Trojan.Win32.BitMin.bz (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.CoinMiner!IK (Emsisoft), PUP.Win32.BitcoinMiner.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 78127faff890bc1d09b220f74d6e1e7a
SHA1: 54fe5168e84e59e6923614fc3c53bfc84fad5ca4
SHA256: 58a00470b44f9717630499b40b854cf4f05085f77deefec7ed7cbffd3e72f9f0
SSDeep: 12288:JtRXrUy90xJRvNZjNqVvXFa0sr gf4/HNdxe6rfsm3VpxZq0YAdZ8Pum640Ip:xUyiRHjNqFsr gg/HhrfR33YAdiR60p
Size: 1068544 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller Inc.
Created at: 2013-02-17 09:00:50
Summary: Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware onto the user's system. In this sample the dropped payload is a Bitcoin miner: the second stage cz.exe writes GPU mining kernels (phatk.cl, phatk.ptx), miner.dll, coinutil.dll and an svchost.exe look-alike under %Application Data%\MIvQH, registers taskengine.exe in the HKCU Run key, and contacts api.bitcoin.cz (the API host of the Slush mining pool).
Dynamic Analysis
Process activity
The PUP creates the following process(es):
78127faff890bc1d09b220f74d6e1e7a.exe:1760
cz.exe:1556
The PUP injects its code into the following process(es):
PS3JAI~1.EXE:872
File activity
The process 78127faff890bc1d09b220f74d6e1e7a.exe:1760 makes changes in a file system.
The PUP creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PS3JAI~1.EXE (17260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\cz.exe (9 bytes)
The process cz.exe:1556 makes changes in a file system.
The PUP creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\MIvQH\phatk.ptx (10385 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\coinutil.dll (2336 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\svchost.exe (7670 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\taskengine.exe (9 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\usft_ext.dll (39820 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\phatk.cl (388 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\miner.dll (17376 bytes)
Registry activity
The process 78127faff890bc1d09b220f74d6e1e7a.exe:1760 makes changes in a system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 38 98 B3 51 D1 D8 F8 A4 21 83 01 55 37 87 D4"
(The RNG Seed value is rewritten by CryptoAPI whenever any process requests random bytes; it is a side effect of the run, not an indicator of this PUP.)
The process also sets a RunOnce value. This is not persistence for the PUP: "wextract_cleanup0" is the standard entry written by the Windows self-extracting packager (WExtract/IExpress, which is also what creates the IXP000.TMP folder), and it only calls DelNodeRunDLL32 in advpack.dll to delete that temporary folder at the next logon:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The process cz.exe:1556 makes changes in a system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 79 15 91 94 2C C2 BA 74 04 DE 27 FE AA CE 39"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
To run itself each time the current user logs on, the PUP adds a link to its dropped file in the HKCU autorun key (Run entries execute at user logon rather than at system boot; the value name "Default" is as reported):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Default" = "%Documents and Settings%\%current user%\Application Data\MIvQH\taskengine.exe"
The process PS3JAI~1.EXE:872 makes changes in a system registry.
The PUP creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 99 C2 F8 77 BC 3E B1 FE 08 9E D2 63 8A E0 E7"
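As an added example (not part of the Lavasoft report), the following Python triage helper applies the file and registry observations above to the report's own indicators: it parses a constructed autorun export built from the registry values listed, labels the WExtract RunOnce entry as installer cleanup and the HKCU Run entry as persistence in a user-writable path, and flags the dropped files that reuse a system binary name outside system32, look like GPU-mining components, or are executables placed under the user profile. The user name "user", the C:\WINDOWS paths, the benign ctfmon.exe entry and all function names are assumptions.

```python
"""Autorun and dropped-file triage for the indicators listed in the report.

Added example, not code from the Lavasoft report. The export text and file
list are constructed from the values the report shows; the user name "user"
and the C:\\WINDOWS paths are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: KEY|VALUE_NAME|DATA per line, plus a benign ctfmon entry.
AUTORUN_EXPORT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|wextract_cleanup0|rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Default|C:\Documents and Settings\user\Application Data\MIvQH\taskengine.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|ctfmon.exe|C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed from the report's file activity (user name assumed).
DROPPED_FILES = [
    r"C:\Documents and Settings\user\Local Settings\Temp\IXP000.TMP\PS3JAI~1.EXE",
    r"C:\Documents and Settings\user\Local Settings\Temp\IXP000.TMP\cz.exe",
    r"C:\Documents and Settings\user\Application Data\MIvQH\phatk.ptx",
    r"C:\Documents and Settings\user\Application Data\MIvQH\coinutil.dll",
    r"C:\Documents and Settings\user\Application Data\MIvQH\svchost.exe",
    r"C:\Documents and Settings\user\Application Data\MIvQH\taskengine.exe",
    r"C:\Documents and Settings\user\Application Data\MIvQH\usft_ext.dll",
    r"C:\Documents and Settings\user\Application Data\MIvQH\phatk.cl",
    r"C:\Documents and Settings\user\Application Data\MIvQH\miner.dll",
]

# Locations an unprivileged user can write to; an autorun target here is a
# persistence lead because legitimate components live under %SystemRoot%.
USER_WRITABLE_MARKERS = (
    "\\application data\\", "\\local settings\\", "\\appdata\\",
    "\\locals~1\\", "\\temp\\",
)
# Names that only belong under %SystemRoot%\system32 on a clean host.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Drive-letter or %VAR%-rooted paths ending in .exe/.dll, quoted or bare.
_PATH_RE = re.compile(
    r'"((?:[a-z]:|%[^%]+%)\\[^"]+?\.(?:exe|dll))"'
    r'|((?:[a-z]:|%[^%]+%)\\[^",]+?\.(?:exe|dll))',
    re.IGNORECASE,
)


def command_targets(data: str) -> List[str]:
    """Return every executable or DLL path referenced by an autorun command."""
    return [quoted or bare for quoted, bare in _PATH_RE.findall(data)]


def parse_export(text: str) -> List[Tuple[str, str, str]]:
    """Split the constructed KEY|NAME|DATA export into tuples."""
    return [tuple(line.split("|", 2)) for line in text.strip().splitlines()]


def classify_autorun(key: str, name: str, data: str) -> str:
    """Label one autorun value.

    wextract_cleanup* under RunOnce is written by the Windows self-extractor
    (WExtract/IExpress) to delete its IXP*.TMP folder via advpack.dll; it never
    relaunches the dropper, so it is cleanup rather than persistence.
    """
    if (key.lower().endswith("\\runonce")
            and name.lower().startswith("wextract_cleanup")
            and "advpack.dll,delnoderundll32" in data.lower()):
        return "installer-cleanup"
    targets = [t.lower() for t in command_targets(data)]
    if any(marker in t for t in targets for marker in USER_WRITABLE_MARKERS):
        return "user-writable-persistence"
    return "system-path"


def triage_autoruns(text: str) -> Dict[str, str]:
    """Map each autorun value name to its classification."""
    return {name: classify_autorun(key, name, data)
            for key, name, data in parse_export(text)}


def is_mining_component(base: str) -> bool:
    """OpenCL/PTX kernel files and miner libraries point at GPU coin mining."""
    return base.endswith((".cl", ".ptx")) or "miner" in base or "coinutil" in base


def flag_dropped_files(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for each dropped file worth a closer look."""
    findings = []
    for path in paths:
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if base in SYSTEM_BINARY_NAMES and "\\system32\\" not in low:
            findings.append((path, "system-binary-name-outside-system32"))
        elif is_mining_component(base):
            findings.append((path, "mining-component"))
        elif base.endswith(".exe") and any(m in low for m in USER_WRITABLE_MARKERS):
            findings.append((path, "executable-in-user-writable-path"))
    return findings


if __name__ == "__main__":
    for name, verdict in triage_autoruns(AUTORUN_EXPORT).items():
        print(f"{verdict:32} {name}")
    for path, reason in flag_dropped_files(DROPPED_FILES):
        print(f"{reason:40} {path}")
```

On the report's data this leaves usft_ext.dll unflagged (nothing in its name or location alone marks it), which is the point of the exercise: the registry value that matters for cleanup is the HKCU Run entry, while the RunOnce entry will remove itself and the temp folder on the next logon.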
Network activity (URLs)
URL: hxxp://141.101.117.209/btcfiles/coinutil.dll Country: Europe
URL: api.bitcoin.cz IP: 176.31.157.132
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
78127faff890bc1d09b220f74d6e1e7a.exe:1760
cz.exe:1556
(The process IDs above are those observed in the sandbox run and will differ on an infected host. Identify the processes by image path: the svchost.exe to terminate is the copy under %Application Data%\MIvQH, not the genuine %System%\svchost.exe.)
- Delete the original PUP file.
- Delete or disinfect the following files created/modified by the PUP:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\PS3JAI~1.EXE (17260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\cz.exe (9 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\phatk.ptx (10385 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\coinutil.dll (2336 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\svchost.exe (7670 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\taskengine.exe (9 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\usft_ext.dll (39820 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\phatk.cl (388 bytes)
%Documents and Settings%\%current user%\Application Data\MIvQH\miner.dll (17376 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
(This RunOnce value is the self-extractor's own cleanup entry; it deletes the IXP000.TMP folder and itself at the next logon. The value that actually restarts the miner is the HKCU Run entry below.)
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Default" = "%Documents and Settings%\%current user%\Application Data\MIvQH\taskengine.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.