windgdotm7_1692

winsys

The file windgdotm7_1692 by winsys has been detected as adware by 17 anti-malware scanners. This is a trojan Bot that uses IRC to communicate with a comand and control network. The Trojan drops other malicious software and opens a backdoor on the infected computer and will run automatically on each boot. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from down.windgdo.com.
Publisher:
winsys  (signed and verified)

MD5:
c5f50baac5503cc04607595a488a9d3c

SHA-1:
fe4d1c3d0b3615a7946d2597e1443b450afa6a57

SHA-256:
9688b411eb81d0859d63a97eab4faffeae561f133e090ee80a18f5a88f85c6e1

Scanner detections:
17 / 68

Status:
Adware

Explanation:
Part of a backdoor IRC bot network.

Analysis date:
12/26/2024 4:29:57 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.WindoGuide
2015.03.20

Avira AntiVirus
TR/Crypt.TPM.Gen
7.11.218.126

avast!
Win32:Adware-gen [Adw]
2014.9-150323

Comodo Security
ApplicUnwnt
21464

ESET NOD32
Win32/AdWare.KeywordFind (variant)
9.11346

Fortinet FortiGate
Riskware/KeywordFind
3/23/2015

F-Prot
W32/Themida_Packed
v6.4.7.1.166

G Data
Win32.Application.Agent.TL3PGC
15.3.25

K7 AntiVirus
Adware
13.202.15316

McAfee
Artemis!C5F50BAAC550
5600.6817

NANO AntiVirus
Trojan.Win32.Bifrose.djeicz
0.30.8.659

Qihoo 360 Security
HEUR/QVM19.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.winsys
15.3.23.22

Sophos
Generic PUA PO
4.98

Trend Micro House Call
TROJ_GEN.R02SC0EAV15
7.2.82

Trend Micro
TROJ_GEN.R02SC0EAV15
10.465.23

VIPRE Antivirus
Backdoor.Win32.Ircbot.gen
38570

File size:
967.5 KB (990,768 bytes)

Common path:
C:\users\{user}\appdata\local\temp\windgdotm7_1692

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
9/4/2013 9:00:00 AM

Valid to:
9/5/2015 8:59:59 AM

Subject:
CN=winsys, OU=Dev. Team, O=winsys, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
53E706A67C7D616DD8A05245E798A712

File PE Metadata
Compilation timestamp:
6/20/1992 7:22:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:39USUKdMddO+NdrwJ/KrF1sF3uXGnZxAR7+ebrW8cBWp:39USUKOdOsdctpnoRCeO8ce

Entry address:
0x218000

Entry point:
83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, 80, 0B, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 68, 4B, 6E, 1F, 68, 8E, E0, 48, 11, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.5167

Code size:
403 KB (412,672 bytes)

The file windgdotm7_1692 has been seen being distributed by the following URL.

Remove windgdotm7_1692 - Powered by Reason Core Security