August 7, 2015
On the inside, Trojan.BtcMine.737 looks like a Russian doll—it consists of three installers created using Nullsoft Scriptable Install System (NSIS) and nested in each other. The first “layer” contains a simple dropper that, once launched, tries to kill all processes of Trojan.BtcMine.737 if they are running. It also extracts an executable file of another installer from its body, plants it into a temporary folder, runs it, and deletes the original file.
The second installer has a wider set of features that are typical of network worms. When activated, this installer saves the CNminer.exe file, which is an NSIS installer, to some folder on the infected computer and runs it. Then it replicates itself to the autorun folder, Documents folder, and to a newly created folder making it accessible from the local network. The installer's copies look like WinRAR archives with the Key name.
After that, the malicious program copies itself to root folders of all hard drives (this operation is repeated periodically) and goes through all computers in network places trying to connect to them by using logins and passwords from a special list. Moreover, the malware tries to crack the password to the Windows user account. If such an attempt is successful and if necessary equipment is available, Trojan.BtcMine.737 sets up an open Wi-Fi access point. If a connection to any computer on the network is established, the Trojan tries to replicate itself to that computer and run the copy using Windows Management Instrumentation (WMI) or Task Scheduler.
The CNminer.exe program, which is saved to a hard drive during the next step, is actually an installer of a mining application. Once launched, it saves the miner's executable files (for 32-bit and 64-bit versions) and the configuration file to the folder from where it is started. To ensure autorun of an executable, the Trojan modifies the relevant Windows system registry branch creating a corresponding shortcut in the standard autorun folder. After the installer is run, the script contained in it kills the running processes belonging to the miners (if they are launched). Then the Trojan connects to the command and control server and receives from it additional configuration data in HTML format. The data contains pool properties and electronic wallet identifiers which constantly change. It should be noted that cybercriminals use a different tool for electronic currency mining. This tool is created by another developer and is detected by Dr.Web as a program belonging to the Tool.BtcMine family. The developer of this application distribute it on one condition—2.5 per cent of electronic currency stolen with the help of the tool should be forwarded to their account. Thus, cybercriminals automatically send some part of their “earnings” to the creator of this tool.
Since Trojan.BtcMine.737 can spread by itself, it can pose a threat to computers that are not protected with anti-virus software. Dr.Web Anti-virus successfully detects and removes this malicious program. Thus, our users are under reliable protection.