WORM_COINMINE.A
Trojan.BAT.Miner.bv (Kaspersky)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware, Copies itself in all available physical drives
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
TECHNICAL DETAILS
804,352 bytes
EXE
Yes
01 Jul 2014
Drops files, Modifies system registry
Arrival Details
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following component file(s):
- %User Temp%\{random filename}.bat - used to drop malware copy and execute the dropped minerd.exe
- %AppDataLocal%\{random folder name}\minerd.exe - for mining purposes
- %AppDataLocal%\{random folder name}\libcurl.dll
- %AppDataLocal%\{random folder name}\pthreadGC2.dll
- %AppDataLocal%\{random folder name}\zlib1.dll
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %User Profile%\{computer name}\{computer name}.exe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
CpuCoin = "%User Profile%\{computer name}\{computer name}.exe"
Propagation
This worm creates the following folder in all physical and removable drives:
- {drive}:\{computer name}
It drops the following copies of itself in all physical and removable drives:
- {drive}:\{computer name}\{computer name}.exe
Dropping Routine
This worm executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
NOTES:
It executes the dropped minerd.exe as follows to start mining:
- %AppDataLocal%\{random folder name}\minerd.exe --url stratum+tcp://mine.pool-x.eu:9000 --userpass toptests.2:x --retry-pause=2 --scantime=560
It executes the following commands to modify power settings of the system:
- powercfg /x /standby-timeout-ac 0
- powercfg /x /standby-timeout-dc 0
- Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
- Powercfg -SetDcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
The modification results to no monitor idle timeout as well as setting the existing power scheme to balanced mode when operating on AC and DC power.
This malware also deletes the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
GpGpuCoin = "{default value}"
SOLUTION
9.700
10.896.04
01 Jul 2014
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Restart in Safe Mode
Step 3
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- CpuCoin = "%User Profile%\{computer name}\{computer name}.exe"
- CpuCoin = "%User Profile%\{computer name}\{computer name}.exe"
Step 4
Search and delete this file
- %AppDataLocal%\{random folder name}\minerd.exe
- %AppDataLocal%\{random folder name}\libcurl.dll
- %AppDataLocal%\{random folder name}\pthreadGC2.dll
- %AppDataLocal%\{random folder name}\zlib1.dll
Step 5
Search and delete these folders
- %AppDataLocal%\{random folder name}
- {drive}:\{computer name}
Step 6
Restore this deleted registry key/value from backup
*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- GpGpuCoin = "{default value}"
- GpGpuCoin = "{default value}"
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_COINMINE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.