Win32/CoinMiner [Threat Name]

Win32/CoinMiner.BJ [Threat Variant Name]

Category trojan
Size 5783040 B
Detection created Feb 11, 2013
Detection database version 7994
Aliases Trojan.Win32.Genome.ajtwf (Kaspersky)
  Trojan:Win32/Tarcloin.C (Microsoft)
  Trojan.Gen (Symantec)

Short description

Win32/CoinMiner.BJ is a trojan that uses the hardware resources of the infected computer for mining the Bitcoin digital currency.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Integrated Driver" = "%malwarefilepath%"

The trojan creates the following files:

  • %temp%\%variable%\diablo121016.cl (117928 B)
  • %temp%\%variable%\diakgcn121016.cl (82144 B)
  • %temp%\%variable%\libblkmaker-0.1-0.dll (36864 B)
  • %temp%\%variable%\libblkmaker_jansson-0.1-0.dll (35504 B)
  • %temp%\%variable%\libcurl-4.dll (607576 B)
  • %temp%\%variable%\libcurl.dll (1620656 B)
  • %temp%\%variable%\libeay32.dll (4437336 B)
  • %temp%\%variable%\libidn-11.dll (746552 B)
  • %temp%\%variable%\libjansson-4.dll (154288 B)
  • %temp%\%variable%\libpdcurses.dll (451832 B)
  • %temp%\%variable%\libusb-1.0.dll (215728 B)
  • %temp%\%variable%\mscol.exe (1096368 B)
  • %temp%\%variable%\pdcurses.dll (247128 B)
  • %temp%\%variable%\phatk121016.cl (34832 B)
  • %temp%\%variable%\poclbm121016.cl (114560 B)
  • %temp%\%variable%\pthreadGC2.dll (181592 B)
  • %temp%\%variable%\scrypt121016.cl (57528 B)
  • %temp%\%variable%\ssleay32.dll (940720 B)
  • %temp%\%variable%\system (306 B)
  • %temp%\%variable%\zlib1.dll (226648 B)
  • %temp%\%variable%\zzBPAvira.junk (27248 B)

A string with variable content is used instead of %variable%.
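
Because %variable% changes, a check has to match on the contents of a directory rather than on its path. The following is an added example, not part of the original description or the vendor's tooling: it walks a directory tree and reports any directory that holds several of the listed files. The chosen subset of names and the threshold of four hits are assumptions; the names and sizes come from the list above.

```python
"""Scan a directory tree for the file set listed in this description."""
import os
import sys

# Names and sizes (bytes) copied from the description's file list. Only the
# less generic names are used; DLLs such as zlib1.dll ship with many programs.
DROPPED = {
    "mscol.exe": 1096368, "zzBPAvira.junk": 27248, "system": 306,
    "diablo121016.cl": 117928, "diakgcn121016.cl": 82144,
    "phatk121016.cl": 34832, "poclbm121016.cl": 114560,
    "scrypt121016.cl": 57528, "libblkmaker-0.1-0.dll": 36864,
    "libblkmaker_jansson-0.1-0.dll": 35504,
}
MIN_NAMES = 4  # assumption: hits needed before a directory is reported


def scan(root, min_names=MIN_NAMES):
    """Return [(directory, name_hits, size_hits)] for directories under root
    that hold at least min_names of the listed files."""
    wanted = {name.lower(): size for name, size in DROPPED.items()}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names, sizes = [], []
        for fname in files:
            expected = wanted.get(fname.lower())  # Windows names ignore case
            if expected is None:
                continue
            names.append(fname)
            try:
                if os.path.getsize(os.path.join(dirpath, fname)) == expected:
                    sizes.append(fname)
            except OSError:
                pass  # file locked or removed mid-scan: keep the name hit only
        if len(names) >= min_names:
            findings.append((dirpath, sorted(names), sorted(sizes)))
    return findings


if __name__ == "__main__":
    # Default to the current user's temp directory, where %temp% points.
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", "/tmp")
    for directory, names, sizes in scan(root):
        print(f"{directory}: {len(names)} listed names, {len(sizes)} size matches")
```

A directory reported with both name and size matches is a stronger indication than name matches alone, since legitimate mining software uses the same kernel and library names.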


The trojan executes the following files:

  • %temp%\%variable%\mscol.exe (1096368 B)

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs. The HTTP protocol is used.


The trojan may create the following files:

  • %currentfolder%\IMG_37153486_1256458.jpg
