reader_sl.exe

AkelPad

The executable reader_sl.exe, whose file description reads “AkelPad (x86) text editor”, has been detected as malware by 25 of the 68 anti-virus scanners used. It is set to start automatically when a user logs into Windows, via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), under the display name ‘Rwdmdd’. This worm can steal user names and passwords by monitoring network communication, block websites, and launch a denial-of-service (DoS) attack.
Product:
AkelPad

Description:
AkelPad (x86) text editor

Version:
0, 0, 0, 0

MD5:
89c736dbc7d0ec3c9002af1e21c78c59

SHA-1:
5ec8c000e53a5482871140e13f228a2de719bb0b

SHA-256:
b1654ffe67d85e22edd1a7f6c0bc6318f21032fa29a577dc8e06f5085ff5bd35

Scanner detections:
25 / 68

Status:
Malware

Analysis date:
4/19/2024 3:25:08 AM UTC

Scan engine: detection (engine version)

Lavasoft Ad-Aware: Trojan.GenericKD.1767454 (918)
AhnLab V3 Security: Dropper/Win32.Necurs (2014.07.23)
Avira AntiVirus: TR/Crypt.Xpack.90996 (7.11.163.130)
avast!: Win32:Malware-gen (2014.9-140731)
AVG: BackDoor.SmallX (2015.0.3396)
Baidu Antivirus: Worm.Win32.Ngrbot (4.0.3.14731)
Bitdefender: Trojan.GenericKD.1767454 (1.0.20.1060)
Bkav FE: HW32.Laneul (1.3.0.4959)
Dr.Web: Trojan.Betabot.3 (9.0.1.0212)
Emsisoft Anti-Malware: Trojan.GenericKD.1767454 (8.14.07.31.04)
ESET NOD32: Win32/Dorkbot (8.10139)
Fortinet FortiGate: W32/Dorkbot.B!worm (7/31/2014)
F-Secure: Trojan.GenericKD.1767454 (11.2014-31-07_5)
G Data: Trojan.GenericKD.1767454 (14.7.24)
Kaspersky: Worm.Win32.Ngrbot (14.0.0.3477)
Malwarebytes: Trojan.Ransom.ED (v2014.07.31.04)
McAfee: Artemis!89C736DBC7D0 (5600.7052)
Microsoft Security Essentials: Worm:Win32/Dorkbot.I (1.10802)
MicroWorld eScan: Trojan.GenericKD.1767454 (15.0.0.636)
NANO AntiVirus: Trojan.Win32.Androm.dcncqe (0.28.2.60990)
Panda Antivirus: Trj/Genetic.gen (14.07.31.04)
Sophos: Mal/Generic-S (4.98)
Trend Micro House Call: TROJ_GEN.R0CBC0DGM14 (7.2.212)
Trend Micro: TROJ_GEN.R0CBC0DGM14 (10.465.31)
VIPRE Antivirus: Trojan.Win32.Generic (31516)

File size:
209.5 KB (214,528 bytes)

Product version:
0, 0, 0, 0

Copyright:
Copyright © AkelSoft 2003-2011

Original file name:
AkelPad.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\reader_sl.exe

File PE Metadata
Compilation timestamp:
7/31/2014 4:28:03 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:djmKgbVOU5jwDIBoUBcLbjwvvnX5Yg14RVaaGVCYnCO3a2/adWxRp:djvSoRPYvJzbroON4Wx

Entry address:
0x396B

Entry point:
E8, 1F, 7B, 00, 00, E9, 1E, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, 33, C9, 3B, 04, CD, 08, A2, 41, 00, 74, 13, 41, 83, F9, 2D, 72, F1, 8D, 48, ED, 83, F9, 11, 77, 0E, 6A, 0D, 58, 5D, C3, 8B, 04, CD, 0C, A2, 41, 00, 5D, C3, 05, 44, FF, FF, FF, 6A, 0E, 59, 3B, C8, 1B, C0, 23, C1, 83, C0, 08, 5D, C3, E8, B1, 1C, 00, 00, 85, C0, 75, 06, B8, 70, A3, 41, 00, C3, 83, C0, 08, C3, E8, 9E, 1C, 00, 00, 85, C0, 75, 06, B8, 74, A3, 41, 00, C3, 83, C0, 0C, C3, 8B, FF, 55, 8B, EC, 56, E8, E2, FF, FF, FF, 8B, 4D, 08...

Entropy:
7.3707

Code size:
72.5 KB (74,240 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Rwdmdd

Command:
C:\users\{user}\appdata\roaming\microsoft\windows\rwdmdd.exe


Remove reader_sl.exe - Powered by Reason Core Security