Trojan:BAT/CoinMiner.C is a batch file that is used to launch a Bitcoin mining program that is placed on your computer without your consent.
The Bitcoin mining program uses your computer's processing power to perform the intensive computations that generate Bitcoins for participants in the Bitcoin P2P (peer-to-peer) network. The results calculated by the mining program are credited to the attacker's account on a mining pool server.
For more information on Bitcoin currency see https://bitcoin.it/wiki/FAQ.
Installation
Trojan:BAT/CoinMiner.C usually arrives in a self-extracting RAR file (WinRAR archive).
In the wild, the most common name for this archive that we have observed is start1.exe.
When the RAR file is run, it places a number of additional files onto your computer. By default, the archive extracts these files to the %TEMP% directory.
These files are as follows:
- %TEMP%\hstart.exe - a clean utility that hides windows (Note: This file is not detected by Microsoft antivirus solutions.)
- %TEMP%\x.bat - a batch file, detected as Trojan:BAT/CoinMiner.C
- %TEMP%\x11811.exe - a Bitcoin mining program, which may be detected as Program:Win32/CoinMiner
When these files are in place, the archive launches the window-hiding utility (hstart.exe), which in turn launches the Trojan:BAT/CoinMiner.C batch file. The batch file then launches the Bitcoin mining program, which runs without your knowledge.
Payload
Runs a program without consent
Trojan:BAT/CoinMiner.C launches the Bitcoin mining program that uses your computer to generate Bitcoins which are deposited into the attacker's account on the mining pool server x.miners.in.
The mining program consumes your computer's processing resources, which can cause the computer to run slowly or programs to take a long time to open.
Terminates processes
Trojan:BAT/CoinMiner.C attempts to terminate the following processes if they are running on your computer:
- svchoost.exe
- mamita.exe
- x11811.exe
These processes may be related to Bitcoin mining software or previous MineBicoin variants.
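The dropped-file names, the killed process names and the mining-pool host listed above can be turned into a simple static triage check for a suspicious batch file. The following is an added example written for this page, not Microsoft's detection logic; the batch text it scans is constructed for the example and is not the real x.bat.

```python
import re

# Indicators taken from the write-up above (dropped file names, killed
# process names and the mining-pool host); the sample batch text below is
# constructed for this example and is not the actual x.bat.
DROPPED_FILES = {"hstart.exe", "x.bat", "x11811.exe"}
KILLED_PROCESSES = {"svchoost.exe", "mamita.exe", "x11811.exe"}
POOL_HOST = "x.miners.in"

# Matches "taskkill ... /im <name>" at the start of a line.
_KILL_RE = re.compile(r"^\s*taskkill\b.*?/im\s+(\S+)", re.IGNORECASE)


def scan_batch(text):
    """Return a list of (line_no, category, detail) findings for batch text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::")):
            continue  # skip blank lines and batch comments
        lowered = line.lower()
        m = _KILL_RE.match(line)
        if m:
            target = m.group(1).strip('"').lower()
            if target in KILLED_PROCESSES:
                findings.append((line_no, "kills-known-process", target))
        for name in DROPPED_FILES:
            if name in lowered:
                findings.append((line_no, "references-dropped-file", name))
        if POOL_HOST in lowered:
            findings.append((line_no, "references-pool-host", POOL_HOST))
    return findings


def verdict(findings):
    """True when the file both kills a listed process and launches the miner."""
    cats = {c for _, c, _ in findings}
    return "kills-known-process" in cats and any(
        c == "references-dropped-file" and d == "x11811.exe"
        for _, c, d in findings)


SAMPLE_BAT = """@echo off
rem constructed sample, not the real x.bat
taskkill /f /im svchoost.exe
taskkill /f /im mamita.exe
start "" "%TEMP%\\x11811.exe" x.miners.in
"""

if __name__ == "__main__":
    for finding in scan_batch(SAMPLE_BAT):
        print(finding)
    print("verdict:", verdict(scan_batch(SAMPLE_BAT)))
```

The same scan can be pointed at any .bat found in %TEMP% during triage; a hit on both the process kills and the x11811.exe launch is what distinguishes this family's dropper script from an ordinary batch file.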
Analysis by Amir Fouda