Home / malware Trojan.Coinbitclip
First posted on 03 February 2016.
Source: SymantecAliases :
There are no other names known for Trojan.Coinbitclip.
Explanation :
Once executed, the Trojan creates the following files:
%AppData%\Blizzard\Hearthstone.exe%UserProfile%\Application Data\hearthstone\updater.exe
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Hearthstone.exe" = "%AppData%\Blizzard\Hearthstone.exe2
The Trojan then monitors the compromised computer for Bitcoin addresses copied to the clipboard.
The Trojan contains a hardcoded list of Bitcoin addresses.
Once the Trojan detects a Bitcoin address in the clipboard, it replaces it with one from the hardcoded list.
The Trojan selects an address from the list that most closely resembles the address it is replacing.Last update 03 February 2016
