Worm.Generic
Risk Level 1
 
File Size: 359936 KB
File Type: Portable Executable 32
File Name: virussign.com_6dd17acf387b5b72f630c7cb77c67e80.vir
MD5: 6dd17acf387b5b72f630c7cb77c67e80
SHA1: 79a0fdb879297545bfa51006de310d819b84ec85
SHA256: ffe60d2673f10aa6564f1a8391b7410701a8cd1656b9c6e7aa

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\6dd17acf387b5b72f630c7cb77c67e80.exe

Changes to registry :

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Modifies value "ExceptionRecord=050000C0000000000000000085A4120002000000010000004000B6763F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000BF7F4000000000006CF01200" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
old value "ExceptionRecord=050000C000000000000000002F121D000200000000000000000000003F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000"
* Modifies value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_6dd17acf387b5b72_7bfc7cc24926bc63c83655bb6a44df71bb5444_cab_0ca2cb8a" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
old value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_Revouninstaller._6a943e15864e38bbaaead9cbb69c28caa679c_cab_044a28a8"
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Modifies value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_6dd17acf387b5b72_7bfc7cc24926bc63c83655bb6a44df71bb5444_cab_0ca2cb8a" in key HKEY_CURRENT_USER\software\Microsoft\Windows\Windows Error Reporting\Debug
old value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_Revouninstaller._6a943e15864e38bbaaead9cbb69c28caa679c_cab_044a28a8"
binary data=43003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C004C006F00630061006C005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C005700450052005C005200650070006F0072007400510075006500750065005C004E006F006E0043007200690074006900630061006C005F005200650076006F0075006E0069006E007300740061006C006C00650072002E005F0036006100390034003300650031003500380036003400650033003800620062006100610065006100640039006300620062003600390063003200380063006100610036003700390063005F006300610062005F00300034003400610032003800610038000000
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

Changes to filesystem:

* Creates file C:\Users\cognus\AppData\Local\CrashDumps\6dd17acf387b5b72f630c7cb77c67e80.exe.1680.dmp
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_6dd17acf387b5b72_7bfc7cc24926bc63c83655bb6a44df71bb5444_cab_0ca2cb8a\Report.wer
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_6dd17acf387b5b72_7bfc7cc24926bc63c83655bb6a44df71bb5444_cab_0ca2cb8a\WERBF0C.tmp.appcompat.txt
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_6dd17acf387b5b72_7bfc7cc24926bc63c83655bb6a44df71bb5444_cab_0ca2cb8a\WERC064.tmp.WERInternalMetadata.xml
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_6dd17acf387b5b72_7bfc7cc24926bc63c83655bb6a44df71bb5444_cab_0ca2cb8a\WERC101.tmp.hdmp
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_6dd17acf387b5b72_7bfc7cc24926bc63c83655bb6a44df71bb5444_cab_0ca2cb8a\WERC729.tmp.mdmp

Network services:

* No changes

Process/window/string information:

* Checks for debuggers.
* Creates process "C:\Windows\system32\WerFault.exe, C:\Windows\system32\WerFault.exe -u -p 1680 -s 220, C:\Windows\system32".
* Injects code into process "C:\Windows\System32\WerFault.exe".
* Enumerates running processes.
* Creates a mutex "Local\WERReportingForProcess1680".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "Global\e7460959-2be3-11e6-a9a5-000c29ba35ca".
* Enables privilege SeShutdownPrivilege.
* Enables process privileges.

Additional Information:

How To Remove virussign.com_6dd17acf387b5b72f630c7cb77c67e80.vir

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Full scan your computer, or the folder where virussign.com_6dd17acf387b5b72f630c7cb77c67e80.vir is located.
4. Once the scan is finished, you’ll get the message “scan is complete”. Click the OK button to get the results.
5. Then delete the threat from the table.
