WebCobra Removal Guide

Do you know what WebCobra is?

Has your computer started running slower than usual? If it has, you need to inspect your system for malware. WebCobra is one of the infections that could have been dropped onto your Windows operating system without your notice. According to our malware researchers, this infection drops one of two crypto-miners (Cryptonight or Claymore’s Zcash), which can use up available system resources to earn crypto-currency. It is hard to explain the process in layman’s terms, but the most basic explanation is that a miner computes crypto-transactions by recording them in the blockchain. A lot of resources are required in the process, and unless the mining operator has powerful machines that can run day and night, they have to look for the resources elsewhere. That is exactly what cyber criminals do by dropping miners silently onto the computers of unsuspecting Windows users. Without a doubt, it is important to remove WebCobra and silent miners from your PC, and if you continue reading, you will learn all about the process.

It is unknown how WebCobra spreads, but it is known that it is targeted at computers with x86 and x64 architectures. The launcher of this malware could be packaged along with more attractive programs, or it could be downloaded by other active threats. Overall, if this miner-dropper is found on your operating system, the chances are that you will find other malicious threats that require removal too. How can you find that out? We recommend installing a legitimate malware scanner. Note that most scanners are free, and so you should have no reservations about installing one. That being said, you have to be cautious because fake scanners exist, and if you let them in, the overall security of your operating system could suffer. Once in, WebCobra looks at the architecture of the computer, and if the conditions are right, the Cryptonight miner or Claymore’s Zcash miner is downloaded and executed silently. Although this report was created to help Windows users delete the dropper, deleting the miner is just as important.

Once the clandestine miner is dropped by WebCobra, crypto-mining begins. On x86 systems, it appears, the Cryptonight miner’s code is injected into a running Svchost.exe process, and, on x64 systems, Claymore’s Zcash miner is downloaded. The infection drops and unpacks a password-protected Cabinet archive file, which contains Erdnt.loc (decryption file) and Data.bin (encrypted payload). The malware then proceeds to terminate processes running on the machine. Only processes with specific strings in their names are affected. These strings include adw, AlertWindow, AnVir, asw_av_popup_wndclass, AvastCefWindow, avz, delfix, emsi, eset, exe, farbar, glax, hacker, malware, rogue, Rogue, snxhk_border_mywnd, UnHackMe, and uVS. Clearly, the malware wants to disable anti-virus and anti-malware tools, because if they detect the threat, they should delete it without any delay. If security software is disabled, your virtual security might be put at serious risk. Also, while WebCobra was only discovered to drop and execute miners, who can say that it would not be employed to spread other malicious threats?

There is no doubt that you need to delete WebCobra from your operating system. The only question in your mind should be how to do it. The guide below lists the components that must be eliminated, and, hopefully, you will have no trouble finding and eliminating them. Of course, because the malicious miner dropper could exist alongside other malicious threats, it might be a better idea to install anti-malware software. It would automatically detect and remove all malicious components, including those that belong to WebCobra and the associated crypto-miners. The most important thing is that this software would also keep you and your operating system protected against these and similar threats in the future.

Remove WebCobra and miners

  1. Find the {random}.exe launcher of the dropper infection (location unknown).
  2. Right-click and Delete this malicious file to stop it from downloading threats.
  3. Launch Windows Explorer by tapping Win+E keys at the same time.
  4. Enter %WINDIR% into the bar at the top to access the directory.
  5. Delete a folder named {DE03ECBA-2A77-438C-8243-0AF592BDBB20}.
  6. Enter %TEMP% into the bar at the top to access the directory.
  7. Delete the batch script file with a random name, -{random}.cmd.
  8. Empty Recycle Bin to eliminate these malware components.
  9. Install a legitimate malware scanner and run it to perform a full system scan.
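The following audit script is an added example written for this guide; it is not code from the original page or from any security vendor. It pulls together the two concrete observations above: the file indicators named in the removal steps (the GUID-named folder under %WINDIR% and the hyphen-prefixed .cmd script in %TEMP%) and the list of process-name strings the dropper uses to pick security tools to terminate. The folder name, the .cmd naming pattern and the string list come from the page; everything else is an assumption: that the string match is a case-sensitive substring match (suggested by both "rogue" and "Rogue" appearing in the list), that it is applied to the image name without its ".exe" extension (otherwise the "exe" entry would match almost every process), and the helper names `find_file_indicators`, `targeted_processes` and `running_process_names`.

```python
"""Defensive audit for the WebCobra indicators described in this guide.

Added example, not part of the original page. Run it on the suspect
Windows machine to list the dropper's file artefacts and to see which
of your currently running security tools carry a name the dropper is
reported to look for before killing processes.
"""
import csv
import os
import re
import subprocess
import sys
from pathlib import Path
from typing import Dict, Iterable, List

# Folder the dropper creates under %WINDIR% (name taken from the page).
WEBCOBRA_DIR_NAME = "{DE03ECBA-2A77-438C-8243-0AF592BDBB20}"

# Batch script dropped into %TEMP%: a random name with a leading hyphen
# and a .cmd extension ("-{random}.cmd" on the page).
WEBCOBRA_CMD_PATTERN = re.compile(r"^-.+\.cmd$", re.IGNORECASE)

# Substrings the dropper looks for in process names before terminating
# them (list taken from the page, in the page's order).
KILL_STRINGS = (
    "adw", "AlertWindow", "AnVir", "asw_av_popup_wndclass", "AvastCefWindow",
    "avz", "delfix", "emsi", "eset", "exe", "farbar", "glax", "hacker",
    "malware", "rogue", "Rogue", "snxhk_border_mywnd", "UnHackMe", "uVS",
)


def find_file_indicators(windir: os.PathLike, tempdir: os.PathLike) -> List[str]:
    """Return paths of WebCobra file artefacts found under the given
    Windows and Temp directories (sorted, empty list if none)."""
    hits: List[str] = []
    guid_dir = Path(windir) / WEBCOBRA_DIR_NAME
    if guid_dir.is_dir():
        hits.append(str(guid_dir))
    temp = Path(tempdir)
    if temp.is_dir():
        for entry in temp.iterdir():
            if entry.is_file() and WEBCOBRA_CMD_PATTERN.match(entry.name):
                hits.append(str(entry))
    return sorted(hits)


def targeted_processes(process_names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each process name the dropper would terminate to the kill
    strings it matched.

    Assumptions (not stated on the page): the match is a case-sensitive
    substring test, and it runs against the image name without its
    extension, so "svchost.exe" is tested as "svchost".
    """
    result: Dict[str, List[str]] = {}
    for name in process_names:
        stem = name[:-4] if name.lower().endswith(".exe") else name
        matched = [s for s in KILL_STRINGS if s in stem]
        if matched:
            result[name] = matched
    return result


def running_process_names() -> List[str]:
    """Image names of running processes via `tasklist /FO CSV /NH`
    (Windows only; returns an empty list elsewhere)."""
    if sys.platform != "win32":
        return []
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False).stdout
    return [row[0] for row in csv.reader(out.splitlines()) if row]


if __name__ == "__main__":
    # %WINDIR% / %TEMP% expand only on Windows; elsewhere the literal
    # names stay in place and simply do not exist as directories.
    files = find_file_indicators(os.path.expandvars("%WINDIR%"),
                                 os.path.expandvars("%TEMP%"))
    print("File indicators:", files or "none found")
    targets = targeted_processes(running_process_names())
    for proc, strings in sorted(targets.items()):
        print(f"{proc}: would be terminated (matched {', '.join(strings)})")
```

The process check is the part worth reading twice: a security tool whose image name contains one of the listed strings with different capitalisation (for example "Malware..." rather than "malware...") would slip past a case-sensitive match, while one containing "Rogue" would not, which is why the page's list carries both spellings of that word.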

In non-techie terms:

WebCobra is a dangerous threat because it can download miners. It is possible that it could be modified to spread other kinds of infections too. A miner is a tool to earn crypto-currency, which cyber criminals can use to purchase goods and services online. While miners are not intrinsically malicious, they can use up all available system resources, and that could slow down your computer or even cause it to crash. The malicious dropper can also disable security tools by terminating their processes, and that could cause security and privacy problems. Overall, it is important to delete WebCobra as soon as possible, and it might be easiest to employ anti-malware software to eliminate this threat. Your other option is to remove existing malware manually, and we suggest employing a malware scanner first to figure out what exactly you are dealing with.