TrojanDropper:Win32/Micuda
First posted on 05 November 2019.
Source: Microsoft
Aliases:
TrojanDropper:Win32/Micuda is also known as winpe/BitCoinMiner.BDO, Tool.BtcMine.407, Riskware/BitCoinMiner, RDN/Generic.dx!ddq, Trojan.Win32.Generic.14AFD204.
Explanation:
Installation
TrojanDropper:Win32/Micuda is a malware installer that is commonly distributed with file names such as PCDataApp.exe and app-1009.exe.
Once it launches on your PC it creates a folder in %ProgramFiles%. We have seen it use the following file names:
%ProgramFiles%\PCDApp
%ProgramFiles%\PCData
It creates a number of files in this folder, including a Bitcoin mining application and its related library files, as well as a number of batch files that launch the Bitcoin miner. These batch files are detected as Trojan:BAT/Micuda.A, and commonly use the following file names:
astart.bat
cstart.bat
nstart.bat
The Bitcoin-mining application isn't malicious on its own and is often freely available for download from various Bitcoin community and code source websites. Micuda can use various Bitcoin miners, including those with the following file names:
cudaminer.exe
cgminer.exe
dgen.exe
minerd.exe
pmc.exe
TrojanDropper:Win32/Micuda can create an uninstaller that removes the files it creates, except the Bitcoin miner and its library files.
Payload
Installs Bitcoin mining software
This threat installs Trojan:BAT/Micuda.A, which is then used to launch a Bitcoin mining application. It launches the application and passes it parameters so that it can contact servers on which the malware author has set up accounts. We have seen it contact the following servers:
dataping.net
software-cdn.net
The Bitcoin mining application runs in the background and uses your PC's system resources. This can make your PC run slower than usual.
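As an added defender-side example (not Microsoft's own tooling), the following Python script hunts for the indicators this write-up names: the PCDApp/PCData folders under %ProgramFiles%, the launcher batch files and miner binaries inside them, and DNS lookups of the two listed servers. The DNS log format and the sample folder tree are assumed and constructed for the demo.

```python
"""Hunt for the on-disk and network indicators listed for TrojanDropper:Win32/Micuda.
Added example, not Microsoft's tooling; indicators come from the write-up, sample data is constructed."""
import tempfile
from pathlib import Path

MICUDA_FOLDERS = {"pcdapp", "pcdata"}
MICUDA_BATCH = {"astart.bat", "cstart.bat", "nstart.bat"}
MINER_EXES = {"cudaminer.exe", "cgminer.exe", "dgen.exe", "minerd.exe", "pmc.exe"}
MICUDA_DOMAINS = {"dataping.net", "software-cdn.net"}

def scan_program_files(program_files: str) -> list[str]:
    """Report Micuda-named folders under program_files (stands in for %ProgramFiles%)
    and the launcher batch files / miner binaries inside them."""
    findings = []
    for child in Path(program_files).iterdir():
        if not child.is_dir() or child.name.lower() not in MICUDA_FOLDERS:
            continue
        findings.append(f"suspicious folder: {child}")
        for f in child.iterdir():
            if f.name.lower() in MICUDA_BATCH:
                findings.append(f"launcher batch file (Trojan:BAT/Micuda.A): {f}")
            elif f.name.lower() in MINER_EXES:
                findings.append(f"bundled miner binary: {f}")
    return findings

def scan_dns_log(lines) -> list[str]:
    """Flag lines whose queried name is, or is under, a Micuda server domain.
    Assumed (constructed) log format: '<timestamp> <client-ip> <queried-name>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].lower().rstrip(".")   # tolerate a trailing dot in the FQDN
        if any(qname == d or qname.endswith("." + d) for d in MICUDA_DOMAINS):
            hits.append(line)
    return hits

def demo() -> tuple[int, int]:
    # Constructed %ProgramFiles% tree: one Micuda folder with launchers, a miner and its uninstaller.
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "PCDApp"
        folder.mkdir()
        for name in ("astart.bat", "cstart.bat", "cudaminer.exe", "uninstall.exe"):
            (folder / name).write_text("")
        disk = scan_program_files(tmp)
    log = ["2019-11-05T10:00:01 10.0.0.5 dataping.net",            # constructed sample log
           "2019-11-05T10:00:02 10.0.0.5 update.microsoft.com",
           "2019-11-05T10:00:03 10.0.0.7 pool.software-cdn.net."]
    return len(disk), len(scan_dns_log(log))
```

The uninstaller is deliberately not flagged, matching the write-up's note that it is a separate artifact from the miner and its libraries.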
Analysis by Amir Fouda
Last update 05 November 2019