
Trojan.BtcMine.1978

Added to the Dr.Web virus database: 2018-01-19

Virus description added:

SHA1:

  • 916f82f365bf5f8bc3e2f87422ddb10303b7a4d6

A Trojan designed to mine cryptocurrency. It is installed on servers running Microsoft Windows Server by exploiting a vulnerability in Cleverence Mobile SMARTS Server.

It is launched as a critical process with the display name "Plug-and-Play Service". If someone tries to terminate this process, Windows performs an emergency shutdown and displays the "blue screen of death" (BSOD). It attempts to delete the following system services:

WinDefend
MsMpSvc
SepMasterService
DrWebEngine
DrWebAVService
AVP
AVP18.0.0
AVP17.0.0
AVP15.0.2
KAVFS
ekrn
a2AntiMalware
ZAMSvc
AntiVirService
QHActiveDefense

It attempts to detect and shut down the following running processes:

anvir
msmpeng
dwengine
dwservice
ekrn
avp
kavfs
ccsvchst
cmdagent
a2service
ZAM
avguard
QHActiveDefense

If at least one of the indicated processes is detected, the Trojan decrypts its resource Service.x64.dat, which stores the Process Hacker driver, saves it to disk as x64.sys and loads it. It uses this driver to terminate the detected running processes.

It obtains the following port list from the configuration:

8100
9100
10100
11100
12100

Then the malicious program starts the SSDPSRV service and attempts to detect a router on its network. For each port in the obtained list, the Trojan uses the UPnP protocol to redirect the router's TCP port to the infected server. It then starts listening on the ports from the list, waiting for incoming HTTP connections.
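The following is an added example, not part of the original description: a way to audit captured UPnP control requests for the port redirection described above. It assumes the mapping is requested through the standard UPnP IGD `AddPortMapping` SOAP action; the helper `soap()` and the address 192.0.2.10 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Port list from the Trojan's configuration, as given on this page.
CONFIG_PORTS = {8100, 9100, 10100, 11100, 12100}

def local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def parse_add_port_mapping(soap_body: str):
    """Return the AddPortMapping arguments as a dict, or None if absent or malformed."""
    # SOAP messages must not carry a DTD; refusing one also avoids entity-expansion input.
    if "<!DOCTYPE" in soap_body or "<!ENTITY" in soap_body:
        return None
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return None
    for el in root.iter():
        # Matching on the local name covers WANIPConnection and WANPPPConnection alike.
        if local(el.tag) == "AddPortMapping":
            return {local(c.tag): (c.text or "").strip() for c in el}
    return None

def flag_mapping(soap_body: str):
    """Return details of a TCP mapping that touches a configured port, else None."""
    args = parse_add_port_mapping(soap_body)
    if args is None or args.get("NewProtocol", "").upper() != "TCP":
        return None
    ports = set()
    for key in ("NewExternalPort", "NewInternalPort"):
        try:
            ports.add(int(args.get(key, "")))
        except ValueError:
            pass  # empty or non-numeric port field
    hits = sorted(ports & CONFIG_PORTS)
    if not hits:
        return None
    return {"internal_client": args.get("NewInternalClient", ""), "ports": hits}

def soap(ext, proto, internal, client):
    """Build a constructed sample request (hypothetical helper, for the demo only)."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        "</u:AddPortMapping></s:Body></s:Envelope>"
    )
```

A hit names the internal host that asked for the mapping, which is the server to examine first.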

To determine which command and control servers are operational (the list of their IP addresses is stored in the Trojan's configuration), it sends them the following string:

"{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"0\",\"pass\":\"x\",\"agent\":\"Test/1.0\"}}\r\n"

The malicious program stores settings required for its operation in the Windows system registry.

[HKEY_CLASSES_ROOT]\\datfile
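The following is an added example, not part of the original description: detection logic for the login string the Trojan sends to its command and control servers, applied to reassembled client-to-server TCP payloads. It compares parsed fields rather than raw bytes, so reordered keys or extra whitespace still match; the sample payloads are constructed.

```python
import json

# Parameter values of the login string quoted on this page.
PROBE_PARAMS = {"login": "0", "pass": "x", "agent": "Test/1.0"}

def classify_line(raw: bytes) -> str:
    """Classify one newline-delimited message from a TCP stream.

    Returns 'probe' when the message carries the exact fields of the string
    on this page, 'login' for any other JSON-RPC 2.0 login, else 'other'.
    """
    try:
        msg = json.loads(raw.decode("utf-8").strip())
    except (UnicodeDecodeError, ValueError, RecursionError):
        return "other"
    if not isinstance(msg, dict):
        return "other"
    if msg.get("jsonrpc") != "2.0" or msg.get("method") != "login":
        return "other"
    params = msg.get("params")
    if isinstance(params, dict) and all(
        params.get(k) == v for k, v in PROBE_PARAMS.items()
    ):
        return "probe"
    return "login"

def scan_stream(payload: bytes) -> list:
    """Split a reassembled stream on newlines and classify each non-empty message."""
    return [classify_line(line) for line in payload.split(b"\n") if line.strip()]

# Constructed sample payloads (not captured traffic).
SAMPLE_EXACT = (b'{"id":1,"jsonrpc":"2.0","method":"login",'
                b'"params":{"login":"0","pass":"x","agent":"Test/1.0"}}\r\n')
SAMPLE_REORDERED = (b'{"method": "login", "params": {"agent": "Test/1.0", '
                    b'"pass": "x", "login": "0"}, "jsonrpc": "2.0", "id": 7}\n')
SAMPLE_OTHER_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login",'
                      b'"params":{"login":"placeholder","pass":"x","agent":"example/0.0"}}\n')
SAMPLE_NOISE = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name in ("SAMPLE_EXACT", "SAMPLE_REORDERED", "SAMPLE_OTHER_LOGIN", "SAMPLE_NOISE"):
        print(name, scan_stream(globals()[name]))
```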

Then the Trojan configures proxy servers on the infected machine. The following servers will be used to mine cryptocurrencies:

8080
8081
8082
9080
9081
9082

8083
8084
8085
9083
9084
9085

The Trojan listens on port 51515. When a remote user connects to it, the Trojan waits for the command "deadbeef". Once it receives the command, it launches the PowerShell command shell and redirects its input and output to the socket of the connected user.

Once these actions are complete, the Trojan injects a module designed to mine cryptocurrencies into all running processes. For each process, the Trojan:

  1. extracts its resource "Service.rmxi.dat", decrypts it using the XOR algorithm and saves it under an arbitrary name and extension;
  2. injects this module into the process using the WinAPI functions VirtualAllocEx, WriteProcessMemory, RtlCreateUserThread and LoadLibrary.

The decrypted "Service.rmxi.dat" is a miner that, instead of receiving tasks from and sending results to a pool, does these actions via named pipes created by the Trojan service.

For the miner’s operation, the Trojan:

  • creates an event "Global\\{F2B06D4B-01B0-4F5C-B0FF-DC9F73696E63}" — for the XMR cryptocurrency;
  • creates an event "Global\\{9D91E9F3-F27B-44F7-8A9D-4D67BEFB5D08}" — for the Aeon cryptocurrency;
  • creates FileMapping "Global\\{CCE2F35E-0F38-413A-B118-EDF75722B8E4}" to store configuration.

The Trojan creates two named pipes:

  • "{29F248DD-592B-48AF-B9F3-1596AA1BB280}" — for XMR
  • "{111A00F9-3BF6-49D2-9A19-5FB4A50D68AF}" — for Aeon

IPC is used to exchange tasks with the miner and to obtain results of its work.

The malicious program can also scan the network for servers with Cleverence software installed.

To process incoming HTTP connections, the Trojan takes the full path and parameters of a request, splits the string into substrings on the separator '/' and iterates over them. If a substring matches "result", the Trojan decodes base64, extracts the data and parses XML. The XML must contain two fields — Address and Port. If a substring matches "proxy", the Trojan sends the list of IP addresses from its configuration, joined into a string with the separator '|'. After this, it adds to its configuration the received addresses of other infected hosts (also separated by '|').


Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and the removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
