MSIL/CoinMiner [Threat Name]

MSIL/CoinMiner.AV [Threat Variant Name]

Category trojan
Size 20480 B
Detection created Nov 15, 2012
Detection database version 7696
Aliases Trojan.Win32.Agent.xqos (Kaspersky)
  Win32:BitCoinMiner-CM (Avast)
  TR/Agent.xqos (Avira)
Short description

MSIL/CoinMiner.AV is a trojan that uses the hardware resources of the infected computer for mining the Bitcoin digital currency.

Installation

The trojan does not create any copies of itself.


The trojan is probably a part of other malware.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Windows Update" = "%malwarefilepath%"

The trojan creates the following files:

  • %currentfolder%\KB2656351_10.0.30301\taskmgn.exe

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used in the communication.


The trojan uses the hardware resources of the infected computer for mining the Bitcoin digital currency.


The trojan runs the following process:

  • %currentfolder%\KB2656351_10.0.30301\taskmgn.exe -o http://%randomipaddress%:%randomport% -u %variable%

A string with variable content is used instead of %variable%.
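
The registry entry, dropped file and process command line described above can be matched in endpoint telemetry. The following is an added example, not part of the original description or of any vendor tooling; the event field names (type, key, value_name, path, attributes, command_line) and the sample events are constructed assumptions.

```python
import re

# Indicators from the description above; event field names are assumptions.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
USER_HIVES = {"hkcu", "hkey_current_user", "hku", "hkey_users"}
DROP_TAIL = ["kb2656351_10.0.30301", "taskmgn.exe"]
# ...\KB2656351_10.0.30301\taskmgn.exe -o http://<ip>:<port> -u <string>
CMD_RE = re.compile(
    r'\\kb2656351_10\.0\.30301\\taskmgn\.exe"?\s+-o\s+http://'
    r'(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s+-u\s+\S+', re.IGNORECASE)

def check_event(ev):
    """Return the reasons one event matches the described behaviour."""
    hits = []
    if ev["type"] == "registry_set":
        key = ev["key"].lower()
        per_user = key.split("\\", 1)[0] in USER_HIVES
        if per_user and key.endswith(RUN_KEY) \
                and ev["value_name"].lower() == "windows update":
            hits.append("per-user Run value 'Windows Update'")
    elif ev["type"] == "process_create":
        m = CMD_RE.search(ev["command_line"])
        if m:
            hits.append(f"taskmgn.exe started with -o http://{m.group(1)}:{m.group(2)}")
    elif ev["type"] == "file_create":
        if ev["path"].lower().split("\\")[-2:] == DROP_TAIL:
            hidden = {"S", "H"} <= set(ev.get("attributes", ""))
            hits.append("taskmgn.exe dropped" + (" with S+H set" if hidden else ""))
    return hits

def scan(events):
    """Return (index, reasons) for every event with at least one match."""
    return [(i, r) for i, r in enumerate(map(check_event, events)) if r]

# Constructed sample events (not real telemetry); 192.0.2.10 is a documentation address.
BASE = r"C:\Users\test\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "registry_set", "value_name": "Windows Update",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "file_create", "attributes": "SH",
     "path": BASE + r"\KB2656351_10.0.30301\taskmgn.exe"},
    {"type": "process_create", "command_line":
     BASE + r"\KB2656351_10.0.30301\taskmgn.exe -o http://192.0.2.10:8332 -u worker01"},
    {"type": "process_create", "command_line": r"C:\Windows\System32\taskmgr.exe"},
    {"type": "registry_set", "value_name": "Windows Update",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, reasons)
```

The file name taskmgn.exe differs from the legitimate taskmgr.exe by one letter, so the match is made on the exact name and parent folder rather than on a fuzzy pattern.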

