
Win32/Bocinex


First posted on 07 April 2012.
Source: Microsoft

Aliases :

There are no other names known for Win32/Bocinex.

Explanation :

Win32/Bocinex is a detection for a family of malware that launches a Bitcoin mining client, detected as Program:Win32/CoinMiner. The client is configured to attribute newly generated Bitcoin digital cash, or "BTC", to an attacker's Bitcoin account.




Installation

Win32/Bocinex may be encountered as an attachment to spam email, when visiting links sent via instant messaging, or by downloading its installer, which is disguised as another wanted application. The installer is often a randomly named file in the form of a self-extracting executable archive (RarSFX), for example "169E.exe" or "9D1A.exe". The name of the Win32/Bocinex trojan file and its installation path are specified in the RarSFX installer script, as in the following example:

Path=%USERPROFILE%\Start Menu\Programs\Startup
SavePath
Setup=x10.exe
Silent=1
Overwrite=1
Update=U

In the above example, the script instructs the installer to write the trojan as the following:

%USERPROFILE%\Start Menu\Programs\Startup\x10.exe (e.g. "C:\Users\Administrator\Start Menu\Programs\Startup\x10.exe")

The installed file is another RarSFX dropper and runs when Windows starts. The archive file contains another installation script that specifies where the archive file contents are dropped, and which file to execute, for example:

Path=%TEMP%
SavePath
Setup=Winlogons.exe
Silent=1
Overwrite=1
Update=U

The above script instructs the dropper to execute the file "%TEMP%\Winlogons.exe", which is a copy of Win32/Bocinex. The archive contains a Bitcoin mining client, which may be present as "%TEMP%\xC.exe".



Payload

Executes Program:Win32/CoinMiner

Win32/Bocinex executes the BTC mining client in a manner that attributes newly generated Bitcoins to an account specified by an attacker, for example:

%TEMP%\xC.exe -a 60 -g yes -o <URL> -u <attacker user name> -p <attacker password>

When the mining client "xC.exe" executes, there may be a noticeable increase in CPU utilization that is observed as a sluggish response or slow execution of other applications.
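As an added defender-side example (not part of the Microsoft write-up), the following Python parses the RarSFX comment script shown above and flags the traits this family relies on (extraction into the Startup folder or %TEMP%, silent install, auto-run of the dropped executable), and checks a process command line against the miner invocation pattern described under Payload. The sample script and command line are constructed from the examples on this page; the pool URL and credentials are placeholders.

```python
import re

# Constructed sample: the first-stage SFX script reproduced in the write-up.
STAGE1_SCRIPT = """Path=%USERPROFILE%\\Start Menu\\Programs\\Startup
SavePath
Setup=x10.exe
Silent=1
Overwrite=1
Update=U
"""

def parse_sfx_script(text):
    """Parse a WinRAR SFX comment script into a dict; bare keywords map to True."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        cfg[key.strip()] = value.strip() if sep else True
    return cfg

def sfx_indicators(cfg):
    """Return the traits of an SFX script that match the Bocinex dropper pattern."""
    hits = []
    path = cfg.get("Path", "")
    if re.search(r"\\Start Menu\\Programs\\Startup", path, re.I):
        hits.append("extracts into Startup folder (persistence)")
    if path.upper().startswith("%TEMP%"):
        hits.append("extracts into %TEMP%")
    if cfg.get("Silent") == "1":
        hits.append("silent extraction (no user dialog)")
    setup = cfg.get("Setup", "")
    if isinstance(setup, str) and setup.lower().endswith(".exe"):
        hits.append("auto-runs %s after extraction" % setup)
    return hits

# Argument sequence from the Payload section: -a <n> -g yes -o <URL> -u <user> -p <pass>
MINER_ARGS = re.compile(r"-a\s+\d+\s+-g\s+yes\s+-o\s+\S+\s+-u\s+\S+\s+-p\s+\S+", re.I)

def looks_like_bocinex_miner(cmdline):
    """True if a process command line matches the miner invocation pattern."""
    return MINER_ARGS.search(cmdline) is not None
```

Feeding process-creation telemetry (e.g. command lines from Sysmon Event ID 1) through looks_like_bocinex_miner, and SFX comment scripts from files found in the Startup folder through sfx_indicators, gives a simple triage signal for this family.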



Analysis by Alden Pornasdoro

Last update 07 April 2012
