Win32/Spy.CoinBit [Threat Name]

Win32/Spy.CoinBit.D [Threat Variant Name]

Category: trojan
Size: 274432 B
Detection created: Jul 08, 2011
Detection database version: 6277
Aliases: Trojan.Win32.Llac.adwi (Kaspersky)
  VirTool:Win32/CeeInject (Microsoft)
  W32/Malware.UOYR (Norman)

Short description

Win32/Spy.CoinBit.D is a trojan that uses the hardware resources of the infected computer for mining the Bitcoin digital currency.

Installation

When executed, the trojan creates the following folder:

  • C:\Cache

The following files are dropped in the same folder:

  • bitcoin-miner.exe
  • run.exe
  • checker.exe

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Antivirus" = "C:\Cache\checker.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 0
    • "DisableTaskMgr" = 1

Other information

The trojan uses the hardware resources of the infected computer for mining the Bitcoin digital currency.


The trojan executes the following commands:

  • bitcoin-miner.exe -a 5 -o http://pool.bitclockers.com:8332 -u %variable1% -p %variable2% -t 24

Strings with variable content are used in place of %variable1% and %variable2%.


The trojan may create the following files:

  • %appdata%\Ff8FfGHdd.txt
  • %temp%\mspush62.tmp
  • %temp%\%number%.tmp\test.bat
  • %temp%p\%number%.tmp\checker.bat
  • %temp%\%number%.tmp\run.bat

The variable %number% represents a randomly generated number in the range 0-65535.
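
A read-only check for the file and Registry artifacts listed above, as an added PowerShell example that is not part of the original description. It assumes %number% is written in decimal and that the script runs in the affected user's session, because the Registry entries are under HKEY_CURRENT_USER.

```powershell
# Added example: reports which artifacts from this description are present.
# Nothing is modified or deleted. All names and values come from the page.
$findings = New-Object System.Collections.Generic.List[string]

# Dropped files in C:\Cache. They may be System + Hidden, so Get-Item needs -Force.
foreach ($name in 'bitcoin-miner.exe', 'run.exe', 'checker.exe') {
    $path = Join-Path 'C:\Cache' $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings.Add("File present: $path (attributes: $($item.Attributes))")
    }
}

# Fixed-name files the trojan may create.
$fixed = @((Join-Path $env:APPDATA 'Ff8FfGHdd.txt'), (Join-Path $env:TEMP 'mspush62.tmp'))
foreach ($path in $fixed) {
    if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
}

# %temp%\%number%.tmp\{test,run}.bat, with %number% in 0-65535.
# Assumption: the number is decimal, so the folder name is 1 to 5 digits.
Get-ChildItem -LiteralPath $env:TEMP -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(\d{1,5})\.tmp$' -and [int]$Matches[1] -le 65535 } |
    ForEach-Object {
        foreach ($bat in 'test.bat', 'run.bat') {
            $path = Join-Path $_.FullName $bat
            if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
        }
    }

# Autostart entry: value "Antivirus" pointing at C:\Cache\checker.exe.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Antivirus' -ErrorAction SilentlyContinue
if ($run -and $run.Antivirus -ieq 'C:\Cache\checker.exe') {
    $findings.Add("Run entry: Antivirus = $($run.Antivirus)")
}

# Policy value that disables Task Manager for the current user.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) {
    $findings.Add('Policy: DisableTaskMgr = 1')
}

if ($findings.Count -gt 0) { $findings } else { 'No listed artifacts found.' }
```

A DisableTaskMgr value of 1 can also come from legitimate administrative policy, so treat it as supporting evidence alongside the C:\Cache files and the Run entry rather than as a detection on its own.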
