Worm.Generic
Risk Level 1
File Size : 57856 KB
File Type : Portable Executable 32
File Name : virussign.com_a0c066b857995c1c0e9582d0d5526f40.vir
MD5 : a0c066b857995c1c0e9582d0d5526f40
SHA1 : d30e8d5fa93e5fdf3c2428e581c9a5fefa4066a6
SHA256 : 768850b93243552a70efa64ac3847fd4744c773e652e407f58

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\8 June 2016\New folder\Samples\a0c066b857995c1c0e9582d0d5526f40.exe

Changes to registry :

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Modifies value "ExceptionRecord=050000C00000000000000000000000000200000000000000000000003F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
old value "ExceptionRecord=050000C000000000000000002F121D000200000000000000000000003F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000"
* Modifies value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_a0c066b857995c1c_3821ad5f8633eab876842fff96c59b9cc38132_cab_06f754c5" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
old value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_Revouninstaller._6a943e15864e38bbaaead9cbb69c28caa679c_cab_044a28a8"
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Modifies value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_a0c066b857995c1c_3821ad5f8633eab876842fff96c59b9cc38132_cab_06f754c5" in key HKEY_CURRENT_USER\software\Microsoft\Windows\Windows Error Reporting\Debug
binary data=43003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C004C006F00630061006C005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C005700450052005C005200650070006F0072007400510075006500750065005C00410070007000430072006100730068005F0061003000630030003600360062003800350037003900390035006300310063005F00330038003200310061006400350066003800360033003300650061006200380037003600380034003200660066006600390036006300350039006200390063006300330038003100330032005F006300610062005F00300036006600370035003400630035000000
old value "StoreLocation=C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_Revouninstaller._6a943e15864e38bbaaead9cbb69c28caa679c_cab_044a28a8"
binary data=43003A005C00550073006500720073005C0063006F0067006E00750073005C0041007000700044006100740061005C004C006F00630061006C005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C005700450052005C005200650070006F0072007400510075006500750065005C004E006F006E0043007200690074006900630061006C005F005200650076006F0075006E0069006E007300740061006C006C00650072002E005F0036006100390034003300650031003500380036003400650033003800620062006100610065006100640039006300620062003600390063003200380063006100610036003700390063005F006300610062005F00300034003400610032003800610038000000
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

Changes to filesystem:

* Creates file C:\Users\cognus\AppData\Local\CrashDumps\a0c066b857995c1c0e9582d0d5526f40.exe.716.dmp
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_a0c066b857995c1c_3821ad5f8633eab876842fff96c59b9cc38132_cab_06f754c5\Report.wer
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_a0c066b857995c1c_3821ad5f8633eab876842fff96c59b9cc38132_cab_06f754c5\WER4C2D.tmp.appcompat.txt
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_a0c066b857995c1c_3821ad5f8633eab876842fff96c59b9cc38132_cab_06f754c5\WER4D76.tmp.WERInternalMetadata.xml
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_a0c066b857995c1c_3821ad5f8633eab876842fff96c59b9cc38132_cab_06f754c5\WER4E13.tmp.hdmp
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_a0c066b857995c1c_3821ad5f8633eab876842fff96c59b9cc38132_cab_06f754c5\WER5229.tmp.mdmp

Network services:

* No changes

Process/window/string information:

* Checks for debuggers.
* Creates process "C:\Windows\system32\WerFault.exe, C:\Windows\system32\WerFault.exe -u -p 716 -s 104, C:\Windows\system32".
* Injects code into process "C:\Windows\System32\WerFault.exe".
* Enumerates running processes.
* Creates a mutex "Local\WERReportingForProcess716".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "Global\307a0438-2d45-11e6-8aba-000c29ba35ca".
* Enables privilege SeShutdownPrivilege.
* Enables process privileges.

Additional Information:

How To Remove virussign.com_a0c066b857995c1c0e9582d0d5526f40.vir

1. Download Sniper free antivirus for PC.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where virussign.com_a0c066b857995c1c0e9582d0d5526f40.vir is located.
4. Once the scan is finished, you will get the message "scan is complete". Click the OK button to see the results.
5. Then delete the threat from the table.
