First posted on 03 July 2012.
There are no other names known for Trojan:BAT/MineBicoin.A.
Trojan:BAT/MineBicoin.A is a batch file that is used to launch a Bitcoin mining program that is dropped on your computer without your consent.
The Bitcoin mining program uses your computer's processor to perform the proof-of-work hashing that generates Bitcoins for participants in the Bitcoin P2P (peer-to-peer) network. The results calculated by the mining program are then credited to the attacker's account on a mining pool server.
For more information on Bitcoin currency see https://bitcoin.it/wiki/FAQ.
Trojan:BAT/MineBicoin.A usually arrives in a self-extracting RAR file (WinRAR archive).
In the wild, the most common name for this archive that we have observed is hahahahaha.exe.
When the RAR file is run, it places a number of additional files onto your computer. By default, the RAR file will extract these files to the %TEMP% directory.
These files are as follows:
- %TEMP%\hsbc.exe - a clean utility that hides windows (Note: This file is not detected by Microsoft antivirus solutions.)
- %TEMP%\hakonamatata.cmd - a batch file, detected as Trojan:BAT/MineBicoin.A
- %TEMP%\mamita.exe - a Bitcoin mining program, which may be detected as Program:Win32/CoinMiner
Once these files are in place, the self-extracting archive launches the window-hiding utility, which in turn launches the Trojan:BAT/MineBicoin.A batch file. The batch file then launches the Bitcoin mining program, which runs without a visible window and without your knowledge.
Runs a program without consent
Trojan:BAT/MineBicoin.A launches the Bitcoin mining program that uses your computer to generate Bitcoins which are deposited into the attacker's account on the mining pool server b.mobinil.biz.
The mining program consumes a large share of your computer's processing capacity and can cause it to run slowly or take a long time to open programs.
Trojan:BAT/MineBicoin.A attempts to terminate the following processes if they are running on your computer:
These processes may be related to Bitcoin mining software or previous MineBicoin variants.
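To make the launch chain above concrete, the following is an added triage script, not code from the original page or from Microsoft, that pulls the indicators described here out of a batch file: processes it kills with taskkill, executables it launches from %TEMP%, and the mining pool host it points them at. The sample batch text is constructed for the example; the real hakonamatata.cmd is not reproduced on this page, and the miner command-line flags, the pool port and the names of the killed processes are assumptions.

```python
import re

# Constructed sample shaped like the dropper chain described above. It is
# NOT the real hakonamatata.cmd (its contents are not on the page); the
# miner flags, the pool port and the killed process names are assumptions.
SAMPLE_CMD = r"""@echo off
taskkill /F /IM minerd.exe
taskkill /F /IM bitcoin-miner.exe
start "" "%TEMP%\mamita.exe" -o http://b.mobinil.biz:8332 -u worker -p x
"""

# taskkill ... /IM <image name>  (the page says the batch file kills processes)
TASKKILL_RE = re.compile(r'^\s*taskkill\b.*?/IM\s+"?([^\s"]+)', re.I | re.M)
# an executable launched from %TEMP%
TEMP_EXE_RE = re.compile(r'%TEMP%\\([^\s"\\]+\.exe)', re.I)
# a pool endpoint handed to a miner via -o/--url, optional scheme, host only
POOL_RE = re.compile(r'(?:-o|--url)\s+"?(?:[a-z]+://)?([A-Za-z0-9.-]+)', re.I)


def analyze_batch(text):
    """Extract triage indicators from batch-file text: which processes it
    kills, which %TEMP% executables it starts and which pool hosts it
    points them at. Returns a dict with a simple suspicious verdict."""
    killed = [m.lower() for m in TASKKILL_RE.findall(text)]
    temp_exes = [m.lower() for m in TEMP_EXE_RE.findall(text)]
    # keep only dotted names so a bare worker name is not mistaken for a host
    pools = [h.lower() for h in POOL_RE.findall(text) if "." in h]
    return {
        "killed_processes": killed,
        "temp_executables": temp_exes,
        "pool_hosts": pools,
        # verdict: launches from %TEMP% and either targets a pool host or
        # kills competing processes first, the pattern described above
        "suspicious": bool(temp_exes) and (bool(pools) or bool(killed)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_batch(SAMPLE_CMD), indent=2))
```

On an affected machine the same function can be run over every .cmd and .bat file under %TEMP%; anything it flags is worth collecting together with the sibling .exe files (here the window-hiding utility and the miner) before cleanup, since the killed-process list and the pool host are the artifacts that tie a sample to earlier variants.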
Analysis by Amir Fouda
Last update 03 July 2012