Worm.Generic
Risk Level 1

File Size: 28864 KB
File Type: Portable Executable 32
File Name: virussign.com_0e24cc74bbb7b6a97334a49f9ad81680.vir
MD5: 0e24cc74bbb7b6a97334a49f9ad81680
SHA1: 7d201b991fd247e2851438503369ee59e4d6eb10
SHA256: ffba3d9e9acb1747dca0797386bcb4cf83f2519e530b91c5ea

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\7 June 2016\New folder\Sample\0e24cc74bbb7b6a97334a49f9ad81680.exe

Changes to registry:

* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Daemon
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\0e24cc74bbb7b6a97334a49f9ad81680_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\0e24cc74bbb7b6a97334a49f9ad81680_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\0e24cc74bbb7b6a97334a49f9ad81680_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\0e24cc74bbb7b6a97334a49f9ad81680_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\0e24cc74bbb7b6a97334a49f9ad81680_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\0e24cc74bbb7b6a97334a49f9ad81680_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\0e24cc74bbb7b6a97334a49f9ad81680_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\0e24cc74bbb7b6a97334a49f9ad81680_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\services_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\services_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\services_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\services_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\services_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\services_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\services_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\services_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "JavaVM=C:\Windows\java.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
binary data=43003A005C00570069006E0064006F00770073005C006A006100760061002E006500780065000000
* Creates value "Services=C:\Windows\services.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
binary data=43003A005C00570069006E0064006F00770073005C00730065007200760069006300650073002E006500780065000000
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Modifies value "ExceptionRecord=050000C00000000000000000906BCC7702000000010000005030312E3F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
old value "ExceptionRecord=050000C000000000000000002F121D000200000000000000000000003F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000"
* Modifies value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_0e24cc74bbb7b6a9_ee7ac6e3a14b48c6f1ad8977ccc746c65e5c97f_cab_0b7945b7" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
old value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_Revouninstaller._6a943e15864e38bbaaead9cbb69c28caa679c_cab_044a28a8"
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Creates Registry key HKEY_CURRENT_USER\software\Microsoft\Daemon
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Modifies value "SavedLegacySettings=4600000025000000090000000000000000000000000000000400000000000000909F87AE2BBED101000000000000000000000000020000001700000000000000FE800000000000001466833CA0278AEB0B00000020CFAA0FB8CDAA0FB8CDAA0F18CEAA0F18CEAA0FB8CDAA0FB8CDAA0FB8CDAA0FB8CDAA0F10CDAA0F10CDAA0F10D9AA0F10D9AA0F28D3AA0F28D3AA0FB8CDAA0FB8CDAA0F98CFAA0F98CFAA0F90CEAA0F90CEAA0F08CFAA0F08CFAA0FB8CDAA0FB8CDAA0F02000000C0A8BA80000000000000000000B3AA0F00B3AA0F40CDAA0F40CDAA0FB8CDAA0FB8CDAA0FB8CDAA0FB8CDAA0FA0B8AA0FA0B8AA0FB8CDAA0FB8CDAA0FB8CDAA0FB8CDAA0F78CEAA0F78CEAA0FB8CDAA0FB8CDAA0F00CEAA0F00CEAA0F60CEAA0F60CEAA0FB8CDAA0FB8CDAA0F48CEAA0F48CEAA0FB8CDAA0FB8CDAA0F" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=…"
* Modifies value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_0e24cc74bbb7b6a9_ee7ac6e3a14b48c6f1ad8977ccc746c65e5c97f_cab_0b7945b7" in key HKEY_CURRENT_USER\software\Microsoft\Windows\Windows Error Reporting\Debug
old value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_Revouninstaller._6a943e15864e38bbaaead9cbb69c28caa679c_cab_044a28a8"
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

Changes to filesystem:

* Creates file C:\Windows\java.exe
* Creates file C:\Windows\services.exe
* Creates file C:\Users\cognus\AppData\Local\CrashDumps\0e24cc74bbb7b6a97334a49f9ad81680.exe.3608.dmp
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_0e24cc74bbb7b6a9_ee7ac6e3a14b48c6f1ad8977ccc746c65e5c97f_cab_0b7945b7\Report.wer
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_0e24cc74bbb7b6a9_ee7ac6e3a14b48c6f1ad8977ccc746c65e5c97f_cab_0b7945b7\WER3746.tmp.appcompat.txt
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_0e24cc74bbb7b6a9_ee7ac6e3a14b48c6f1ad8977ccc746c65e5c97f_cab_0b7945b7\WER388E.tmp.WERInternalMetadata.xml
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_0e24cc74bbb7b6a9_ee7ac6e3a14b48c6f1ad8977ccc746c65e5c97f_cab_0b7945b7\WER390C.tmp.hdmp
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_0e24cc74bbb7b6a9_ee7ac6e3a14b48c6f1ad8977ccc746c65e5c97f_cab_0b7945b7\WER406D.tmp.mdmp
* Creates file C:\Users\cognus\AppData\Local\Temp\odobg1ncJ.log
* Creates file C:\Users\cognus\AppData\Local\Temp\zincite.log

Network services:

* Backdoor functionality on port 1034.
* Queries DNS "mail.revouninstaller.com".
* Queries DNS "dns.msftncsi.com".
* C:\Users\cognus\Desktop\Analyzed Viruses\7 June 2016\New folder\Sample\0e24cc74bbb7b6a97334a49f9ad81680.exe Connects to "104.130.54.195" on port 25 (TCP - SMTP).

Process/window/string information:

* Gets user name information.
* Checks for debuggers.
* Creates process "null, "C:\Windows\services.exe", null".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\drive\C\Windows\services.exe".
* Opens a service named "rasman".
* Opens a service named "Sens".
* Creates process "C:\Windows\system32\WerFault.exe, C:\Windows\system32\WerFault.exe -u -p 3608 -s 876, C:\Windows\system32".
* Injects code into process "C:\Windows\System32\WerFault.exe".
* Enumerates running processes.
* Creates a mutex "Local\WERReportingForProcess3608".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "Global\b9026083-2ca3-11e6-8abd-000c29ba35ca".
* Enables privilege SeShutdownPrivilege.
* Enables process privileges.
* Sleeps 161 seconds.

Additional Information:

How To Remove virussign.com_0e24cc74bbb7b6a97334a49f9ad81680.vir

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where virussign.com_0e24cc74bbb7b6a97334a49f9ad81680.vir is located.
4. Once the scan is finished, you will get the message "scan is complete". Click the OK button to see the results.
5. Then delete the threat from the table.
