
Trojan:BAT/MineBicoin.B


First posted on 23 June 2012.
Source: Microsoft

Aliases:

Trojan:BAT/MineBicoin.B is also known as BAT/Miner.A (Command), BAT/Miner.BA (AVG), Trojan.BAT.Miner.i (Kaspersky), W32/Miner.A (Norman), BAT_MINER.LEX (Trend Micro), Bitcoin Miner (Sophos), W32/Miner.A.dropper (Norman).

Explanation:



Trojan:BAT/MineBicoin.B is a batch script that runs another program which results in the mining of Bitcoins, a decentralized digital currency.



Installation

This batch file is included in a self-extracting RAR file, which also contains a standard Bitcoin mining program, and another program used to hide windows.

When extracted, the RAR file launches the window-hiding program, which in turn launches the batch file detected as Trojan:BAT/MineBicoin.B. The batch file then launches the Bitcoin mining program, which usually runs without your knowledge.

The batch file may have any of the following file names:

  • yz.bat
  • gtest.cmd


The Bitcoin mining program, detected as Program:Win32/CoinMiner, may have any of the following file names:

  • mamita.exe
  • svchoost.exe
  • cgminer.exe


The window-hiding program may have any of the following file names:

  • hid.exe
  • hsbc.exe
  • hsbca.exe


Payload

Runs a program without consent

When the dropper executes, it runs the window-hiding program, which runs MineBicoin.B, which in turn runs the mining program. Any Bitcoins mined on your computer are recorded on the server "b.mobinil.biz:8332".
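
The launch sequence described above can be hunted for in process-creation telemetry. The following is an added example, not part of the original Microsoft write-up: it walks parent/child process records and reports a miner whose parent ran one of the listed batch files and whose grandparent is one of the listed window-hiding programs. The event field names (pid, ppid, image, cmdline), the sample paths, and the idea that the batch file runs under cmd.exe and that the server address may appear on the miner's command line are assumptions.

```python
import ntpath

# File names and server address exactly as listed in this write-up.
BATCH_NAMES = {"yz.bat", "gtest.cmd"}
MINER_NAMES = {"mamita.exe", "svchoost.exe", "cgminer.exe"}
HIDER_NAMES = {"hid.exe", "hsbc.exe", "hsbca.exe"}
POOL = "b.mobinil.biz:8332"

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path.strip('"')).lower()

def find_chains(events):
    """Return one finding per miner process whose ancestry is
    window hider -> batch file -> miner."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if base(ev["image"]) not in MINER_NAMES:
            continue
        parent = by_pid.get(ev["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        if grand is None or base(grand["image"]) not in HIDER_NAMES:
            continue
        # Assumption: the batch file is run by cmd.exe, so its name is
        # found in the parent's command line rather than its image path.
        batch = [n for n in sorted(BATCH_NAMES) if n in parent["cmdline"].lower()]
        if batch:
            findings.append({
                "miner_pid": ev["pid"],
                "chain": [base(grand["image"]), batch[0], base(ev["image"])],
                "pool_in_cmdline": POOL in ev["cmdline"].lower(),
            })
    return findings

# Constructed sample events (hypothetical paths, not real telemetry).
T = "C:\\Users\\a\\AppData\\Local\\Temp\\"
SAMPLE = [
    {"pid": 100, "ppid": 4, "image": T + "hid.exe", "cmdline": "hid.exe yz.bat"},
    {"pid": 101, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": 'cmd.exe /c "' + T + 'yz.bat"'},
    {"pid": 102, "ppid": 101, "image": T + "svchoost.exe", "cmdline": "svchoost.exe b.mobinil.biz:8332"},
    {"pid": 200, "ppid": 4, "image": "C:\\Tools\\cgminer.exe", "cmdline": "cgminer.exe"},
]

if __name__ == "__main__":
    for finding in find_chains(SAMPLE):
        print(finding)
```

The stand-alone cgminer.exe record (pid 200) is not reported, because the check keys on the full launch chain rather than on the miner's file name alone.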



Analysis by Chris Stubbs

Last update 23 June 2012

 
