Coinminer.BAT.VIPOR.A
Trojan.BAT.CoinMiner (IKARUS)
Windows
Threat Type: Coinminer
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Coinminer arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Coinminer adds the following processes:
- wmic cpu get numberofcores^|findstr "^[0-9] → retrieve the number of CPU cores in the system.
- Antivirus.exe --disable-gpu --algorithm verushash --pool sa.vipor.net:5040 --wallet {wallet id}.Sub4 -p x -t %num% → coinmining capabilities
- ping -n 2 localhost
- ping -n 240 localhost
- tasklist /NH /FI "imagename eq tskmgr.exe" → enumerate running tasks
- taskkill /IM Antivirus.exe /F
Information Theft
This Coinminer gathers the following data:
- Number of CPU cores
- Current Running Tasks
Other Details
This Coinminer does the following:
- It terminates itself if only one CPU core was found in the system.
- It terminates itself if task manager is found running in the system.
- It connects to a remote mining pool:
- {BLOCKED}or.net:5040
SOLUTION
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as Coinminer.BAT.VIPOR.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.