BKDR_BTMINE.MNR | Low Risk | Trend Micro Threat Encyclopedia

Export page to PDF

BKDR_BTMINE.MNR

Malware type: Backdoor
Destructive: No
Platform: Windows 2000, Windows XP, Windows Server 2003
Encrypted: Yes
In the wild: Yes

Overall Risk Rating:

Low

Damage Potential:

High

Distribution Potential:

Low

Reported Infection:

Low

Overview

This malware has received attention from independent media sources and/or other security firms. This malware is a part of a package that generate BitCoins and performs DDOS attacks against targeted entities.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

It connects to the malicious URLs to get a list of server IP addresses and saves it in specific files.

The malware connects to the IP addresses in the obtained list to send receive information, download other malware, and get a new list of IP addresses. It builds the URL using specific format.

It downloads publicly available Bitcoin miners such as Phoenix, RPCminer, and Ufasoft. It saves the downloaded package.

This backdoor may be downloaded by other malware/grayware/spyware from remote sites. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

Technical Details

File size: 339,968 bytes
File type: EXE
Memory resident: Yes
Initial samples received date: 02 Sep 2011
Payload: Downloads files

Arrival Details

This backdoor may be downloaded by other malware/grayware/spyware from remote sites.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This backdoor drops the following copies of itself into the affected system:

%Windows%\update.5.0\svchost.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It creates the following folders:

%Windows%\update.5.0
%Windows%\phoenix
%Windows%\rpcminer
%Windows%\ufa

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This backdoor adds and runs the following services:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ImagePath = "%Windows%\update.5.0\svchost.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
DisplayName = "srvbtcclient"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Security
Security = "{hex values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
0 = "Root\LEGACY_SRVBTCCLIENT\0000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
Count = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient\Enum
NextInstance = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
Type = "10"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\srvbtcclient
ErrorControl = "0"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\btcclient

Process Termination

This backdoor terminates processes or services that contain any of the following strings if found running in the affected system's memory:

agava
agava_start
agnitum
alwil
avast
avast_start
avira
avira_start
comodo
comodo_start
doctor web
drweb
drweb_start
eset
ESET NOD32 Antivirus
ESET Smart Security
ESET SysInspector
ESET SysRescue
kaspersky
Kaspersky Internet Security 2009
Kaspersky Internet Security 2010
Kaspersky Internet Security 2011
Kaspersky Internet Security 7.0
KAV_2008
KAV_2009
KAV_2010
KAV_2011
KAV_START
KAV_TXT
KAV_UNINSTALL
KAV_URL
mcafee
mcafee_start
NOD_AV_4_2
NOD_AV_START
NOD_SS_4_2
NOD_SS_START
NOD_SYSINSP
NOD_SYSRESC
NOD_TXT
NOD_UNINSTALL
norton
norton_start
outpost
Outpost Firewall Pro 7.0
outpost_start1
outpost_start2
virus

Other Details

This backdoor connects to the following URL(s) to check for an Internet connection:

ya.ru
google.com
microsoft.com

NOTES:

This malware is a part of a package that generate BitCoins. Its component malware BKDR_BTMINE.DDOS performs DDOS attacks against targeted entities.

It connects to any of the following malicious URLs to get a list of server IP addresses:

http://{BLOCKED}-portal-x86.com/distrib_serv/ip_list_{value}.php
http://{BLOCKED}s-z2012.com/distrib_serv/ip_list_{value}.php
http://{BLOCKED}vers-win7.com/distrib_serv/ip_list_{value}.php

It saves the list of IP addresses in the following file:

%Windows%\btc_client_iplist.txt

The malware connects to the IP addresses in the obtained list to send receive information, download other malware, and get a new list of IP addresses. It builds the URL using the following format:

http://{IP address}/search=error
http://{IP address}/search=ip_list_{value}.txt
http://{IP address}/search=ip_list_{value}
http://{IP address}/btc/knock_client.php
http://{IP address}/btc/knock_good_2.php
http://{IP address}/search=myunrar2.exe.txt
http://{IP address}/search=myunrar2.exe

Sample IP addresses are as follows:

{BLOCKED}.171.247

{BLOCKED}1.176.209

{BLOCKED}1.130.69

{BLOCKED}49.182

{BLOCKED}.98.95

{BLOCKED}185.129

{BLOCKED}.255.172

{BLOCKED}.92.203

{BLOCKED}.224.93

{BLOCKED}172.128

It downloads publicly available Bitcoin miners such as Phoenix, RPCminer, and Ufasoft. It saves the downloaded package as the following:

%Windows%\{number}_myunrar2.exe
%Windows%\phoenix.rar
%Windows%\rpcminer.rar
%Windows%\ufa.rar

It then extract these archives in the following folders:

%Windows%\phoenix
%Windows%\rpcminer
%Windows%\ufa

It also downloads legitimate GPU and CPU drivers from the following sites to enable the affected system to be able to use the Bitcoin miners effectively:

http://{BLOCKED}ad2developer.amd.com
http://{BLOCKED}2.ati.com
http://{BLOCKED}s.amd.com

Solution

Minimum scan engine: 9.200

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Remove malware files dropped/downloaded by BKDR_BTMINE.MNR

BKDR_BTMINE.DDOS

Step 3

Restart in Safe Mode

[ Learn more ]

Step 4

Delete this registry key

[ Learn more ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- srvbtcclient
In HKEY_LOCAL_MACHINE\SOFTWARE
- btcclient

Step 5

Search and delete these folders

[ Learn more ]

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.

%Windows%\update.5.0
%Windows%\phoenix
%Windows%\rpcminer
%Windows%\ufa

Step 6

Search and delete these files

[ Learn more ]

There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%Windows%\{number}_myunrar2.exe
%Windows%\phoenix.rar
%Windows%\rpcminer.rar
%Windows%\ufa.rar

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_BTMINE.MNR. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.

Analysis By: Karl Dominguez

Product Support

Go To:

Popular Products

More Support

Go to:

Popular Products

Threat Encyclopedia

Overview

Technical Details

Solution