Security home

 

Home / malwarePDF  

Trojan:BAT/MineBicoin.A


First posted on 03 July 2012.
Source: Microsoft

Aliases :

There are no other names known for Trojan:BAT/MineBicoin.A.

Explanation :



Trojan:BAT/MineBicoin.A is a batch file that is used to launch a Bitcoin mining program that is dropped on your computer without your consent.

The Bitcoin mining program uses your computer to solve a complex algorithm that generates Bitcoins for users involved in the BitcoinP2P (peer-to-peer) network. The results calculated by the mining program are then associated with the attacker's account on a mining pool server.

For more information on Bitcoin currency see https://bitcoin.it/wiki/FAQ.



Installation

Trojan:BAT/MineBicoin.A usually arrives in a self-extracting RAR file (WinRAR archive).

In the wild, the most common name for this archive that we have observed is hahahahaha.exe.

When the RAR file is run, it places a number of additional files onto your computer. By default, the RAR file will extract these files to the %TEMP% directory.

These files are as follows:

  • %TEMP%\hsbc.exe - a clean utility that hides windows (Note: This file is not detected by Microsoft antivirus solutions.)
  • %TEMP%\ hakonamatata.cmd - a batch file, detected as Trojan:BAT/MineBicoin.A
  • %TEMP%\ mamita.exe - a Bitcoin mining program, which may be detected as Program:Win32/CoinMiner


When it has placed these files on your computer, it launches the window-hiding utility, which in turn launches the Trojan:BAT/MineBicoin.A batch file. The batch file launches the Bitcoin mining program which runs without your knowledge.



Payload

Runs a program without consent

Trojan:BAT/MineBicoin.A launches the Bitcoin mining program that uses your computer to generate Bitcoins which are deposited into the attacker's account on the mining pool server b.mobinil.biz.

The mining program might use your computer's resources and cause it to run slowly or take a long time to open programs.

Terminates processes

Trojan:BAT/MineBicoin.A attempts to terminate the following processes if they are running on your computer:

  • svchoost.exe
  • mamita.exe


These processes may be related to Bitcoin mining software or previous MineBicoin variants.



Analysis by Amir Fouda

Last update 03 July 2012

 

TOP

Malware :

Family: