VBS/CoinMiner [Threat Name]

VBS/CoinMiner.C [Threat Variant Name]

Category: trojan
Size: 7150 B
Aliases: VBS:BitDown-A (Avast), VBS/Downloader.Agent (AVG)
Short description

VBS/CoinMiner.C is a trojan that uses the hardware resources of the infected computer for mining the Bitcoin digital currency.

Installation

The trojan creates the following folders:

  • C:\ProgramData\Adobe\

The folder may have the System (S) and Hidden (H) attributes set in an attempt to hide it in Windows Explorer.


The trojan copies itself to the following location:

  • C:\ProgramData\Adobe\%originalmalwarefilename%

In order to be executed on every system start, the trojan modifies the following Registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Adobe" = "C:\ProgramData\Adobe\%originalmalwarefilename%"

The trojan needs the following files to run:

  • %windir%\system32\OpenCL.dll

The trojan checks for Internet connectivity by trying to connect to the following addresses:

  • google.com

Other information


The trojan contains a URL address.


It tries to download the remaining part of the infiltration from that address. The HTTP protocol is used for the communication.


The following files are dropped:

  • %temp%/svchost.exe (370702 B, Win32/BitCoinMiner.D)
  • %temp%/libcurl-4.dll (249344 B)
  • %temp%/libpdcurses.dll (87054 B)
  • %temp%/libusb-1.0.dll (177207 B)
  • %temp%/phatk120724.cl (13650 B)
  • %temp%/pthreadGC2.dll (68096 B)

The trojan runs the following process:

  • %temp%\svchost.exe %parameters%

A URL address is passed in place of %parameters%.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "HideSCAHealth" = 1

The following services are disabled:

  • Windows Security Center
  • Windows Defender
  • Windows Firewall
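The persistence entry under Installation and the policy and service changes listed above are host artifacts a responder can check offline. The following script is an added example (not ESET's code and not part of this page): it parses a `reg export`-style text dump and a list of disabled service names and reports which of the indicators described on this page are present. The registry dump and service list are constructed sample data, and "update.vbs" is a placeholder standing in for %originalmalwarefilename%.

```python
# Indicators quoted from the VBS/CoinMiner.C description above
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
DROP_DIR = "c:\\programdata\\adobe\\"          # folder the trojan copies itself into
SERVICES = {"Windows Security Center", "Windows Defender", "Windows Firewall"}

def parse_reg_export(text):
    """Parse a `reg export`-style text dump into {key.lower(): {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            value = value.strip()
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")   # .reg escapes backslashes
            keys[current][name.strip('"')] = value
    return keys

def assess(reg_text, disabled_services):
    """Return the indicators from the description that are present in the collected data."""
    keys = parse_reg_export(reg_text)
    findings = []
    run_value = keys.get(RUN_KEY.lower(), {}).get("Adobe", "")
    if run_value.lower().startswith(DROP_DIR):
        findings.append("persistence: Run\\Adobe -> " + run_value)
    policy = keys.get(POLICY_KEY.lower(), {}).get("HideSCAHealth", "")
    if policy.lower() == "dword:00000001":
        findings.append("policy: HideSCAHealth = 1 (Security Center warnings hidden)")
    for svc in sorted(SERVICES & set(disabled_services)):
        findings.append("service disabled: " + svc)
    return findings

# Constructed sample data: a registry export and service inventory from a hypothetical infected host
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe"="C:\\ProgramData\\Adobe\\update.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HideSCAHealth"=dword:00000001
'''
SAMPLE_DISABLED = ["Windows Defender", "Windows Firewall", "Print Spooler"]

if __name__ == "__main__":
    for finding in assess(SAMPLE_REG, SAMPLE_DISABLED):
        print(finding)
```

On a live host the dump would come from `reg export` of the two keys and the service list from `sc query` or the Services MMC; a legitimate "Adobe" Run value pointing outside C:\ProgramData\Adobe\ produces no finding.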
