Saeedqd, posted December 28, 2021:
My computer has some virus: every time I try to copy my personal address (my crypto wallet address), this address appears when I paste it. The same as the original message: 0x80191032fB4d309501d2EBc09a1A7d7F2941C8C1 (this is not my address). At the same time I receive a notification from NOD32 that a threat was removed, but I still have the problem.
Marcos (Administrator), posted December 28, 2021:
Please provide logs collected with ESET Log Collector for a start.
itman, posted December 28, 2021:
FYI.

Quote (F-Secure, https://www.f-secure.com/v-descs/worm_js_vjw0rm.shtml):

Technical Details
The Vjw0rm worm is a malicious JavaScript file that spreads by creating copies of itself on accessible removable storage devices. While active, the worm sends a network request to its C&C server every 7 seconds, providing information about the infected machine and awaiting additional instructions from its operator(s). If it receives instructions, the worm can execute them on the infected machine.

Arrival
This worm can arrive on a computer in several ways:
- From an infected removable storage device
- Via drive-by download
- Downloaded or dropped onto the computer by other malware

Propagation
Once it is present on a computer, the worm can propagate or spread copies of its malicious file by infecting removable storage devices that are inserted and accessible. It does so by performing the following set of actions every 7 seconds:
- Identify removable storage devices that are inserted and accessible, using IsReady and DriveType.
- Copy the vjw0rm script file into the device's root directory; set the script file's attributes as hidden and system.
- Enumerate all folders and files within the root directory; set their attributes to hidden and system (file attributes constant: 0x06 (0x04 + 0x02)).
- Create a shortcut for each folder/file:
  - Set the shortcut's icon: Files: search for the default icon from the registry based on the extension. Folder: default folder icon from the registry.
  - Set the shortcut's target path: Files: "cmd.exe /c start <dropped_vjw0rm_ScriptName> &start <original_files_path> &exit". Folder: "cmd.exe /c start <dropped_vjw0rm_ScriptName> &start explorer <original_folders_path> &exit".

Persistence
In addition to propagating itself to maintain its presence, the worm can remain persistent on the infected machine in several ways:
- It creates a scheduled task (named 'Skype') that executes the worm's script every 30 minutes
- It copies itself to the Startup folder, so that the worm is started each time the machine is booted up
- It adds itself to the startup registry folder

Network activity
Vjw0rm contacts a remote C&C server to provide its operator(s) with information about the infected machine, as well as to retrieve any additional instructions they may issue.

Request
Every 7 seconds, the worm sends a POST request with a custom User-Agent to its C&C server. This allows the worm's operator(s) to identify which infected machines are online (and so are available to receive commands), as well as providing some basic information about the machines. The request can be defined as:
POST [host]:[port]/Vre
User-Agent: [tag]\[logicaldiskserialnum]\[computername]\[username]\[osnamever]\[avdisplayname]\\[vbc_exist]\[prev_infected]\

https://www.f-secure.com/v-descs/worm_js_vjw0rm.shtml
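An added triage script that turns the quoted indicators into checks a defender can run on a suspect machine; it is not part of this thread or of F-Secure's write-up. It assumes Windows PowerShell 5.1 or later, the WScript.Shell COM object for resolving shortcut targets, and the scheduled-task name 'Skype' given in the description.

```powershell
# Added triage script, not from the thread or F-Secure: checks removable drives for the
# propagation pattern quoted above and the host for the persistence items. Run elevated.
param([string]$TaskName = 'Skype')   # task name taken from the write-up
$HiddenSystem = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System  # 0x06
$shell = New-Object -ComObject WScript.Shell   # resolves .lnk targets
function Test-RemovableDrive {
    param([string]$Root)   # e.g. 'E:\'
    $findings = @()
    foreach ($item in Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue) {
        if ($item.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($item.FullName)
            # decoy shortcuts target "cmd.exe /c start <script> &start <original> &exit"
            if ($lnk.TargetPath -match 'cmd\.exe$' -and $lnk.Arguments -match '/c\s+start\s') {
                $findings += "Suspicious shortcut: $($item.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)"
            }
        } elseif (($item.Attributes -band $HiddenSystem) -eq $HiddenSystem) {
            # the worm sets Hidden+System on every root item it hides behind a shortcut
            $findings += "Hidden+System root item: $($item.FullName)"
        }
    }
    return $findings
}
function Test-HostPersistence {
    $findings = @()
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += "Scheduled task '$TaskName': $actions"
    }
    # script files or shortcuts dropped into the per-user Startup folder
    Get-ChildItem -LiteralPath ([Environment]::GetFolderPath('Startup')) -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.js', '.jse', '.vbs', '.wsf', '.lnk' } |
        ForEach-Object { $findings += "Startup folder item: $($_.FullName)" }
    # Run keys whose value launches a script host or a .js file
    foreach ($hive in 'HKCU', 'HKLM') {
        $run = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            $run.PSObject.Properties | Where-Object { $_.Value -match 'wscript|cscript|\.js\b' } |
                ForEach-Object { $findings += "$hive Run entry '$($_.Name)': $($_.Value)" }
        }
    }
    return $findings
}
$results = @(Test-HostPersistence)
# DriveType=2 is "removable", matching the DriveType check in the write-up
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
    $results += Test-RemovableDrive -Root "$($disk.DeviceID)\"
}
if ($results) { $results | ForEach-Object { Write-Warning $_ } } else { 'No Vjw0rm-style indicators found.' }
```

Any hit is a lead for the kind of sample ESET asked for later in this thread, not proof of infection on its own; a Run entry or Startup shortcut still needs to be read before it is treated as malicious.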
itman, posted December 28, 2021:
3 hours ago, Saeedqd said:
  0x80191032fB4d309501d2EBc09a1A7d7F2941C8C1 (this is not my address)

Quote: The Address 0x80191032fb4d309501d2ebc09a1a7d7f2941c8c1 page allows users to view transactions, balances, token holdings and transfers of ERC-20
https://etherscan.io/address/0x80191032fb4d309501d2ebc09a1a7d7f2941c8c1
Saeedqd (author), posted December 28, 2021:
1 hour ago, Marcos said:
  Please provide logs collected with ESET Log Collector for a start.
Thanks. eis_logs.zip
Saeedqd (author), posted December 28, 2021:
57 minutes ago, itman said:
  FYI. https://www.f-secure.com/v-descs/worm_js_vjw0rm.shtml
Thanks.
Saeedqd (author), posted December 28, 2021:
27 minutes ago, itman said:
  https://etherscan.io/address/0x80191032fb4d309501d2ebc09a1a7d7f2941c8c1
Yes, this is a scam address that is stealing people's crypto assets. There are several users on Reddit reporting the same problem as mine with this specific address.
Marcos (Administrator), posted December 28, 2021:
Please provide C:\WINDOWS\msvcp140_2 Microsoft_Product_Version_gHOwPxYo4V9Hmn. Do not delete the file yet until I confirm the receipt of the file.
Saeedqd (author), posted December 28, 2021:
1 minute ago, Marcos said:
  Please provide C:\WINDOWS\msvcp140_2 Microsoft_Product_Version_gHOwPxYo4V9Hmn. Do not delete the file yet until I confirm the receipt of the file.
OK, done. Actually I deleted this file a couple of hours ago, but it didn't make any difference to my situation, so I restored it again! msvcp140_2.rar
itman, posted December 28, 2021:
Here's an example detailed analysis of this malware: https://www.joesandbox.com/analysis/391271/0/lighthtml
The way it's executing JavaScript at system startup, i.e. dynamically, is nothing I have ever seen before.
Saeedqd (author), posted December 28, 2021:
10 minutes ago, itman said:
  Here's an example detailed analysis of this malware: https://www.joesandbox.com/analysis/391271/0/lighthtml
  The way it's executing JavaScript at system startup is nothing I have ever seen before.
I downloaded a bunch of anti-malware and antivirus software and none of them detected this. Only ESET managed to find out about the threat, but it seems it can't eliminate it. I tried: Malwarebytes, Kaspersky, Emsisoft, Windows Defender and some more apps.
itman, posted December 28, 2021:
ESET detects the dropper .exe shown in the Joe Sandbox analysis. However, the subsequent processing done by it is all Windows "living off the land" technique based. As such, I assume someone just "packaged" this processing differently.
Marcos (Administrator), posted December 28, 2021:
Besides C:\WINDOWS\msvcp140_2, provide also Microsoft_Product_Version_gHOwPxYo4V9Hmn, most likely located under c:\windows too.
Saeedqd (author), posted December 28, 2021:
15 minutes ago, Marcos said:
  Besides C:\WINDOWS\msvcp140_2, provide also Microsoft_Product_Version_gHOwPxYo4V9Hmn, most likely located under c:\windows too.
I can't find it. Sorry, I looked and searched everywhere.
Marcos (Administrator), posted December 28, 2021:
The script you've supplied will be detected as JS/Kryptik.CCM trojan shortly. Let us know should the problem persist. We'd need a Procmon boot log then.
Saeedqd (author), posted December 28, 2021:
1 hour ago, Marcos said:
  The script you've supplied will be detected as JS/Kryptik.CCM trojan shortly. Let us know should the problem persist. We'd need a Procmon boot log then.
Yes, it was detected as JS/Kryptik.CCM trojan and deleted. Thank you very much. It seems my problem is solved! But I will keep my eyes open on my clipboard for a little while in case the trojan likes to come back to my PC again!
itman, posted December 28, 2021:
31 minutes ago, Saeedqd said:
  Yes, it was detected as JS/Kryptik.CCM trojan and deleted.
Reboot your PC and verify ESET detection doesn't reappear.
Saeedqd (author), posted December 28, 2021:
1 minute ago, itman said:
  Reboot your PC and verify ESET detection doesn't reappear.
I did and ran some tests. ESET detection didn't reappear.