not-a-virus.RiskTool.Win32.BitCoinMiner.lrc_87bdba0778

by malwarelabrobot on January 24th, 2014 in Malware Descriptions.

Trojan.Generic.10020557 (BitDefender), not-a-virus:RiskTool.Win32.BitCoinMiner.lrc (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.BtcMine.156 (DrWeb), Trojan.Generic.10020557 (B) (Emsisoft), Artemis!87BDBA077896 (McAfee), WS.Reputation.1 (Symantec), BV.Malware (Ikarus), Skodna.BitCoinMiner.DX (AVG), Win32:BitCoinMiner-FA [PUP] (Avast), TROJ_FAKELIB.B (TrendMicro)
Behaviour: Trojan, PUP


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.

Summary
Technical Details
Removal Recommendations

MD5: 87bdba077896af4cd51a2bfc3d0c080a
SHA1: 324ec19d5f7960d73b13d43ee063ad16b2fd54cd
SHA256: 2dd9ecfcda919ae220689aa53843dc44ae29857caa205971405b321c5f8ed443
SSDeep: 12288:aat0EAH49n8BuA6iQG8nPn/hb64ulDgFD273sFDmS:1t249AoG8RbdulDgFa7Wv
Size: 581162 bytes
File type: broken
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-08-22 16:00:50
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The not-a-virus creates the following process(es):

%original file name%.exe:1660
nircmd.exe:1620
nircmd.exe:1084
reg.exe:228
attrib.exe:1956
system.exe:484

The not-a-virus injects its code into the following process(es):
No processes have been created.

File activity

The process %original file name%.exe:1660 makes changes in the file system.
The not-a-virus creates and/or writes to the following file(s):

%WinDir%\syso\critical\libcurl-4.dll (245795 bytes)
%WinDir%\syso\critical\zlib1.dll (100864 bytes)
%WinDir%\syso\critical\pthreadGC2.dll (119888 bytes)
%WinDir%\syso\critical\antivirus.bat (129 bytes)
%WinDir%\syso\critical\sys.bat (337 bytes)
%WinDir%\syso\critical\system.exe (187904 bytes)
%WinDir%\syso\critical\nircmd.exe (43520 bytes)

The not-a-virus deletes the following file(s):

%WinDir%\syso\critical\__tmp_rar_sfx_access_check_7045609 (0 bytes)

Registry activity

The process %original file name%.exe:1660 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 2E 68 B1 E6 B8 96 F5 7F 59 CD 25 FA 75 76 A1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\syso\critical]
"sys.bat" = "sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The not-a-virus modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process nircmd.exe:1620 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 6D BA D7 F8 1B 0D A4 C5 36 FA BD 5B D1 8E 6A"

The process nircmd.exe:1084 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 94 8E 47 73 15 66 57 08 A4 EA 1F DC 93 2E AA"

The process reg.exe:228 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\syso\critical\antivirus.bat"

The process attrib.exe:1956 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 6B 29 58 34 74 1C 4D 61 8B B9 0B 23 AA BB 6C"

The process system.exe:484 makes changes in the system registry.
The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 4B F5 FF 26 D0 AF 15 99 EB DB 90 C0 6C 3B E0"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1660
    nircmd.exe:1620
    nircmd.exe:1084
    reg.exe:228
    attrib.exe:1956
    system.exe:484

  2. Delete the original not-a-virus file.
  3. Delete or disinfect the following files created/modified by the not-a-virus:

    %WinDir%\syso\critical\libcurl-4.dll (245795 bytes)
    %WinDir%\syso\critical\zlib1.dll (100864 bytes)
    %WinDir%\syso\critical\pthreadGC2.dll (119888 bytes)
    %WinDir%\syso\critical\antivirus.bat (129 bytes)
    %WinDir%\syso\critical\sys.bat (337 bytes)
    %WinDir%\syso\critical\system.exe (187904 bytes)
    %WinDir%\syso\critical\nircmd.exe (43520 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "C:\Windows\syso\critical\antivirus.bat"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.