Win32/CoinMiner [Threat Name]

Win32/CoinMiner.DY [Threat Variant Name]

Category trojan
Size 779 MB
Detection created Jun 10, 2013
Detection database version 8431
Aliases Trojan-Dropper.Win32.Dapato.cesh (Kaspersky)
  Trojan.Coinbitminer (Symantec)
Short description

Win32/CoinMiner.DY is a trojan that uses the hardware resources of the infected computer for mining the Bitcoin digital currency. The file is run-time compressed using Smart Install Maker.

Installation

When executed, the trojan creates the following files:

  • %windir%\API.class (3431 B)
  • %windir%\API.java (3306 B)
  • %windir%\api-example.c (7530 B)
  • %windir%\api-example.php (2174 B)
  • %windir%\csrss.exe (185856 B, Win32/CoinMiner.DY)
  • %windir%\diablo130302.cl (44727 B)
  • %windir%\diakgcn121016.cl (30802 B)
  • %windir%\example.conf (763 B)
  • %windir%\libcurl.dll (602624 B)
  • %windir%\libeay32.dll (1625 KB)
  • %windir%\libidn-11.dll (192512 B)
  • %windir%\librtmp.dll (133632 B)
  • %windir%\libssh2.dll (170496 B)
  • %windir%\libusb-1.0.dll (110094 B)
  • %windir%\lsass.exe (567310 B, Win32/BitCoinMiner.D)
  • %windir%\lsass-nogpu.exe (471566 B, Win32/BitCoinMiner.N)
  • %windir%\miner.php (64577 B)
  • %windir%\phatk121016.cl (13062 B)
  • %windir%\poclbm130302.cl (43810 B)
  • %windir%\scrypt130302.cl (23811 B)
  • %windir%\ssleay32.dll (352768 B)
  • %windir%\svchost.exe (61440 B, Win32/CoinMiner.DY)
  • %windir%\zlib1.dll (84992 B)
  • %windir%\bitstreams\COPYING_fpgaminer (983 B)
  • %windir%\bitstreams\COPYING_ztex (811 B)
  • %windir%\bitstreams\fpgaminer_top_fixed7_197MHz.ncd (3596 KB)
  • %windir%\bitstreams\ztex_ufm1_15b1.bit (2395 KB)
  • %windir%\bitstreams\ztex_ufm1_15d1.bit (4121 KB)
  • %windir%\bitstreams\ztex_ufm1_15d3.bit (4121 KB)
  • %windir%\bitstreams\ztex_ufm1_15d4.bin (6792 B)
  • %windir%\bitstreams\ztex_ufm1_15d4.bit (4121 KB)
  • %windir%\bitstreams\ztex_ufm1_15y1.bin (6794 B)
  • %windir%\bitstreams\ztex_ufm1_15y1.bit (4121 KB)
  • %temp%\tmp.tmp (752 MB)

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "explorer.exe, %windir%\csrss.exe"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00]
    • "DisplayName" = "NewProduct 1.00"
    • "DisplayVersion" = "1.00"
    • "VersionMajor" = 1
    • "VersionMinor" = 0
    • "Publisher" = "Company"
    • "DisplayIcon" = "C:\Program Files\Company\NewProduct\Uninstall.exe"
    • "UninstallString" = "C:\Program Files\Company\NewProduct\Uninstall.exe"
    • "URLInfoAbout" = "http://www.company.com/"
    • "HelpLink" = "mailto:support@company.com"
    • "InstallLocation" = "C:\Program Files\Company\NewProduct\"
    • "InstallSource" = "C:\Documents and Settings\Administrator\Desktop\"
    • "InstallDate" = "20130730"
    • "Language" = 2052
    • "EstimatedSize" = 798077
    • "NoModify" = 1
    • "NoRepair" = 1

The trojan may create copies of itself using the following filenames:

  • D:\Program Files\iexplare.exe (61440 B, Win32/CoinMiner.DY)

The file is then executed.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "ºÃÓÃÀ²" = "%malwarepath%\smssd.exe"
    • "hao123" = "D:\Program Files\iexplare.exe %variable%"

This causes the trojan to be executed on every system start.


A string with variable content is used instead of %variable%.
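The persistence and masquerading artifacts described above can be audited with the following read-only PowerShell script. It is an added example, not part of the ESET entry; it assumes the file names, Registry paths and value names listed on this page and runs in an elevated session.

```powershell
# Added audit script (not from the ESET entry): read-only checks for the
# Win32/CoinMiner.DY artifacts listed above. All names come from this page.
function Get-CoinMinerDYIndicators {
    $hits = New-Object System.Collections.Generic.List[string]

    # 1. Winlogon "Shell" must be exactly "explorer.exe"; the trojan appends csrss.exe.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell.Trim() -ne 'explorer.exe') {
            $hits.Add("Winlogon Shell in $hive modified: '$shell'")
        }
    }

    # 2. Run-key entries: the hao123 value name, or commands launching the dropped copies.
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
            if ($p.Name -eq 'hao123' -or "$($p.Value)" -match 'iexplare\.exe|smssd\.exe') {
                $hits.Add("Run entry '$($p.Name)' = '$($p.Value)'")
            }
        }
    }

    # 3. Fake system binaries dropped into %windir% itself; the genuine ones live in System32.
    #    -Force makes Get-Item return files carrying the Hidden/System attributes.
    foreach ($name in 'csrss.exe', 'lsass.exe', 'lsass-nogpu.exe', 'svchost.exe') {
        $path = Join-Path $env:windir $name
        if (Test-Path -LiteralPath $path) {
            $attr = (Get-Item -LiteralPath $path -Force).Attributes
            $hits.Add("Masquerading binary $path (attributes: $attr)")
        }
    }

    # 4. The decoy uninstall entry registered by the Smart Install Maker package.
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewProduct 1.00'
    if (Test-Path -LiteralPath $uninst) { $hits.Add("Uninstall key present: $uninst") }

    return $hits
}

$results = Get-CoinMinerDYIndicators
if ($results.Count -eq 0) { 'No Win32/CoinMiner.DY indicators found.' } else { $results }
```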

Other information

The trojan uses the hardware resources of the infected computer for mining the Bitcoin digital currency.


The trojan executes the following commands:

  • C:\Windows\svchost.exe %variable1%
  • C:\Windows\lsass.exe --url http://51wakuang.net:9332 --user %variable2% --pass %variable3% --auto-fan --auto-gpu
  • C:\Windows\lsass.exe --scrypt --url http://51wakuang.net:9327 --user %variable2% --pass %variable3% --auto-fan --auto-gpu

A string with variable content is used instead of %variable1-3%.


The trojan runs the following process:

  • iexplore.exe http://www.51yingshi.net

The trojan can download and execute a file from the Internet.


The trojan contains a URL address. The HTTP protocol is used in the communication.


The trojan interferes with communication when any of the following sites is accessed:

  • http://www.taobao.com/
  • http://www.tmall.com/

The programs affected include the following:

  • Microsoft Internet Explorer
  • Google Chrome
