Home / malware

PDF

Worm:Win32/NeksMiner.A

First posted on 15 February 2019.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/NeksMiner.A.

Explanation :

Installation This threat can create files on your PC, including:   %APPDATA%microsoftwindowsstart menuprogramsstartup.exe %APPDATA%microsoftwindowsstart menuprogramsstartupcnminer.lnk %APPDATA%
scpucnminercnminer.exe %APPDATA%
scpucnminer
scpucnminer32.exe %APPDATA%
scpucnminer
scpucnminer64.exe %LOCALAPPDATA% emp
sa56c7.tmp
sexec.dll %LOCALAPPDATA% emp
sw59b5.tmpinetc.dll

It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun Sets value: "CNminer"
With data: "%APPDATA%
scpucnminercnminer.exe"  

The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.

Payload This threat spreads through network drives. It is specifically designed to allow remote attacker control to perform Bitcoin mining activities. Affected machines might have traces of legitimate application and component related to its mining activities. Additional information

We observed that this threat often spreads with the following (but not limited to) names and file extension:

images.scr image.exe imàges.exe monero.exe monero.scr

Note: The above list is not an exhaustive list.

This malware description was published using automated analysis of file SHA1 7536f91d76b0fea3d67cb8ecaa09844129d5e86e.

Last update 15 February 2019

 

TOP