MSIL/Spy.Agent.APY

Category trojan
Size 2076160 B
Detection created Aug 31, 2016
Detection database version 14047
Aliases Trojan.DownLoader21.60459 (Dr.Web)
Short description

MSIL/Spy.Agent.APY is a trojan that uses the hardware resources of the infected computer to mine the Ethereum and Decred digital currencies.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%malwarefilepath%"

The %variable% is one of the following strings:

  • WinStart
  • IEService
  • Microsoft Update
  • Microsoft Viewer Monitor Manager
  • Microsoft Video Driver

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • wireshark
  • vmtoolsd
  • virtualbox
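The persistence and evasion details above can be checked from a defender's side. The following PowerShell check is an added example, not ESET's code; it looks in the current user's Run key for the value names listed on this page and for any value whose data points into the user's temp directory (where the miner components are dropped), and then looks for the listed dropped file names under %temp%. The output object shape is my own.

```powershell
# Added detection check (not from ESET). Run as the user whose profile is in question.
$listedNames = @('WinStart', 'IEService', 'Microsoft Update',
                 'Microsoft Viewer Monitor Manager', 'Microsoft Video Driver')
$runKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$tempDir = [System.IO.Path]::GetTempPath().TrimEnd('\')
# Registry provider metadata properties that Get-ItemProperty attaches; skip them
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-SuspiciousRunEntries {
    if (-not (Test-Path $runKey)) { return @() }
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $nameHit = $listedNames -contains $p.Name
        $tempHit = ("$($p.Value)" -like "$tempDir*")
        if ($nameHit -or $tempHit) {
            [pscustomobject]@{
                Indicator        = 'RunKeyValue'
                Name             = $p.Name
                Value            = $p.Value
                MatchesListedName = $nameHit
                PointsIntoTemp   = $tempHit
            }
        }
    }
}

function Get-DroppedMinerFiles {
    # File names this entry lists under %temp%\%variable1%\1 and \2.
    # svchost.exe is only suspicious outside System32, which %temp% always is.
    $dropped = @('vds.exe', 'svchost.exe', 'blake256.cl', 'cudart64_75.dll',
                 'libmicrohttpd-dll.dll', 'libpdcurses.dll', 'pthreadGC2.dll')
    Get-ChildItem -Path $tempDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $dropped -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'DroppedFile'
                Name      = $_.Name
                Value     = $_.FullName
                Size      = $_.Length
            }
        }
}

Get-SuspiciousRunEntries
Get-DroppedMinerFiles
```

A Run-key value pointing into %temp% is suspicious on its own; a listed value name together with one of the dropped file names is the combination this entry describes.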

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (3) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version

The trojan uses the hardware resources of the infected computer to mine the Ethereum and Decred digital currencies.


The trojan may create the following files:

  • %temp%\%variable1%\1\OpenCL.dll (21504 B)
  • %temp%\%variable1%\1\cudart64_75.dll (360736 B)
  • %temp%\%variable1%\1\libcurl.dll (278016 B)
  • %temp%\%variable1%\1\libmicrohttpd-dll.dll (94208 B)
  • %temp%\%variable1%\1\var.txt (8904 B)
  • %temp%\%variable1%\1\vds.exe (1350656 B, Win32/BitCoinMiner.CV)
  • %temp%\%variable1%\2\OpenCL.dll (57344 B)
  • %temp%\%variable1%\2\blake256.cl (35772 B)
  • %temp%\%variable1%\2\libcurl-4.dll (325288 B)
  • %temp%\%variable1%\2\libpdcurses.dll (148760 B)
  • %temp%\%variable1%\2\pthreadGC2.dll (94300 B)
  • %temp%\%variable1%\2\svchost.exe (704606 B, Win32/BitCoinMiner.BF)

The trojan may execute the following commands:

  • %temp%\%variable1%\1\vds.exe %variable2%
  • %temp%\%variable1%\2\svchost.exe %variable3%

A string with variable content is used instead of %variable1-3%.


The trojan requires the Microsoft .NET Framework to run.
