BitCoin malware

Last weekend a friend of mine told me about an issue with her new laptop: suddenly IE’s home page was set to Desjardins (https://accesd.desjardins.com/). Nothing wrong in itself, it is a legitimate web site, except for one thing: she was not able to change it! I agreed to take a look and asked her to run HijackThis. Immediately I found something suspicious:

Running processes:
...
C:\Users\...\AppData\Roaming\Ehopty\uwfo.exe
...
O1 - Hosts: 198.15.104.132 www.google-analytics.com.
O1 - Hosts: 198.15.104.132 ad-emea.doubleclick.net.
O1 - Hosts: 198.15.104.132 www.statcounter.com.
O1 - Hosts: 72.29.93.243 www.google-analytics.com.
O1 - Hosts: 72.29.93.243 ad-emea.doubleclick.net.
O1 - Hosts: 72.29.93.243 www.statcounter.com.
...
O4 - HKCU\..\Run: [Intel] C:\Users\...\AppData\Roaming\BF002E.exe
O4 - HKCU\..\Run: [HotKeysCmds] C:\Users\...\AppData\Local\Temp\CF4F.EXE
O4 - HKCU\..\Run: [xivwxuaggnirrpeecys] C:\Users\...\AppData\Roaming\xivwxuaggnirrpeecys.exe
O4 - HKCU\..\Run: [Emarco] C:\Users\...\AppData\Roaming\Ehopty\uwfo.exe

First of all, I am very suspicious of any EXEs residing in the “AppData” folder. It is also really suspicious when well-known web hosts like google-analytics.com and doubleclick.net are redirected to an unknown host, and it is very suspicious when the browser opens Google.com instead of virustotal.com.
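The two heuristics above applied mechanically to HijackThis output, as an added Python example that is not code from the original post: it flags O1 hosts entries that send a name to a routable address (while ignoring the 127.0.0.1 sinkhole idiom used for ad blocking) and O4 Run entries whose target lives in a user-writable directory. The sample log is constructed from the lines shown above plus two benign control entries.

```python
import ipaddress
import re

# Constructed sample in HijackThis format: the O1/O4 lines are copied from
# the log above (user path segments elided with "..." as in the original);
# the 127.0.0.1 entry and the HKLM "Synaptics" entry are constructed benign
# controls that the checks must not flag.
SAMPLE_LOG = r"""
O1 - Hosts: 198.15.104.132 www.google-analytics.com.
O1 - Hosts: 72.29.93.243 ad-emea.doubleclick.net.
O1 - Hosts: 127.0.0.1 ads.example.invalid.
O4 - HKCU\..\Run: [Intel] C:\Users\...\AppData\Roaming\BF002E.exe
O4 - HKCU\..\Run: [HotKeysCmds] C:\Users\...\AppData\Local\Temp\CF4F.EXE
O4 - HKCU\..\Run: [Emarco] C:\Users\...\AppData\Roaming\Ehopty\uwfo.exe
O4 - HKLM\..\Run: [Synaptics] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+?)\.?$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run:\s+\[([^\]]*)\]\s+(.+)$")
# Locations a user can write without admin rights; an autorun here was the
# first thing that looked wrong in the log.
USER_WRITABLE = ("\\appdata\\", "\\temp\\")


def hosts_redirects(text):
    """O1 entries that point a name at a routable address, not a sinkhole."""
    hits = []
    for line in text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        ip, host = m.groups()
        addr = ipaddress.ip_address(ip)
        # 127.0.0.1 / 0.0.0.0 is the ad-blocking idiom; any other address
        # means requests for that name are silently sent elsewhere.
        if not (addr.is_loopback or addr.is_unspecified):
            hits.append((host, ip))
    return hits


def run_keys_in_user_dirs(text):
    """O4 Run entries whose target lives under AppData or Temp."""
    hits = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m and any(d in m.group(3).lower() for d in USER_WRITABLE):
            hits.append(m.groups())  # (hive, value name, target path)
    return hits
```

Run against a real HijackThis export, the same two functions surface exactly the O1 and O4 lines the post singled out and stay quiet on the HKLM vendor entry and the loopback hosts line.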

I checked the “AppData/Roaming” folder; it contained the mentioned EXE files and also numerous copies of them. My next step was to remove the malicious registry keys and reboot the laptop. It did the magic: IE’s home page could be changed easily and virustotal.com was no longer redirected to Google.com. The suspicious files were submitted to virustotal.com. No surprise: McAfee/Symantec did not detect the trojans (the laptop had an OEM version of McAfee), but some less popular antiviruses had heuristic hits. Results:

xivwxuaggnirrpeecys.exe
uwfo.exe
3FDE.exe

The last two files, “uwfo.exe” and “3FDE.exe”, have dynamic names: each time the malware starts, it re-creates the same files under different names.

I was curious and tested “xivwxuaggnirrpeecys.exe” in VMware (Windows XP). Wireshark quickly revealed that the trojan has yet another purpose: using the infected computer to mine BitCoins and sending the results to the host pool2.50btc.com.

Right, the trojan not only steals the user’s passwords but also turns the victim’s computer into one cell of a virtual supercomputer for BitCoin mining.
