WebCobra Miner Virus – How to Remove It

WebCobra Miner Virus – How to Remove It


with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by WebCobra Miner Virus and other threats.
Threats such as WebCobra Miner Virus may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

This blog post has been created to help explain what is the WebCobra miner app and how you can try and remove it and prevent it from mining ZCash or Monero cryptocurrencies on your Mac.

A new, very dangerous cryptocurrency miner virus has been detected by security researchers. The malware, called WebCobra comes as an app, which experts believe to be installed as a result of software bundling. The main idea behind the WebCobra miner is to employ cryptocurrency miner activities on the computers of victims in order to obtain Monero and ZCash tokens at victims’ expense. The outcome of this miner is the elevated electricity bills and if you leave it for longer periods of time WebCobra may even damage your computer’s components.

Threat Summary

NameWebCobra Miner Virus
TypeCryptocurrency Miner Virus
Short DescriptionA crypto miner that aims to use the resources of your computer to mine for cryptocurrencies.
SymptomsYour computer may experience slow-downs, overheating, suspicious processes running and other types of unwanted side effects..
Distribution MethodBundled downloads. Web pages which may advertise it.
Detection Tool See If Your System Has Been Affected by WebCobra Miner Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss WebCobra Miner Virus.

WebCobra – Distribution Methods

The primary methods of distribution used by WebCobra have been reported by users to be via either fake Microsoft websites or software bundling.

If the installer of WebCobra is spread via a fake site, the virus may pretend to be a Microsoft installer package that will check the computer’s runtime environment. In the same time, the installer may start to check and execute the miner codes.

Another method of infection with WebCobra is if the program pretends to be a legitimate type of program, that is bundled in the setups of other free apps downloaded from suspicious websites. Such seemingly free apps may be useful apps that are used in a very often basis. These applications often have their installers modified by users with various different purposes, the outcome of which is to get them to accept the installation of WebCobra with the hopes to miss it’s installation prompt. This prompt is usually located in the “Advanced” or “Custom” installation options, the main idea of which is to get users to skip it’s install steps. But if the user sees it, the program is advertised as “an optional offer” or “a free extra” to the current installation and this is how it ends up on their computers.

WebCobra Miner – Analysis

Similar to other

What is BitCoin Miner malware? How to remove BitCoin miner malware safely? How to detect BitCoin miner malware on your PC? Removal and protection tutorial.
crypto miners we have detected over the years, the WebCobra miner performs multiple malicious activities on the computers of victims. Once an initial infection has commenced, the malware drops a .zip file, called ERDNT.LOG.zip. This .zip file extracts a password-protected Cabinet archive to unzip it. The procedure is done via command prompt by entering the following Windows command:

→ “cmd” /c “CD [WindowsFolder]\{A0BB5888-2851-4724-9666-8998623D6EA7}\&unzip –o –P iso100 ERDNT.LOG.zip

The Cabinet (.CAB) file unpacks two types of files:

  • A LOC file which is a DLL file that decrypts the second file.
  • A .bin file which is decrypted by the LOC file and executes the malicious payload.

The CAB file also uses the following commands in order to execute ERDNT.LOC:

→ “cmd” /v:on /c “set rnd=%random%&mkdir [WindowsFolder]\{DE03ECBA-2A77-438C-8243-0AF592BDBB20}\!rnd!&cd
[WindowsFolder]\{DE03ECBA-2A77-438C-8243-0AF592BDBB20}\!rnd!&move /y
[WindowsFolder]\{DE03ECBA-2A77-438C-8243-0AF592BDBB20}\!rnd!\&RundLL32ERDNT.LOC,TModuleEntry u”

After it’s executed, this script of command directly executes the malicious ERDNT.LOG (DLL) file and DATA.BIN file to begin it’s mining operation of Monero and Zcash, where it does the following:

To mine Monero (on x86 machines), the virus injects a script in Svchost.exe where it runs a cryptonight miner by connecting to emergency.fee.xmrig.com and miner.fee.xmrig.com pools.

To mine for ZCash (on x64 machines), the virus executes a direct connection to saarnio.ru/ln.zip and downloads Claymore’s ZCash Miner configuration file which then connects to the eu.zec.slushpool.com mining pool.

The outcome of these mining activities on your computer are the following:

  • It may immediately start to slow down in terms of performance.
  • Your PC may start to freeze at time.
  • Internet connection on your network may freeze.
  • Your components (CPU, GPU) may overheat.

Once the WebCobra miner has been executed, it immediately starts to check if it’s running in a isolated environment. If not, then the miner virus may connect to the following IP addresses:

  • 149.249.13:2224
  • 149.254.170:2223
  • 31.92.212

The WebCobra malware is also identified by McAfee with the following SHA256 hashes:

→ 5E14478931E31CF804E08A09E8DFFD091DB9ABD684926792DBEBEA9B827C9F37

Furthermore, WebCobra can also perform the following malicious activities on your PC, besides mining:

  • Locate and read your files.
  • Interact with Windows via Command Prompt.
  • Extract data from your local system.
  • Discover what processes are running.
  • Read your system information.
  • Inject processes.
  • Encrypt data.
  • Obfuscate data.
  • Delete files.

Removal of WebCobra miner is strongly recommended, since you risk not only a big electricity bill if it’s running on your PC, but the miner may also perform other unwanted activities on it and even damage your PC permanently.

Remove WebCobra Miner from Your PC

If you want to remove this miner from your Mac, be advised that it can delete your files. This is why, we advise you to backup all your important files if on your PC before removing this virus.

To remove WebCobra miner automatically from your PC, we advise you to follow the removal manual below. It is separated In manual and automatic removal, since this will effectively help delete the virus files permanently. If manual removal does not help, however, we recommend what most researchers advise and that is to download an advanced anti-malware software to run a scan with it on your infected PC. Such program will automatically take care of the WebCobra miner virus from your computer and will make sure that it’s removed completely plus your PC stays protected in the future too.

Note! Your computer system may be affected by WebCobra Miner Virus and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as WebCobra Miner Virus.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove WebCobra Miner Virus follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove WebCobra Miner Virus files and objects
2. Find files created by WebCobra Miner Virus on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share