Win32/Deminnix


First posted on 12 November 2013.
Source: Microsoft

Aliases:

There are no other names known for Win32/Deminnix.

Explanation:

Threat behavior

Installation

This threat can be downloaded as part of a TorziExpress installer using a file name such as file.exe.

TorziExpress contains configuration data that allows it to download torrent files, such as cracked software, game cheats, and video files. Some of the files it downloads might be clean, but other components might belong to the Deminnix family.

For example, one of the TorziExpress applications that installs Win32/Deminnix might look like this:

[Screenshot of the TorziExpress installer window; image not reproduced.]

The installer drops files in a folder it creates in %ProgramFiles%, for instance:

  • %ProgramFiles%\TorziExpress


Some of the files it's been known to install are:

  • fowes.exe - Nullsoft installer detected as TrojanDropper:Win32/Deminnix
  • ModuleInno.exe or Inno.exe - detected as Trojan:Win32/Deminnix
  • desktopsearchservice.exe or SearchIndexer.exe - can be detected as either Trojan:Win32/Deminnix.gen!A or Trojan:Win32/Deminnix.gen!B
  • SearchIndexer32.exe - non-malicious bitcoin miner


Payload

Bitcoin mining

This threat performs bitcoin mining on your PC by dropping a non-malicious bitcoin miner, which is freely available online, and running it using another of its components, such as desktopsearchservice.exe or SearchIndexer.exe. The bitcoin miner is launched silently and uses your PC's system resources to perform complex calculations, sending the results to a mining server where the malware author has an account. Deminnix variants have been observed contacting the following mining servers, many of which are legitimate and used by other users participating in the bitcoin mining system:

  • iz-bit.net:8332
  • ql-bit.net:8332
  • ez-bit.net:8332
  • 507-bit.net:8332
  • pool.litecoinrain.org:8337
  • stratum.give-me-ltc.com:3333
  • eu-stratum.btcguild.com:3333


Changes browser home page

Certain variants of Win32/Deminnix, such as those detected as Trojan:Win32/Deminnix.A, change the home page of the following browsers:

  • Internet Explorer
  • Firefox
  • Opera
  • Chrome


It changes the default home page to http://fuxio.net/.



Analysis by Amir Fouda

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:
    • fowes.exe - Nullsoft installer detected as TrojanDropper:Win32/Deminnix
    • ModuleInno.exe or Inno.exe - detected as Trojan:Win32/Deminnix
    • desktopsearchservice.exe or SearchIndexer.exe - can be detected as either Trojan:Win32/Deminnix.gen!A or Trojan:Win32/Deminnix.gen!B
    • SearchIndexer32.exe - non-malicious bitcoin miner
  • You run an installer that looks like the TorziExpress installer shown above (screenshot not reproduced)
  • Your browser home page changes to http://fuxio.net/
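
The symptoms above can be checked with a short read-only hunt. The script below is an added example, not part of Microsoft's description; it assumes the dropped folder is exactly %ProgramFiles%\TorziExpress (the text says "for instance"), that the IE home page lives in the usual HKCU "Start Page" value, and that Firefox stores its home page in each profile's prefs.js.

```powershell
# Added example: hunt for the Win32/Deminnix indicators named on this page.
# Read-only; run from an elevated PowerShell prompt. It removes nothing.
$dropDir      = Join-Path $env:ProgramFiles 'TorziExpress'   # assumed exact folder name
$droppedNames = 'fowes.exe', 'ModuleInno.exe', 'Inno.exe',
                'desktopsearchservice.exe', 'SearchIndexer.exe', 'SearchIndexer32.exe'
$minerPorts   = 8332, 8337, 3333   # ports of the mining servers listed in the payload section
$findings     = @()

# 1. Dropped components. SearchIndexer.exe is also a legitimate Windows binary in
#    System32, so only copies inside the installer's own folder are flagged.
if (Test-Path $dropDir) {
    $findings += "Installer folder present: $dropDir"
    Get-ChildItem -Path $dropDir -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $droppedNames -contains $_.Name } |
        ForEach-Object { $findings += "Dropped file: $($_.FullName)" }
}

# 2. Home page hijack to fuxio.net (Trojan:Win32/Deminnix.A): IE registry value and
#    Firefox prefs.js. Chrome and Opera keep their settings elsewhere; check them manually.
$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -match 'fuxio\.net') { $findings += "IE Start Page set to $startPage" }

$ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $ffProfiles) {
    Get-ChildItem -Path $ffProfiles -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'fuxio\.net' |
        ForEach-Object { $findings += "Firefox prefs reference fuxio.net: $($_.Path)" }
}

# 3. Established connections to the mining-server ports. The page notes that many of
#    those servers are legitimate pools, so a hit here is a triage lead, not proof.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $minerPorts -contains $_.RemotePort } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings += "Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($proc)"
    }

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else           { Write-Output 'No Win32/Deminnix indicators found.' }
```

A hit on the folder or the home page is a strong signal; a hit on the ports alone should be tied back to the owning process before acting on it.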

Last update 12 November 2013

 

TOP