Jump to content

clipboard virus?


Recommended Posts

My computer is with some virus that every time I try to copy my personal address(my crypto wallet address), this address appears when I paste it. The same as the original message: 0x80191032fB4d309501d2EBc09a1A7d7F2941C8C1 (this is not my address)

at the same time i receive a notification from node32 that threat removed but i still have the problem.


Edited by Saeedqd
add something
Link to comment
Share on other sites



Technical Details

The Vjw0rm worm is a malicious JavaScript file that spreads by creating copies of itself on accessible removable storage devices.

While active, the worm sends a network request to its C&C server every 7 seconds, providing information about the infected machine and awaiting additional instructions from its operator(s). If it receives instructions, the worm can execute them on the infected machine.


This worm can arrive on a computer in several ways:

  1. From an infected removable storage device
  2. Via drive by download
  3. Downloaded or dropped onto the computer by other malware


Once it is present on a computer, the worm can propagate or spread copies of its malicious file by infecting removable storage devices that are inserted and accessible. It does so by performing the following set of actions every 7 seconds:

  1. Identify removal storage devices that are inserted and accessible, using IsReady and DriveType.
  2. Copy the vjw0rm script file into the device's root directory:
    1. Set the script file's attributes as hidden and system
  3. Enumerate all folders and files within the root directory:
    1. Set their attributes to hidden and system (file attributes constant: 0x06 (0x04 + 0x02))
    2. Create a shortcut for each folder/file:
      1. Set the shortcut's icon:
        1. Files: Search for the default icon from registry based on the extension
        2. Folder: Default folder icon from registry
      2. Set the shortcut's target path:
        1. Files: "cmd.exe /c start <dropped_vjw0rm_ScriptName> &start <original_files_path> &exit"
        2. Folder: "cmd.exe /c start <dropped_vjw0rm_ScriptName> &start explorer <original_folders_path> &exit"


In addition to propagating itself to maintain its presence, the worm can remain persistent on the infected machine in several ways:

  1. It creates a scheduled task (named 'Skype') that executes the worm's script every 30 minutes
  2. It copies itself to the Startup folder, so that the worm is started each time the machine is booted up
  3. It adds itself to the startup registry folder

Network activity

Vjw0rm contacts a remote C&C server to provide its operator(s) with information about the infected machine, as well as to retrieve any additional instructions they may issue.


Every 7 seconds, the worm sends a POST request with a custom User-Agent to its C&C server. This allows the worm's operator(s) to identify which infected machines are online (and so are available to receive commands), as well as providing some basic information about the machines.

The request can be defined as:

POST [host]:[port]/Vre
User-Agent: [tag]\[logicaldiskserialnum]\[computername]\[username] \[osnamever]\[avdisplayname]\\[vbc_exist]\[prev_infected]\


Edited by itman
Link to comment
Share on other sites

3 hours ago, Saeedqd said:

0x80191032fB4d309501d2EBc09a1A7d7F2941C8C1 (this is not my address)


The Address 0x80191032fb4d309501d2ebc09a1a7d7f2941c8c1 page allows users to view transactions, balances, token holdings and transfers of ERC-20


Link to comment
Share on other sites

27 minutes ago, itman said:

yes this is a scam address that stealing people crypto assets.

there are several user at reddit reporting same problem like mine whith this specific address.

Edited by Saeedqd
Link to comment
Share on other sites

1 minute ago, Marcos said:

Please provide C:\WINDOWS\msvcp140_2 Microsoft_Product_Version_gHOwPxYo4V9Hmn. Do not delete the file yet until I confirm the receipt of the file.

ok done.

actually i deleted this file couple hours age but didn't make any difference about my situation so i restored it again!


Link to comment
Share on other sites

10 minutes ago, itman said:

Here's an example detailed analysis of this malware: https://www.joesandbox.com/analysis/391271/0/lighthtml

The way its executing JavaScript at system startup is nothing I have ever see before:


i downloaded a bunch of anti malware and antivirus software and none of them detected this. only eset manage to find out about the treat but it seems can't eliminate it.

i tried: malwarebytes , kaspersky , Emsisoft, windows defender and some more apps.

Edited by Saeedqd
Link to comment
Share on other sites

Eset detects the dropper .exe shown in the Joe's Sandbox analysis.

However, the subsequent processing done by it is all Windows "living off the land" technique based. As such, I assume someone just "packaged" this processing differently.

Link to comment
Share on other sites

15 minutes ago, Marcos said:

Besides C:\WINDOWS\msvcp140_2, provide also Microsoft_Product_Version_gHOwPxYo4V9Hmn, most likely located under c:\windows too.

I can't find it. sorry.looked and searched everywhere

Link to comment
Share on other sites

1 hour ago, Marcos said:

The script you've supplied will be detected as JS/Kryptik.CCM trojan shortly. Let us know should the problem persist. We'd need a Procmon boot log then.

yes it was detected as JS/Kryptik.CCM trojan and deleted.

Thank u very much. it seems my problem solved!
but i will my eyes open om my clipboard for a little while in case the trojan like to come back in my pc again!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...