OSX/DevilRobber [Threat Name]

OSX/DevilRobber.A [Threat Variant Name]

Category trojan
Size 39168 B
Detection created Oct 30, 2011
Detection database version 6587
Aliases Backdoor.OSX.Miner.a (Kaspersky)
  OSX.Coinbitminer (Symantec)
  Backdoor:OSX/DevilRobber.A (F-Secure)

Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan uses the hardware resources of the infected computer for mining the Bitcoin digital currency.


The trojan is usually bundled within installation packages of various legitimate software.

The trojan does not create any copies of itself.

The trojan is usually found in the following folder:

  • %home%/Library/mdsa1331/

Its filename may be one of the following:

  • mdsa

Information stealing

The trojan collects the following information:

  • a list of recently visited URLs
  • shell command history
  • screenshots
  • Bitcoin wallet contents
  • external IP address of network device
  • network parameters
  • number of files containing specific text strings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 2 FTP addresses. The TCP, FTP and SSDP protocols are used.

It can execute the following operations:

  • set up a proxy server
  • send files to a remote computer
  • capture screenshots
  • send gathered information

The trojan opens some ports:

  • 34123
  • 34321
  • 34522

The trojan may create the following files:

  • 1.png
  • s.txt

Then the trojan deletes these files.

The trojan creates the following files:

  • dump.txt
  • abc.lck
  • %variable1%_%variable2%_%variable3%.zip

Then the trojan deletes these files.

Strings with variable content are used in place of %variable1%, %variable2% and %variable3%.

The trojan executes the following files:

  • polipo
  • miner.sh
  • acab.sh
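
A host triage check built from the indicators listed above, added here as an example and not part of the original description. It assumes the listed helper and scratch files sit in the same folder as mdsa and that the ports are TCP listeners; the function names and the sample lsof lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for the host indicators named in this description.
DR_DIR="Library/mdsa1331"   # folder from this page, relative to the user's home
# File names from this page; ASSUMPTION: they sit in the same folder as mdsa.
DR_FILES="mdsa polipo miner.sh acab.sh dump.txt abc.lck 1.png s.txt"
DR_PORTS="34123 34321 34522"  # ports from this page; ASSUMPTION: TCP listeners

# find_artifacts HOME_DIR: print the folder and each listed file found in it.
find_artifacts() {
    home=$1
    [ -d "$home/$DR_DIR" ] || return 0
    echo "$home/$DR_DIR"
    for f in $DR_FILES; do
        [ -e "$home/$DR_DIR/$f" ] && echo "$home/$DR_DIR/$f"
    done
    return 0
}

# listening_hits: read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and
# print "COMMAND PORT" for every listener bound to one of the listed ports.
listening_hits() {
    awk -v ports="$DR_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $NF == "(LISTEN)" {
            port = $(NF - 1)
            sub(/.*:/, "", port)      # keep what follows the last colon
            if (port in want) print $1, port
        }'
}

# sample_lsof: constructed lsof lines for trying the parser offline.
sample_lsof() {
    cat <<'EOF'
COMMAND PID USER  FD TYPE DEVICE SIZE/OFF NODE NAME
mdsa    612 alice 5u IPv4 0x1    0t0      TCP  *:34123 (LISTEN)
sshd    80  root  3u IPv4 0x2    0t0      TCP  *:22 (LISTEN)
polipo  640 alice 7u IPv6 0x3    0t0      TCP  [::1]:34321 (LISTEN)
EOF
}

# Run with --scan on the machine being checked; --demo uses the sample lines.
case "${1:-}" in
    --scan) find_artifacts "$HOME"
            lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | listening_hits ;;
    --demo) sample_lsof | listening_hits ;;
esac
```

An empty result from --scan only means these specific indicators are absent; the scratch files are deleted by the trojan after use, so they may not be present even on an affected machine.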
