Trojan:Win32/Skrumpwey.A
First posted on 11 September 2012.
Source: Microsoft
Aliases:
Trojan:Win32/Skrumpwey.A is also known as not-a-virus:RiskTool.Win32.HideExec.r (Kaspersky), TR/Skrumpwey.A (Avira), Bitcoin Miner (Sophos).
Explanation:
Trojan:Win32/Skrumpwey.A is a trojan that generates new digital coins in the Bitcoin decentralized economy. It makes use of a program known as Program:Win32/CoinMiner to generate Bitcoins and send them to a remote account. Trojan:Win32/Skrumpwey.A installs Program:Win32/CoinMiner silently, without a user's consent.
Installation
Trojan:Win32/Skrumpwey.A usually arrives as a WinRAR self-extracting file. When run, it drops the following file, which is detected as either Trojan:Win32/Skrumpwey.A or Trojan:Win32/Skrumpwey.B:
%UserProfile%\Start Menu\Programs\StartUp\xd.exe
This file is another self-extracting archive that drops the following files:
- %TEMP%\vx.bat - batch file that automatically runs the CoinMiner program; detected as Trojan:BAT/MineBicoin.M
- %TEMP%\hid.exe - clean utility used to launch programs without a visible console window, so the miner does not appear on screen
- %TEMP%\hehe.exe - detected as Program:Win32/CoinMiner
- %TEMP%\2.exe - detected as Trojan:Win32/Skrumpwey.B
- %TEMP%\1.exe - detected as Trojan:Win32/Skrumpwey.A
Generating (also known as mining) Bitcoins consumes a large share of the computer's processing resources, because the mining algorithm is computationally intensive.
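The dropped-file paths above are the host-based indicators a responder would check for this family. The script below is an added example (not part of the original write-up and not Microsoft's tooling) that looks for those exact file names in the Startup folder and in %TEMP%, and reports which detection name the write-up associates with each hit. It assumes nothing beyond the paths listed in the entry; the sample folder tree it builds for the offline run is constructed here for demonstration.

```python
import os
import tempfile

# File names the write-up lists as dropped by the two self-extracting archives.
STARTUP_INDICATOR = "xd.exe"  # second-stage dropper placed in the Startup folder
TEMP_INDICATORS = {
    "vx.bat": "Trojan:BAT/MineBicoin.M (batch file that launches the miner)",
    "hid.exe": "clean helper that hides the console window (suspicious only alongside the others)",
    "hehe.exe": "Program:Win32/CoinMiner",
    "2.exe": "Trojan:Win32/Skrumpwey.B",
    "1.exe": "Trojan:Win32/Skrumpwey.A",
}


def default_locations():
    """Resolve the Startup and TEMP folders from the environment on a Windows host."""
    startup = os.path.join(os.path.expandvars("%UserProfile%"),
                           "Start Menu", "Programs", "StartUp")
    temp = os.path.expandvars("%TEMP%")
    return startup, temp


def scan(startup_dir, temp_dir):
    """Return a list of (path, description) for every indicator file that is present."""
    findings = []
    candidate = os.path.join(startup_dir, STARTUP_INDICATOR)
    if os.path.isfile(candidate):
        findings.append((candidate, "self-extracting dropper (Skrumpwey.A/.B) in Startup folder"))
    for name, description in TEMP_INDICATORS.items():
        candidate = os.path.join(temp_dir, name)
        if os.path.isfile(candidate):
            findings.append((candidate, description))
    return findings


def build_sample_tree():
    """Constructed sample: a Startup folder holding xd.exe and a TEMP folder with two
    of the listed names plus one unrelated file, so the scan has something to find offline."""
    root = tempfile.mkdtemp(prefix="skrumpwey_demo_")
    startup = os.path.join(root, "Startup")
    temp = os.path.join(root, "Temp")
    os.makedirs(startup)
    os.makedirs(temp)
    open(os.path.join(startup, "xd.exe"), "wb").close()
    for name in ("vx.bat", "hehe.exe", "notes.txt"):
        open(os.path.join(temp, name), "wb").close()
    return startup, temp


if __name__ == "__main__":
    # Run against the constructed tree; swap in default_locations() on a real host.
    startup_dir, temp_dir = build_sample_tree()
    for path, description in scan(startup_dir, temp_dir):
        print(path, "->", description)
```

Because hid.exe is a legitimate utility, a hit on it alone is weak evidence; the xd.exe entry in the Startup folder together with vx.bat and hehe.exe in %TEMP% is the combination that matches the installation chain described here.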
Analysis by Sergey Chernyshev
Last update 11 September 2012