248 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aiajij.aiqajyrr (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\74a9_appcompat.txt (6214 bytes)
%WinDir%\xwrm.exe (60 bytes)

The process dwwin.exe:1372 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GD6VKPAZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\481CF.dmp (71707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8H2N0DQR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CPI3G5Y7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LABC5QF\desktop.ini (67 bytes)

The process wuauclt.exe:304 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Virus deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

Registry activity

The process araayzi.cmd:1296 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 48 D0 89 B3 10 2F EC 64 69 0A FB 91 06 4C E6"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WihdowsUpdate" = "%System%\WindowsUpdt.exe"

The process %original file name%.exe:248 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"

The Virus deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Virus deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process dwwin.exe:1372 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 1F A6 6B 2C 53 ED 3C DF 94 89 E8 CD 48 0F 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
342a6fb7a54b0b388f13593be0b0314c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\aiajij.aiqajyrr
aae37ad72f817dea8845ff32d16a8ba0 c:\WINDOWS\system32\WindowsUpdt.exe
342a6fb7a54b0b388f13593be0b0314c c:\WINDOWS\xwrm.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
aiyyrjbi 4096 4096 1536 0.704545 e71be766b5dffd45bb584203310e0fc3
jirbayqa 8192 57344 55296 4.91801 bff11c0f61e5a0c9898919f42fab0851
jyyjaryj 65536 4096 512 0.468013 dd766bd3556eda6b66f2d7b6ec1b0e21
qqaybzaa 69632 4096 2048 4.10575 677f0a894d5ff2f6c088f025736ee3d8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
irc.undernet.org 91.236.182.1


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CNC Shadowserver Reported CnC Server IP group 14
ET CNC Shadowserver Reported CnC Server IP group 45
ET CHAT IRC PONG response
ET CHAT IRC PING command
ET CHAT IRC NICK command
ET CHAT IRC USER command

Traffic

%original file name%.exe_248:

\xwrm.exe
%WinDir%\xwrm.exe
Software\Microsoft\Windows\CurrentVersion\Run
USER %s 8 * :%s
NICK %s
PONG %s
JOIN #england
PRIVMSG #england :.-:[X-Worm]:-.
irc.undernet.org
MAIL FROM:<%s>
RCPT TO:<%s>
--%s--
From:<%s>
To: %s
Subject:%s
boundary="%s"
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
charset="windows-1255"
name= "%s%s"
Content-Disposition: attachment; filename="%s%s"
Support
No.reply
8.txtt:
8.htmt2
8.rtft*
8.doct"
8.bdxt
8.phpt
8.jspt
8.cgit
smtp
ws2_32.dll
ADVAPI32.DLL
RegOpenKeyExA
RegCloseKey
User32.dll
fs_snap.exe
arnsec.exe
ISABL~1.EXE
8.exe
8.scrtt
8.avitJ
8.doctB
8.mp3t:
8.mpgt2
8.xlst*
8.jpgt"
8.zipt
8.isot
8.pdft
8.pptt
8.rart
D:\fs_snap.exe
SFC.DLL
Pyaiyja.jybr
D:\yaiyja.jybr
ReadMe.exe
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\aiajij.aiqajyrr
WinExec
GetWindowsDirectoryA
FPTBAWDRF-INOCPANDANTIAMONN32SNOD3NPSSSMSSSCANZONEPROTMONIRWEBMIRCCKDOTROJSAFEJEDITRAYANDASPIDPLORNDLLTRENNSPLNSCHSYSTALERj
araayzi.cmd
.text
.rsrc
gu>%uM
~nt.ex
CrToMaPh
hPRIVMSG %s :
kernel32.dll
.%suld nb
KERNEL32.dll
2'3.3`3}3
0M1e1w1}1-2x2

araayzi.cmd_1296:

.text
.rsrc
\WindowsUpdt.exe
irc.undernet.org
__MSVCRT_HEAP_SELECT
user32.dll
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
InternetOpenUrlA
WININET.dll
GetCPInfo
url1.dat
PRIVMSG %s :Operations Stoped
PRIVMSG %s :Wasting %s
PRIVMSG %s :Udp Floding %s
-!udp_flood
PRIVMSG %s :%s Downloaded&executed
1.exe
-!download_exe
PRIVMSG %s :Login Success
-!login
PRIVMSG
%*s %s %*s %s %s %s
MODE %s  nsk %s
JOIN %s %s
PONG %s
NICK %s
USER %s 8 * :%s
Software\Microsoft\Windows\CurrentVersion\Run
5241690091
D:\araayzi.cmd
kernel32.dll
.%suld nb

araayzi.cmd_1296_rwx_00401000_0000F000:

\WindowsUpdt.exe
irc.undernet.org
__MSVCRT_HEAP_SELECT
user32.dll
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
InternetOpenUrlA
WININET.dll
GetCPInfo
url1.dat
PRIVMSG %s :Operations Stoped
PRIVMSG %s :Wasting %s
PRIVMSG %s :Udp Floding %s
-!udp_flood
PRIVMSG %s :%s Downloaded&executed
1.exe
-!download_exe
PRIVMSG %s :Login Success
-!login
PRIVMSG
%*s %s %*s %s %s %s
MODE %s  nsk %s
JOIN %s %s
PONG %s
NICK %s
USER %s 8 * :%s
Software\Microsoft\Windows\CurrentVersion\Run
5241690091
D:\araayzi.cmd
kernel32.dll
.%suld nb


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:248
    dwwin.exe:1372
    wuauclt.exe:304

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %System%\WindowsUpdt.exe (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aiajij.aiqajyrr (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\74a9_appcompat.txt (6214 bytes)
    %WinDir%\xwrm.exe (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GD6VKPAZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\481CF.dmp (71707 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8H2N0DQR\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CPI3G5Y7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0LABC5QF\desktop.ini (67 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2232 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WihdowsUpdate" = "%System%\WindowsUpdt.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "x32x" = "%WinDir%\xwrm.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now