BKDR_BTMINE.MNR

 Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This malware has received attention from independent media sources and/or other security firms. This malware is a part of a package that generate BitCoins and performs DDOS attacks against targeted entities.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

It connects to the malicious URLs to get a list of server IP addresses and saves it in specific files.

The malware connects to the IP addresses in the obtained list to send receive information, download other malware, and get a new list of IP addresses. It builds the URL using specific format.

It downloads publicly available Bitcoin miners such as Phoenix, RPCminer, and Ufasoft. It saves the downloaded package.

This backdoor may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

  TECHNICAL DETAILS

File Size:

339,968 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

02 Sep 2011

Payload:

Downloads files

Arrival Details

This backdoor may be downloaded by other malware/grayware/spyware from remote sites.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following copies of itself into the affected system:

  • %Windows%\update.5.0\svchost.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It creates the following folders:

  • %Windows%\update.5.0
  • %Windows%\phoenix
  • %Windows%\rpcminer
  • %Windows%\ufa

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This backdoor adds and runs the following services:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ImagePath = "%Windows%\update.5.0\svchost.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
DisplayName = "srvbtcclient"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Security
Security = "{hex values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
0 = "Root\LEGACY_SRVBTCCLIENT\0000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
Count = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
NextInstance = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
Type = "10"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ErrorControl = "0"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\btcclient

Process Termination

This backdoor terminates processes or services that contain any of the following strings if found running in the affected system's memory:

  • agava
  • agava_start
  • agnitum
  • alwil
  • avast
  • avast_start
  • avira
  • avira_start
  • comodo
  • comodo_start
  • doctor web
  • drweb
  • drweb_start
  • eset
  • ESET NOD32 Antivirus
  • ESET Smart Security
  • ESET SysInspector
  • ESET SysRescue
  • kaspersky
  • Kaspersky Internet Security 2009
  • Kaspersky Internet Security 2010
  • Kaspersky Internet Security 2011
  • Kaspersky Internet Security 7.0
  • KAV_2008
  • KAV_2009
  • KAV_2010
  • KAV_2011
  • KAV_START
  • KAV_TXT
  • KAV_UNINSTALL
  • KAV_URL
  • mcafee
  • mcafee_start
  • NOD_AV_4_2
  • NOD_AV_START
  • NOD_SS_4_2
  • NOD_SS_START
  • NOD_SYSINSP
  • NOD_SYSRESC
  • NOD_TXT
  • NOD_UNINSTALL
  • norton
  • norton_start
  • outpost
  • Outpost Firewall Pro 7.0
  • outpost_start1
  • outpost_start2
  • virus

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

  • ya.ru
  • google.com
  • microsoft.com

NOTES:

This malware is a part of a package that generate BitCoins. Its component malware BKDR_BTMINE.DDOS performs DDOS attacks against targeted entities.

It connects to any of the following malicious URLs to get a list of server IP addresses:

  • http://{BLOCKED}-portal-x86.com/distrib_serv/ip_list_{value}.php
  • http://{BLOCKED}s-z2012.com/distrib_serv/ip_list_{value}.php
  • http://{BLOCKED}vers-win7.com/distrib_serv/ip_list_{value}.php

It saves the list of IP addresses in the following file:

  • %Windows%\btc_client_iplist.txt

The malware connects to the IP addresses in the obtained list to send receive information, download other malware, and get a new list of IP addresses. It builds the URL using the following format:

  • http://{IP address}/search=error
  • http://{IP address}/search=ip_list_{value}.txt
  • http://{IP address}/search=ip_list_{value}
  • http://{IP address}/btc/knock_client.php
  • http://{IP address}/btc/knock_good_2.php
  • http://{IP address}/search=myunrar2.exe.txt
  • http://{IP address}/search=myunrar2.exe

Sample IP addresses are as follows:

  • {BLOCKED}.171.247
  • {BLOCKED}1.176.209
  • {BLOCKED}1.130.69
  • {BLOCKED}49.182
  • {BLOCKED}.98.95
  • {BLOCKED}185.129
  • {BLOCKED}.255.172
  • {BLOCKED}.92.203
  • {BLOCKED}.224.93
  • {BLOCKED}172.128
  • It downloads publicly available Bitcoin miners such as Phoenix, RPCminer, and Ufasoft. It saves the downloaded package as the following:

    • %Windows%\{number}_myunrar2.exe
    • %Windows%\phoenix.rar
    • %Windows%\rpcminer.rar
    • %Windows%\ufa.rar

    It then extract these archives in the following folders:

    • %Windows%\phoenix
    • %Windows%\rpcminer
    • %Windows%\ufa

    It also downloads legitimate GPU and CPU drivers from the following sites to enable the affected system to be able to use the Bitcoin miners effectively:

    • http://{BLOCKED}ad2developer.amd.com
    • http://{BLOCKED}2.ati.com
    • http://{BLOCKED}s.amd.com

      SOLUTION

    Minimum Scan Engine:

    9.200

    Step 1

    For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

    Step 2

    Remove malware files dropped/downloaded by BKDR_BTMINE.MNR

    Step 3

    Restart in Safe Mode

    [ Learn More ]

    Step 4

    Delete this registry key

    [ Learn More ]

    Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

    • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
      • srvbtcclient
    • In HKEY_LOCAL_MACHINE\SOFTWARE
      • btcclient

    Step 5

    Search and delete these folders

    [ Learn More ]
    Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
    • %Windows%\update.5.0
    • %Windows%\phoenix
    • %Windows%\rpcminer
    • %Windows%\ufa

    Step 6

    Search and delete these files

    [ Learn More ]
    There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
    • %Windows%\{number}_myunrar2.exe
    • %Windows%\phoenix.rar
    • %Windows%\rpcminer.rar
    • %Windows%\ufa.rar

    Step 7

    Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_BTMINE.MNR. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


    Did this description help? Tell us how we did.