Virus.Win32.Duel_d8369e8825

by malwarelabrobot on May 5th, 2014 in Malware Descriptions.

Susp_Dropper (Kaspersky), MemScan:Backdoor.Agent.ZQA (B) (Emsisoft), MemScan:Backdoor.Agent.ZQA (AdAware), Virus.Win32.Duel.FD, GenericEmailWorm.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Backdoor, Worm, EmailWorm, Virus, IRCBot


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: d8369e882546f3dc3772030d1bea3650
SHA1: 4d5bbd70469a40929831e5698058d35b43fe3407
SHA256: bfecd161e97dd9b4d8812b26e39f3020d1d0a88d39e85dea2597907d350923ba
SSDeep: 1536:vlrtIPBliPYp6L9 LjGWUEnKyg8ayNYd0LP:vlePB8Y6LsLCWUupv
Size: 60929 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: no data
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.
IRCBot A bot can communicate with command and control servers via IRC channel.


Process activity

The Virus creates the following process(es):

dwwin.exe:276
%original file name%.exe:1716

The Virus injects its code into the following process(es):

yyyryry.cmd:224

File activity

The process dwwin.exe:276 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FAC44.dmp (71722 bytes)

The process %original file name%.exe:1716 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%WinDir%\xwrm.exe (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a0dc_appcompat.txt (6214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yjrrzi.iirqbiqj (60 bytes)

The process yyyryry.cmd:224 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%System%\WindowsUpdt.exe (19 bytes)

Registry activity

The process dwwin.exe:276 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 36 FE 1F 55 65 2D 30 C2 25 03 B7 C1 B1 6B CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Virus deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1716 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"x32x" = "%WinDir%\xwrm.exe"

The Virus deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Virus deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process yyyryry.cmd:224 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 3A 50 07 11 C2 E5 CC AB 01 0A 48 04 7C BB FD"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WihdowsUpdate" = "%System%\WindowsUpdt.exe"

Dropped PE files

MD5 File path
9cace49f24aa9a2f4f0a29abc4b6ca3c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\yjrrzi.iirqbiqj
aae37ad72f817dea8845ff32d16a8ba0 c:\WINDOWS\system32\WindowsUpdt.exe
9cace49f24aa9a2f4f0a29abc4b6ca3c c:\WINDOWS\xwrm.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
zzyiqqya 4096 4096 1536 0.853894 dd69678e59a7530e7c30e5722ddf3b4a
zaayqyaj 8192 57344 55296 4.95233 a47e4c596fd3346a6f090785d3429a7e
qiaqjjrr 65536 4096 512 0.468013 dd766bd3556eda6b66f2d7b6ec1b0e21
zqyjaaar 69632 4096 2048 4.10575 677f0a894d5ff2f6c088f025736ee3d8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
irc.undernet.org 91.236.182.1


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CNC Shadowserver Reported CnC Server IP group 3
ET CNC Shadowserver Reported CnC Server IP group 45
ET CHAT IRC USER command
ET CHAT IRC PONG response
ET CHAT IRC PING command
ET CHAT IRC NICK command

Traffic

%original file name%.exe_1716:

;eE%f;
\xwrm.exe
%WinDir%\xwrm.exe
Software\Microsoft\Windows\CurrentVersion\Run
USER %s 8 * :%s
NICK %s
PONG %s
JOIN #england
PRIVMSG #england :.-:[X-Worm]:-.
irc.undernet.org
MAIL FROM:<%s>
RCPT TO:<%s>
--%s--
From:<%s>
To: %s
Subject:%s
boundary="%s"
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
charset="windows-1255"
name= "%s%s"
Content-Disposition: attachment; filename="%s%s"
Support
No.reply
8.txtt:
8.htmt2
8.rtft*
8.doct"
8.bdxt
8.phpt
8.jspt
8.cgit
smtp
ws2_32.dll
ADVAPI32.DLL
RegOpenKeyExA
RegCloseKey
User32.dll
fs_snap.exe
arnsec.exe
ISABL~1.EXE
8.exe
8.scrtt
8.avitJ
8.doctB
8.mp3t:
8.mpgt2
8.xlst*
8.jpgt"
8.zipt
8.isot
8.pdft
8.pptt
8.rart
D:\fs_snap.exe
SFC.DLL
Pjjaiqq.rrzr
D:\jjaiqq.rrzr
ReadMe.exe
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\yjrrzi.iirqbiqj
WinExec
GetWindowsDirectoryA
FPTBAWDRF-INOCPANDANTIAMONN32SNOD3NPSSSMSSSCANZONEPROTMONIRWEBMIRCCKDOTROJSAFEJEDITRAYANDASPIDPLORNDLLTRENNSPLNSCHSYSTALERj
yyyryry.cmd
.text
.rsrc
gu>%uM
~nt.ex
CrToMaPh
hPRIVMSG %s :
kernel32.dll
.%suld nb
KERNEL32.dll
2'3.3`3}3
0M1e1w1}1-2x2

yyyryry.cmd_224:

.text
.rsrc
\WindowsUpdt.exe
irc.undernet.org
__MSVCRT_HEAP_SELECT
user32.dll
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
InternetOpenUrlA
WININET.dll
GetCPInfo
url1.dat
PRIVMSG %s :Operations Stoped
PRIVMSG %s :Wasting %s
PRIVMSG %s :Udp Floding %s
-!udp_flood
PRIVMSG %s :%s Downloaded&executed
1.exe
-!download_exe
PRIVMSG %s :Login Success
-!login
PRIVMSG
%*s %s %*s %s %s %s
MODE %s  nsk %s
JOIN %s %s
PONG %s
NICK %s
USER %s 8 * :%s
Software\Microsoft\Windows\CurrentVersion\Run
2372057707
D:\yyyryry.cmd
kernel32.dll
.%suld nb

yyyryry.cmd_224_rwx_00401000_0000F000:

\WindowsUpdt.exe
irc.undernet.org
__MSVCRT_HEAP_SELECT
user32.dll
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
WS2_32.dll
InternetOpenUrlA
WININET.dll
GetCPInfo
url1.dat
PRIVMSG %s :Operations Stoped
PRIVMSG %s :Wasting %s
PRIVMSG %s :Udp Floding %s
-!udp_flood
PRIVMSG %s :%s Downloaded&executed
1.exe
-!download_exe
PRIVMSG %s :Login Success
-!login
PRIVMSG
%*s %s %*s %s %s %s
MODE %s  nsk %s
JOIN %s %s
PONG %s
NICK %s
USER %s 8 * :%s
Software\Microsoft\Windows\CurrentVersion\Run
2372057707
D:\yyyryry.cmd
kernel32.dll
.%suld nb


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dwwin.exe:276
    %original file name%.exe:1716

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %Documents and Settings%\%current user%\Local Settings\Temp\FAC44.dmp (71722 bytes)
    %WinDir%\xwrm.exe (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a0dc_appcompat.txt (6214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yjrrzi.iirqbiqj (60 bytes)
    %System%\WindowsUpdt.exe (19 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "x32x" = "%WinDir%\xwrm.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WihdowsUpdate" = "%System%\WindowsUpdt.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now