» windgdotm7_1692
Overview
Analysis
File Details
Downloads (1)

windgdotm7_1692

winsys

The file windgdotm7_1692 by winsys has been detected as adware by 17 anti-malware scanners. This is a trojan Bot that uses IRC to communicate with a comand and control network. The Trojan drops other malicious software and opens a backdoor on the infected computer and will run automatically on each boot. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from down.windgdo.com.

File name:

windgdotm7_1692

Publisher:

winsys (signed and verified)

MD5:

c5f50baac5503cc04607595a488a9d3c

SHA-1:

fe4d1c3d0b3615a7946d2597e1443b450afa6a57

SHA-256:

9688b411eb81d0859d63a97eab4faffeae561f133e090ee80a18f5a88f85c6e1

Scanner detections:

17 / 68

Status:

Adware

Explanation:

Part of a backdoor IRC bot network.

Analysis date:

5/10/2024 10:05:50 PM UTC (today)

Scan engine

Detection

Engine version

AhnLab V3 Security

PUP/Win32.WindoGuide

2015.03.20

Avira AntiVirus

TR/Crypt.TPM.Gen

7.11.218.126

avast!

Win32:Adware-gen [Adw]

2014.9-150323

Comodo Security

ApplicUnwnt

21464

ESET NOD32

Win32/AdWare.KeywordFind (variant)

9.11346

Fortinet FortiGate

Riskware/KeywordFind

3/23/2015

F-Prot

W32/Themida_Packed

v6.4.7.1.166

G Data

Win32.Application.Agent.TL3PGC

15.3.25

K7 AntiVirus

Adware

13.202.15316

McAfee

Artemis!C5F50BAAC550

5600.6817

NANO AntiVirus

Trojan.Win32.Bifrose.djeicz

0.30.8.659

Qihoo 360 Security

HEUR/QVM19.1.Malware.Gen

1.0.0.1015

Reason Heuristics

PUP.winsys

15.3.23.22

Sophos

Generic PUA PO

4.98

Trend Micro House Call

TROJ_GEN.R02SC0EAV15

7.2.82

Trend Micro

TROJ_GEN.R02SC0EAV15

10.465.23

VIPRE Antivirus

Backdoor.Win32.Ircbot.gen

38570

File size:

967.5 KB (990,768 bytes)

Common path:

C:\users\{user}\appdata\local\temp\windgdotm7_1692

Digital Signature

Signed by:

winsys

Authority:

Thawte, Inc.

Valid from:

9/4/2013 9:00:00 AM

Valid to:

9/5/2015 8:59:59 AM

Subject:

CN=winsys, OU=Dev. Team, O=winsys, L=Gangnam-gu, S=SEOUL, C=KR

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

53E706A67C7D616DD8A05245E798A712

File PE Metadata

Compilation timestamp:

6/20/1992 7:22:17 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

24576:39USUKdMddO+NdrwJ/KrF1sF3uXGnZxAR7+ebrW8cBWp:39USUKOdOsdctpnoRCeO8ce

Entry address:

0x218000

Entry point:

83, EC, 04, 50, 53, E8, 01, 00, 00, 00, CC, 58, 8B, D8, 40, 2D, 00, 80, 0B, 00, 2D, 5D, 36, 5F, 00, 05, 52, 36, 5F, 00, 80, 3B, CC, 75, 19, C6, 03, 00, BB, 00, 10, 00, 00, 68, 68, 4B, 6E, 1F, 68, 8E, E0, 48, 11, 53, 50, E8, 0A, 00, 00, 00, 83, C0, 00, 89, 44, 24, 08, 5B, 58, C3, 55, 8B, EC, 60, 8B, 75, 08, 8B, 4D, 0C, C1, E9, 02, 8B, 45, 10, 8B, 5D, 14, EB, 08, 31, 06, 01, 1E, 83, C6, 04, 49, 0B, C9, 75, F4, 61, C9, C2, 10, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Entropy:

7.5167

Code size:

403 KB (412,672 bytes)

The file windgdotm7_1692 has been seen being distributed by the following URL.

http://down.windgdo.com/wdg3/.../windgdou.exe

Remove windgdotm7_1692 - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.