BKDR_BTMINE.MNR

This malware has received attention from independent media sources and/or other security firms. This malware is a part of a package that generate BitCoins and performs DDOS attacks against targeted entities.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

It connects to the malicious URLs to get a list of server IP addresses and saves it in specific files.

The malware connects to the IP addresses in the obtained list to send receive information, download other malware, and get a new list of IP addresses. It builds the URL using specific format.

It downloads publicly available Bitcoin miners such as Phoenix, RPCminer, and Ufasoft. It saves the downloaded package.

This backdoor may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

Arrival Details

This backdoor may be downloaded by other malware/grayware/spyware from remote sites.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following copies of itself into the affected system:

• %Windows%\update.5.0\svchost.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It creates the following folders:

• %Windows%\update.5.0
• %Windows%\phoenix
• %Windows%\rpcminer
• %Windows%\ufa

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This backdoor adds and runs the following services:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ImagePath = "%Windows%\update.5.0\svchost.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
DisplayName = "srvbtcclient"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Security
Security = "{hex values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
0 = "Root\LEGACY_SRVBTCCLIENT\0000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
Count = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
NextInstance = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
Type = "10"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ErrorControl = "0"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\btcclient

Process Termination

This backdoor terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• agava
• agava_start
• agnitum
• alwil
• avast
• avast_start
• avira
• avira_start
• comodo
• comodo_start
• doctor web
• drweb
• drweb_start
• eset
• ESET NOD32 Antivirus
• ESET Smart Security
• ESET SysInspector
• ESET SysRescue
• kaspersky
• Kaspersky Internet Security 2009
• Kaspersky Internet Security 2010
• Kaspersky Internet Security 2011
• Kaspersky Internet Security 7.0
• KAV_2008
• KAV_2009
• KAV_2010
• KAV_2011
• KAV_START
• KAV_TXT
• KAV_UNINSTALL
• KAV_URL
• mcafee
• mcafee_start
• NOD_AV_4_2
• NOD_AV_START
• NOD_SS_4_2
• NOD_SS_START
• NOD_SYSINSP
• NOD_SYSRESC
• NOD_TXT
• NOD_UNINSTALL
• norton
• norton_start
• outpost
• Outpost Firewall Pro 7.0
• outpost_start1
• outpost_start2
• virus

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

• ya.ru
• google.com
• microsoft.com

NOTES:

This malware is a part of a package that generate BitCoins. Its component malware BKDR_BTMINE.DDOS performs DDOS attacks against targeted entities.

It connects to any of the following malicious URLs to get a list of server IP addresses:

• http://{BLOCKED}-portal-x86.com/distrib_serv/ip_list_{value}.php
• http://{BLOCKED}s-z2012.com/distrib_serv/ip_list_{value}.php
• http://{BLOCKED}vers-win7.com/distrib_serv/ip_list_{value}.php

It saves the list of IP addresses in the following file:

• %Windows%\btc_client_iplist.txt

The malware connects to the IP addresses in the obtained list to send receive information, download other malware, and get a new list of IP addresses. It builds the URL using the following format:

• http://{IP address}/search=error
• http://{IP address}/search=ip_list_{value}.txt
• http://{IP address}/search=ip_list_{value}
• http://{IP address}/btc/knock_client.php
• http://{IP address}/btc/knock_good_2.php
• http://{IP address}/search=myunrar2.exe.txt
• http://{IP address}/search=myunrar2.exe

Sample IP addresses are as follows:

It downloads publicly available Bitcoin miners such as Phoenix, RPCminer, and Ufasoft. It saves the downloaded package as the following:

• %Windows%\{number}_myunrar2.exe
• %Windows%\phoenix.rar
• %Windows%\rpcminer.rar
• %Windows%\ufa.rar

It then extract these archives in the following folders:

• %Windows%\phoenix
• %Windows%\rpcminer
• %Windows%\ufa

It also downloads legitimate GPU and CPU drivers from the following sites to enable the affected system to be able to use the Bitcoin miners effectively:

• http://{BLOCKED}ad2developer.amd.com
• http://{BLOCKED}2.ati.com
• http://{BLOCKED}s.amd.com