Categories: Malware

What is “Exploit:Win32/DDEDownloader!ml”?

The Exploit:Win32/DDEDownloader!ml is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Exploit:Win32/DDEDownloader!ml virus can do?

Executable code extraction
Creates RWX memory
Expresses interest in specific running processes
Reads data out of its own binary image
Drops a binary and executes it
Detects Sandboxie through the presence of a library
Checks for the presence of known windows from debuggers and forensic tools
The following process appear to have been packed with Themida: 6.exe, lv.exe, 4.exe
Network activity detected but not expressed in API logs
Attempts to identify installed AV products by installation directory
Checks for the presence of known devices from debuggers and forensic tools
Detects the presence of Wine emulator via registry key
Checks the version of Bios, possibly for anti-virtualization
Detects VirtualBox through the presence of a registry key
Anomalous binary characteristics

How to determine Exploit:Win32/DDEDownloader!ml?


File Info:
crc32: F935C474md5: b50087cc5e9bd6ba7f675ffc7baaa51cname: B50087CC5E9BD6BA7F675FFC7BAAA51C.mlwsha1: 46f8a0bcb299ee4cedfbfe69d465f30c99d8f486sha256: 2170c3133ee9e4ea8546a695ac58ada27602dc24d56f573cffac9aa3c69adff6sha512: 543dff1ca2edfb099abecf6eb2c99f716fcfc2c71968db59f56b75cf04c28acc58ae4c8a8c6a9bca6411fa601b757f460fb27166b482184ad795d24466ffe17essdeep: 98304:tLHu1g6D70sCZa9eNz9MkS7HSLs6igh/2/OEvEvI1fUj756vaO7fGPDEkbnBHmyp:tj6Ya9eNa77HSLs/CL6V1fUApGbEkLBBtype: PE32 executable (GUI) Intel 80386, for MS Windows
Version Info:
LegalCopyright: HolaroksProductVersion: 5.61.47.0FileVersion: 5.61.47.0FileDescription: Translation: 0x0000 0x04b0

Exploit:Win32/DDEDownloader!ml also known as:

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.44991706
FireEye	Generic.mg.b50087cc5e9bd6ba
ALYac	Trojan.GenericKD.44991706
Malwarebytes	Trojan.MalPack.Themida
Sangfor	Malware
K7AntiVirus	Trojan ( 0056e5201 )
BitDefender	Trojan.GenericKD.44991706
K7GW	Trojan ( 0056e5201 )
Cyren	W32/Agent.BXE.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan-Dropper.Win32.Scrop.vho
Alibaba	Packed:Win32/Themida.67521eac
AegisLab	Trojan.Win32.Scrop.b!c
Rising	Trojan.Generic@ML.100 (RDMK:45M0Mwd4aqZKrFVFvAKLyA)
Ad-Aware	Trojan.GenericKD.44991706
Emsisoft	Trojan.GenericKD.44991706 (B)
Comodo	Malware@#23ifvd2vmmucb
F-Secure	Heuristic.HEUR/AGEN.1102892
DrWeb	Trojan.PWS.Stealer.29663
McAfee-GW-Edition	BehavesLike.Win32.Dropper.tc
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.Themida
Webroot	W32.Trojan.Gen
Avira	TR/Drop.Scrop.muyim
MAX	malware (ai score=88)
Microsoft	Exploit:Win32/DDEDownloader!ml
Arcabit	Trojan.Generic.D2AE84DA
ZoneAlarm	HEUR:Trojan-Dropper.Win32.Scrop.vho
GData	Win32.Trojan-Stealer.CoinStealer.8AU0ZT
Cynet	Malicious (score: 100)
AhnLab-V3	Malware/Win32.Generic.C4261745
McAfee	Artemis!B50087CC5E9B
VBA32	TScope.Malware-Cryptor.SB
Cylance	Unsafe
Panda	Trj/CI.A
ESET-NOD32	multiple detections
TrendMicro-HouseCall	TROJ_GEN.R002H0CLC20
SentinelOne	Static AI – Suspicious PE
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Generic!tr
BitDefenderTheta	Gen:NN.ZexaF.34688.TzWaai!blde
AVG	Win32:TrojanX-gen [Trj]
Paloalto	generic.ml
Qihoo-360	Win32/Trojan.Dropper.273