wizz.exe

Karim Lammali

Although the file properties claim that the file was developed by 'Microsoft Corporation', it was not; it is designed only to look like a legitimate Microsoft system file. The executable wizz.exe has been detected as malware by 25 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘cf9162e7f0b57c9aae661e4973d96ab4’.
Publisher:
Microsoft Corporation (signed by Karim Lammali)

Product:
Microsoft Corporation

Version:
2.1.4.0

MD5:
3488b9e353a560f7385fb887f04835c7

SHA-1:
1a06b36dec5ef09d200b342d79038311c8b39555

SHA-256:
c82d3c074a375a9c1ea21281eb0f45d3431d8dfd46ca533957d664f729e377cb

Scanner detections:
25 / 68

Status:
Malware

Analysis date:
4/20/2024 1:44:15 AM UTC

Scan engine                   | Detection                            | Engine version
------------------------------+--------------------------------------+---------------
Lavasoft Ad-Aware             | Trojan.GenericKD.2418837             | 57
avast!                        | MSIL:Bladabindi-FE [Trj]             | 2014.9-161208
AVG                           | Generic33                            | 2017.0.2535
Baidu Antivirus               | Trojan.MSIL.MultiPacked              | 4.0.3.16128
Bitdefender                   | Trojan.GenericKD.2418837             | 1.0.20.1715
Dr.Web                        | Trojan.DownLoader9.38280             | 9.0.1.0343
Emsisoft Anti-Malware         | Trojan.GenericKD.2418837             | 8.16.12.08.09
ESET NOD32                    | MSIL/Packed.MultiPacked.AJ (variant) | 10.11643
Fortinet FortiGate            | W32/Agent.AVFG!tr                    | 12/8/2016
G Data                        | Trojan.GenericKD.2418837             | 16.12.25
IKARUS anti.virus             | Trojan.Crypt3                        | t3scan.1.8.9.0
K7 AntiVirus                  | Trojan                               | 13.204.15940
Kaspersky                     | Trojan.MSIL.Agent                    | 14.0.0.-829
Malwarebytes                  | Trojan.FakeMS.ED                     | v2016.12.08.09
McAfee                        | RDN/Generic BackDoor!bd3             | 5600.6191
Microsoft Security Essentials | Backdoor:MSIL/Bladabindi             | 1.1.11602.0
nProtect                      | Trojan-Dropper/W32.FrauDrop.491440   | 15.05.18.01
Panda Antivirus               | Generic Malware                      | 16.12.08.09
Qihoo 360 Security            | Win32/Trojan.d3b                     | 1.0.0.1015
Sophos                        | Mal/Generic-S                        | 4.98
Trend Micro House Call        | TROJ_GEN.R021C0DEG15                 | 7.2.343
Trend Micro                   | TROJ_GEN.R021C0DEG15                 | 10.465.08
Vba32 AntiVirus               | TScope.Trojan.MSIL                   | 3.12.26.4
VIPRE Antivirus               | Trojan.Win32.Generic                 | 40338
Zillya! Antivirus             | Trojan.Agent.Win32.371283            | 2.0.0.2179

File size:
479.9 KB (491,440 bytes)

Product version:
5.3.2.5

Copyright:
Microsoft Corporation

Original file name:
C:\Documents and Settings\Administrateur\Bureau\CryptoObfuscator_Output\Servear.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\wizz.exe

Digital Signature
Signed by:
Karim Lammali
Authority:
DigiCert Inc

Valid from:
3/18/2013 2:00:00 AM

Valid to:
5/21/2014 2:00:00 PM

Subject:
CN=Karim Lammali, O=Karim Lammali, L=Besançon, C=FR

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
06477E3425F1448995CED539789E6842

File PE Metadata
Compilation timestamp:
4/18/2013 7:10:09 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

Entry address:
0x3A79A

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, A0, 03, 00, 0C, 00, 00, 00, 9C, 37, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
5.7651

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
226 KB (231,424 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
cf9162e7f0b57c9aae661e4973d96ab4

Command:
"C:\users\{user}\appdata\local\temp\wizz.exe"..
