BKDR_BTMINE.MNR
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This malware has received attention from independent media sources and/or other security firms. This malware is a part of a package that generate BitCoins and performs DDOS attacks against targeted entities.
To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.
It connects to the malicious URLs to get a list of server IP addresses and saves it in specific files.
The malware connects to the IP addresses in the obtained list to send receive information, download other malware, and get a new list of IP addresses. It builds the URL using specific format.
It downloads publicly available Bitcoin miners such as Phoenix, RPCminer, and Ufasoft. It saves the downloaded package.
This backdoor may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.
TECHNICAL DETAILS
Arrival Details
This backdoor may be downloaded by other malware/grayware/spyware from remote sites.
It may be dropped by other malware.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This backdoor drops the following copies of itself into the affected system:
- %Windows%\update.5.0\svchost.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It creates the following folders:
- %Windows%\update.5.0
- %Windows%\phoenix
- %Windows%\rpcminer
- %Windows%\ufa
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This backdoor adds and runs the following services:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ImagePath = "%Windows%\update.5.0\svchost.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
DisplayName = "srvbtcclient"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ObjectName = "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Security
Security = "{hex values}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
0 = "Root\LEGACY_SRVBTCCLIENT\0000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
Count = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
NextInstance = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
Type = "10"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ErrorControl = "0"
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\btcclient
Process Termination
This backdoor terminates processes or services that contain any of the following strings if found running in the affected system's memory:
- agava
- agava_start
- agnitum
- alwil
- avast
- avast_start
- avira
- avira_start
- comodo
- comodo_start
- doctor web
- drweb
- drweb_start
- eset
- ESET NOD32 Antivirus
- ESET Smart Security
- ESET SysInspector
- ESET SysRescue
- kaspersky
- Kaspersky Internet Security 2009
- Kaspersky Internet Security 2010
- Kaspersky Internet Security 2011
- Kaspersky Internet Security 7.0
- KAV_2008
- KAV_2009
- KAV_2010
- KAV_2011
- KAV_START
- KAV_TXT
- KAV_UNINSTALL
- KAV_URL
- mcafee
- mcafee_start
- NOD_AV_4_2
- NOD_AV_START
- NOD_SS_4_2
- NOD_SS_START
- NOD_SYSINSP
- NOD_SYSRESC
- NOD_TXT
- NOD_UNINSTALL
- norton
- norton_start
- outpost
- Outpost Firewall Pro 7.0
- outpost_start1
- outpost_start2
- virus
Other Details
This backdoor connects to the following URL(s) to check for an Internet connection:
- ya.ru
- google.com
- microsoft.com
NOTES:
This malware is a part of a package that generate BitCoins. Its component malware BKDR_BTMINE.DDOS performs DDOS attacks against targeted entities.
It connects to any of the following malicious URLs to get a list of server IP addresses:
- http://{BLOCKED}-portal-x86.com/distrib_serv/ip_list_{value}.php
- http://{BLOCKED}s-z2012.com/distrib_serv/ip_list_{value}.php
- http://{BLOCKED}vers-win7.com/distrib_serv/ip_list_{value}.php
It saves the list of IP addresses in the following file:
- %Windows%\btc_client_iplist.txt
The malware connects to the IP addresses in the obtained list to send receive information, download other malware, and get a new list of IP addresses. It builds the URL using the following format:
- http://{IP address}/search=error
- http://{IP address}/search=ip_list_{value}.txt
- http://{IP address}/search=ip_list_{value}
- http://{IP address}/btc/knock_client.php
- http://{IP address}/btc/knock_good_2.php
- http://{IP address}/search=myunrar2.exe.txt
- http://{IP address}/search=myunrar2.exe
Sample IP addresses are as follows:
It downloads publicly available Bitcoin miners such as Phoenix, RPCminer, and Ufasoft. It saves the downloaded package as the following:
- %Windows%\{number}_myunrar2.exe
- %Windows%\phoenix.rar
- %Windows%\rpcminer.rar
- %Windows%\ufa.rar
It then extract these archives in the following folders:
- %Windows%\phoenix
- %Windows%\rpcminer
- %Windows%\ufa
It also downloads legitimate GPU and CPU drivers from the following sites to enable the affected system to be able to use the Bitcoin miners effectively:
- http://{BLOCKED}ad2developer.amd.com
- http://{BLOCKED}2.ati.com
- http://{BLOCKED}s.amd.com
SOLUTION
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 3
Restart in Safe Mode
Step 4
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- srvbtcclient
- srvbtcclient
- In HKEY_LOCAL_MACHINE\SOFTWARE
- btcclient
- btcclient
Step 5
Search and delete these folders
- %Windows%\update.5.0
- %Windows%\phoenix
- %Windows%\rpcminer
- %Windows%\ufa
Step 6
Search and delete these files
- %Windows%\{number}_myunrar2.exe
- %Windows%\phoenix.rar
- %Windows%\rpcminer.rar
- %Windows%\ufa.rar
Step 7
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_BTMINE.MNR. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.