What Is Win64 Malware-gen.exe?
Win64:Malware-Gen is a generic, heuristic detection name used by Avast Antivirus for 64-bit Windows executables that behave like a Trojan horse but do not match a named malware family; it is not the name of one specific program. The rest of this page describes a single sample reported under that label and the file name it uses, Win64 malware-gen.exe.
That sample presents itself as a compatibility utility for 64-bit Windows that writes VBS files to disk and runs them through the Windows Script Host (wscript.exe). It is distributed as a 32-bit (Win32) executable and runs on both 32-bit and 64-bit Windows, so the "requires 64-bit Windows" claim in its own description is not a technical constraint.
Behaviour Of Win64 Malware Gen
Win64 malware-gen.exe has a simple command-and-control (C&C) mechanism: it talks to its server over HTTP and receives commands in the bodies of POST requests. It carries a unique ID that identifies the victim to the C&C server, and it stores that ID, together with other data about the victim, locally on the infected machine.
How Does Win64 Malware-Gen Affect A Victim's Computer?
Win64 malware-gen.exe does not infect other files (it is a Trojan, not a file-infecting virus) and presents itself as nothing more than a compatibility utility for running VBS files on 64-bit Windows. On a victim's computer it:
- Creates a process that uses WScript.Shell to execute VBS files it finds on the disk
- Runs a simple HTTP server that listens for incoming connections; by default it binds only to the loopback address (127.0.0.1), so it is reachable only from the same machine
- Stores data about the victim locally, including the unique ID and the victim's IP address
What Is Win64 Malware-gen.exe's Functionality?
The main routine of Win64 malware-gen.exe performs the following steps (the Windows API or internal function the page associates with each step is in parentheses):
- Checks whether the current process is a 32-bit process running under WOW64 on 64-bit Windows (GetNativeSystemInfo)
- Checks that it is running on Windows XP or later (GetVersion)
- Checks whether the operating system is x64 by resolving an API export at run time (GetProcAddress)
- Collects system information: processor, memory and OS version (GetSystemInfo)
- Builds the command to run, e.g. Command = Command("C:\vmware\win32app.vbs")
- Sends the collected data to the C&C server and waits for commands (interact and sendData)
- Executes each received command through the Windows Script Host, i.e. CreateObject("WScript.Shell").Run "cmd /c " & Command
- Cleans its traces on reboot (deleteFile, deleteService, deleteRegistry)
When Does Win64 Malware-gen.exe Take Effect?
Win64:Malware-Gen does not modify any existing files. It does write to the Image File Execution Options (IFEO) subkey for wscript.exe, setting a Description value to "Win64 malware-gen.exe" in both hives:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe (Description = "Win64 malware-gen.exe")
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe (Description = "Win64 malware-gen.exe")
Two points worth knowing when you check these keys: Windows reads IFEO only from HKLM, so the HKCU copy is an artifact rather than an active setting; and the IFEO value that actually changes how wscript.exe starts is Debugger, not Description. If a Debugger value is present, the loader runs the program it names (with the original command line appended) every time wscript.exe is launched, so inspect that value as well.
How Does Win64 Malware-gen.exe Spread?
Win64:Malware-Gen spreads by dropping a copy of its component into random directories on most of the NTFS partitions present and then creating an autostart registry entry that points at that copy.
When executed, Win64 malware-gen.exe downloads a payload from http://validator.avast.com/data002 and saves it as %TEMP%\malware-gen.exe. Treat that URL as a network indicator to block or alert on, not as something to fetch.
How Can I Delete Win64 Malware-gen.exe?
To remove the Win64:Malware-Gen Trojan manually, follow these steps:
- Press CTRL+SHIFT+ESC to open Task Manager (CTRL+ALT+DEL opens the security screen, from which Task Manager is one click away)
- Right-click the running Win64 malware-gen.exe process and choose "End process tree"
- Go to your Windows installation drive (usually C:\) and open the directory \Windows\System32\
- Delete the file named Win64 malware-gen.exe by right-clicking it and choosing "Delete". Leave wscript.exe itself alone: it is the legitimate Windows Script Host, not part of the infection.
How Can You Fix Win64 Malware-gen.exe Threat?
We recommend that anyone who finds Win64:Malware-Gen on their computer remove it using the following instructions:
1) Open Registry Editor by typing regedit into the Start menu.
2) Navigate to the key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe] (hint: pressing F3 opens Find in Registry Editor). On a clean system this subkey normally does not exist at all.
The key may contain values named Description and Debugger. If Description is set to Win64 malware-gen.exe (without quotes), the machine is infected with this Trojan: delete the Description value rather than editing it. If a Debugger value is present, delete it too, because it redirects every launch of wscript.exe to the program it names; there is rarely a legitimate reason for one on wscript.exe, so if you did not create it, remove it.
3) Press F3 again and search for Shell (without quotes). If a value named Shell appears under the same wscript.exe key, delete it as well, then confirm that no Description value remains.
4) Reboot your computer for these changes to take effect. If the wscript.exe subkey is now absent or empty, the registry side is clean.
We also recommend removing the dropped file itself:
- Open File Explorer by typing file explorer into the Start menu.
- Go to C:\ProgramData\ (hint: this directory is hidden by default, so turn on "Hidden items" in the View menu).
- Delete Win64 malware-gen.exe if it exists there. Also check C:\Windows\System32\, the directory that holds the legitimate wscript.exe, and delete any Win64 malware-gen.exe found beside it; do not delete wscript.exe. If the file is not present in either location, the file side is clean.
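To make the two manual procedures above (the registry check in steps 1 to 4 and the file check) repeatable, here is an added PowerShell script. It is example code written for this page, not code from the original page or from any antivirus vendor. It relies on the indicators the page gives: the file names Win64 malware-gen.exe and malware-gen.exe, the IFEO subkey for wscript.exe with its Description, Debugger and Shell values, and an autostart entry pointing at the dropped file. The search roots (ProgramData, %TEMP%, System32), the -Remove switch, the script name and the rule that leaves an unrelated Debugger value for manual review are this example's own choices.

```powershell
# Check-MalwareGen.ps1 (name assumed). Added example for this page, not code from the
# page or from any product. Reports, and with -Remove cleans, the indicators the page
# describes for Win64:Malware-Gen. Search roots and the -Remove logic are this example's own.
# Run from an elevated PowerShell prompt; without -Remove it only reports.
[CmdletBinding()]
param(
    [switch]$Remove
)

$indicatorNames = @('Win64 malware-gen.exe', 'malware-gen.exe')   # file names the page reports
$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe'
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$searchRoots = @($env:ProgramData, $env:TEMP, "$env:SystemRoot\System32")   # assumed drop locations

# One object per Description/Debugger/Shell value found under the IFEO subkey for wscript.exe.
function Get-IfeoFindings {
    foreach ($key in $ifeoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # the subkey is absent on a clean system
        $item = Get-Item -LiteralPath $key
        foreach ($name in 'Description', 'Debugger', 'Shell') {
            $data = $item.GetValue($name, $null)
            if ($null -ne $data) {
                [pscustomobject]@{ Key = $key; Value = $name; Data = [string]$data }
            }
        }
    }
}

# Run-key values whose command line mentions one of the indicator file names.
function Get-RunFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            foreach ($ind in $indicatorNames) {
                if ($data -like "*$ind*") {
                    [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
                    break
                }
            }
        }
    }
}

# Files with an indicator name under the search roots, with SHA-256 so the hash can be recorded.
function Get-FileFindings {
    foreach ($root in $searchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Depth 2 -File -Include $indicatorNames -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$regFindings  = @(Get-IfeoFindings) + @(Get-RunFindings)
$fileFindings = @(Get-FileFindings)

if ($regFindings.Count -eq 0 -and $fileFindings.Count -eq 0) {
    Write-Host 'No Win64:Malware-Gen indicators found.'
    return
}
$regFindings  | Format-Table -AutoSize
$fileFindings | Format-Table -AutoSize

if (-not $Remove) { return }

# Stop any running copy first, matching on the exact file name so wscript.exe is never touched.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($indicatorNames -contains (Split-Path -Leaf $_.Path)) } |
    Stop-Process -Force

foreach ($f in $regFindings) {
    # A Debugger value that does not name the indicator could be a deliberately installed
    # debugger, so it is reported and left for manual review instead of being deleted.
    $mentionsIndicator = $indicatorNames | Where-Object { $f.Data -like "*$_*" }
    if ($f.Value -eq 'Debugger' -and -not $mentionsIndicator) {
        Write-Warning "Left $($f.Key)\$($f.Value) = '$($f.Data)' in place; review it manually."
        continue
    }
    Remove-ItemProperty -LiteralPath $f.Key -Name $f.Value -Force
}
foreach ($f in $fileFindings) {
    Remove-Item -LiteralPath $f.Path -Force
}
Write-Host 'Removed the listed indicators; reboot to complete the cleanup.'
```

Run `.\Check-MalwareGen.ps1` from an elevated prompt to get a report only, and `.\Check-MalwareGen.ps1 -Remove` to end the process and delete the flagged values and files. The HKCU IFEO key is checked even though Windows only honours the HKLM one, because the page says the sample writes both; recording the SHA-256 of anything found lets you compare the file against your antivirus vendor's detection before deleting it.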
Malware analysis tools can be used to analyse this file if it turns up on your system, but do not run or experiment with it outside an isolated lab unless you know what you are doing. Malware-gen.exe prefers to run from a random directory on a local disk partition, for example:
-C:\Documents and Settings\<random_folder>\Application Data
That is the Windows XP profile layout; on Windows Vista and later the equivalent location is the AppData folder under C:\Users.
We recommend that you keep an eye out for this file when browsing or downloading from untrusted sources, and that you scan all incoming downloads with a reliable anti-virus or malware scanner so that the download process does not introduce it.