Trojan:Win32/Vicenor.gen!B
First posted on 16 May 2013.
Source: Microsoft
Aliases:
Trojan:Win32/Vicenor.gen!B is also known as Bitcoin Miner (Sophos), Dropper/Win32.Injector (AhnLab), TR/Zusy.5856.1 (Avira), Trojan.BtcMine.70 (Dr.Web), Trojan.Dropper.USW (BitDefender), Trojan-Dropper.Win32.Injector.geyi (Kaspersky), Virus.Win32.IRCBot.BSX (Ikarus), W32/Injector.AW!tr (other), W32/Trojan2.NUQQ (Command), Win32/CoinMiner.AW (ESET).
Explanation:
Installation
Trojan:Win32/Vicenor.gen!B may be downloaded onto your computer via a drive-by download through an exploit, or you may have downloaded it yourself, thinking it was something else, such as a picture or a legitimate program.
In the wild, we have observed the trojan using the following file names:
- 296291521.gif
- adobe_restart[1].exe
- btc[1].exe
- image19.jpg.pif
- www2d.gif
- yif81909.png
When run, the trojan sets the following registry values to ensure that its copy runs at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: WINSXS32
With data: <file name and location of the trojan>
Sets value: mService
With data: <file name and location of the trojan>
Payload
Uses your computer's power to mine Bitcoins
The trojan contains and runs a Bitcoin mining program, which connects to a Bitcoin server and uses your computer's power to generate Bitcoins. This can severely affect the performance of your computer, making it seem to run slowly.
We have observed the program connecting to the following servers:
- keep.<removed>.biz:2142/ using ID "bigbob0000001@<removed>.com" and password "password"
- eacfcf.<removed>.com/ using ID "niggas" and password "password"
- pool.<removed>.asia:8332/ using ID "redem_check" and password "orneliassssssssss"
- xxxxxxxxxxxxxxx.<removed>.su:1942/ using ID "tyldix_1" and password "password"
The mining program runs in memory only; the trojan does not install the program on your computer, it just runs it.
Additional information
Trojan:Win32/Vicenor.gen!B creates a mutex, possibly as an infection marker to prevent multiple instances from running on your computer. The mutex name varies between installations of the trojan; we have observed the following mutexes:
- whatwhstinthebdtt234905429090
- uxJLpe1m
- w8a4w2s3i4t5e6dgtr34d03429394
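As an added example (not part of Microsoft's write-up), the following PowerShell check looks for the two Run-key value names from the Installation section and the three mutex names listed above on a suspect machine. It assumes nothing beyond what the page states, except that the mutex namespace (session-local or Global\) is unknown, so both forms are tried.

```powershell
# Added example, not part of Microsoft's write-up: look for the Run-key values
# and mutex names reported above for Trojan:Win32/Vicenor.gen!B.
# Assumption: the write-up does not say whether the mutexes are session-local
# or in the Global\ namespace, so both forms are tried.
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueNames = @('WINSXS32', 'mService')                 # from the write-up
$MutexNames = @('whatwhstinthebdtt234905429090',        # from the write-up
                'uxJLpe1m',
                'w8a4w2s3i4t5e6dgtr34d03429394')

function Get-VicenorRunEntries {
    # One object per reported value name present under HKCU\...\Run.
    if (-not (Test-Path $RunKey)) { return }
    $props = Get-ItemProperty -Path $RunKey
    foreach ($name in $ValueNames) {
        $p = $props.PSObject.Properties[$name]
        if ($null -eq $p) { continue }
        $data = [string]$p.Value
        # Data is the trojan's path, possibly quoted or followed by arguments;
        # isolate the executable so we can tell whether it is still on disk.
        $exe = if ($data -match '^"([^"]+)"') { $Matches[1] } else { ($data -split ' ')[0] }
        [pscustomobject]@{
            ValueName  = $name
            Data       = $data
            FileExists = (Test-Path -LiteralPath $exe)
        }
    }
}

function Get-VicenorMutexes {
    # Names of the reported mutexes that exist right now; a hit means an
    # instance is running, not merely leftover registry data.
    foreach ($base in $MutexNames) {
        foreach ($name in @($base, "Global\$base")) {
            $m = $null
            try {
                if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                    $m.Dispose(); $name
                }
            } catch [System.UnauthorizedAccessException] {
                $name   # exists, but this account may not open it
            }
        }
    }
}

@(Get-VicenorRunEntries) | Format-Table -AutoSize
@(Get-VicenorMutexes)    | ForEach-Object { "Mutex present: $_" }
```

A Run value whose file no longer exists still indicates a past infection and should be removed; a present mutex points to a live process worth capturing before cleanup.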
Analysis by Jeong Mun
Last update 16 May 2013