Note! Your computer might be affected by BitCoin Miner and other threats.
This article aims to help you detect and remove the newly emerged fileless BitCoin miner software and protect your computer in the future.
Fileless malware is shaping up to be the next big thing in cyber-security, and it will not go away soon. One such virus is the latest discovered BitCoin mining malware. This infection has the only purpose to mine BitCoin, Monero or other cryptocurrencies on the computer it has infected. For cryptocurrency mining to occur, the malware may run processes on the infected machine that may result in the significant over-usage of its resources, and it’s slowing down. And the worst part is that there are no files on your computer, meaning it is very difficult to detect it. If you believe you are infected with this BitCoin miner malware, we advise you to read this article to learn how to remove it from your computer and protect yourself in the future as well.
Aims to infect your computer and use it’s CPU, GPU and other resources to turn it into a miner for cryptocurrencies.
Hightened CPU and GPU usage and overheating. The victim PC may break if this virus mines for longer periods of time.
Spam Emails, Email Attachments, Executable files
See If Your System Has Been Affected by BitCoin Miner
CryptoCurrency mining viruses have continued to evolve and some of them are now capable of acting on themselves. One of those viruses is the new form of Rakhni Ransomware+Miner Trojan, which has been detected to be fully capable of droping an .exe file that is ran. This .exe file scans your computer and looks for the following parameters:
If your computer has a folder, called BitCoin in the %AppData% directory.
If your PC has a dual-core or higher processor.
If the virus checks that you have a BitCoin folder, it immediately estimates that you should be infected with ransomware because you can make a payment immediately. If not and you PC is on a dual-core and more powerful processors, the virus immediately runs a cryptocurrency miner, using your CPU and GPU to mine for the following cryptocurrencies:
You can find more information on the Rakhni miner below:
Besides this miner, we have detected a lot of new miner viruses out there with different capabilities. Some miner viruses were as harmless as to only mine your PC, while others, more hasty were completely able to display ads and also infect your PC with information stealing mawlare that directly steals your data.
How Does BitCoin Miner Infect
At this point, it is not clear as to what the exact infection method of this mining malware is. However, it may appear on your computer as a result of executing multiple different types of malware previously executed on your computers, such as Trojans, Worms, and others. The methods of distribution and infection vary, but they may be conducted via:
Malicious web links posted as a spam message online.
Web links that exist In various forms, as fake buttons or altered banners on a website as a result of having a PUP on your computer.
Via malicious e-mail spam attachment with a convincing message to open it.
The infection process itself is conducted with the aid of one of the exploits used in the WannaCry and NotPetya ransomware outbreaks which came out earlier this year. The exploit is known by the name EternalBlue and is a zero-day type of exploit for Windows versions from Windows XP up to Windows 10. Fortunately, Microsoft has released patches for the exploit, so anyone who has a legitimate Windows installation should immediately:
Disable SMB and Download the latest security patches from Microsoft.
Analysis of BitCoin Miner
The primary region affected by this ransomware, also dubbed by TrendMicro researchers as COINMINER.QO trojan is the Asia-Pacific region with the largest percentage of infected devices to be detected in Japan, followed by Indonesia and Taiwan.
As stated before, the BitCoin miner uses the Windows Management Instrumentation service (WMI), which has an application, called scrcons.exe, used to execute scripts. Altogether, the malware becomes completely invisible, because it does not drop any types of files on the computers infected by it.
The malicious activity of the virus is comprised of executing multiple malicious scripts on the infected PC by a backdoor which the BitCoin miner malware runs beforehand. These scripts have the purpose to connect the virus to a control and command server.
Furthermore, besides connecting to one command and control server, the virus also connects to a C&C server again, most likely used for communication. It then uses different classes to execute further scripts that allow for various actions to take place:
Remove control of the virus.
Download the cryptocurrency mining software and execute it filelessly.
Add the victim PC to a mining pool network in which all infected computers are also added.
Update December 2017 – New BitCoin Miners Detected
Being very similar to one of the Adylkuzz Trojan, the Bitcoinminer.sx may come on your computer via malicous e-mails sent over the web, that deceive you into thinking you are receiving an invoice, banking statement, receipt or a purchase letter for a product. The miner malware may even have advanced capabilities, like to update itself or install other miners on the computer of the victim a s well as collect keystrokes and other crucial data.
Similar to Bitcoinminer.sx, the Upup.exe malware also aims to use the CPU and GPU resources on the computer of the victim by connecting the computer to a mining pool. In addition to this, the malware also modifies the registry sub-keys, responsible for the Certificats in order to obtain certain permissions later on, like network information, system details, passwords and other data.
This malware is of unknown origins and most of what is known about it is that it uses a fake Service.exe process in order to perform the mining operation. The virus used to infect victims by posing as a fake document, program setup, patch or software license activator and it was primarily spread via malicious e-mail spam messages. It was also reported by experts to have Trojan capabilities, meaning that it may steal your login information, like passwords, user names and may also update itself and remotely control your PC.
The WDF.exe is one of two processes which are dropped on a newly created folder, named “wdf”. The folder of this miner Trojan horse is located in the %Windows% directory and it also contains the taskmon.exe malicious file, which may also install other miners on the victim’s computer, such as a miner, reported to activate a process, named NvProfileUpdater64.exe.
Since those classes are used to trigger the malicious script, they cannot be interacted with by simply disabling WMI as shown above. So this is why manual removal of BitCoin miner may be a challenging process.
The best practice to detect the malicious processes running in the background of your computer and associated with BitCoin miner is to automatically scan for them with malware-specific removal software. This will also ensure that these malicious objects are removed safely, without risking to damage critical Windows Components by manually removing them. For more information and an option on how to remove BitCoin fileless miner, one method is to follow the instructions below.
To remove BitCoin Miner follow these steps:
1. Boot Your PC In Safe Mode to isolate and remove BitCoin Miner files and objects
Manual Removal Usually Takes Time and You Risk Damaging Your Files If Not Careful!
We Recommend To Scan Your PC with SpyHunter
Boot Your PC Into Safe Mode
1. For Windows XP, Vista and 7. 2. For Windows 8, 8.1 and 10. Fix registry entries created by malware and PUPs on your PC.
For Windows XP, Vista and 7 systems:
1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu. 2.
– For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.
– For PCs with multiple operating systems: Тhe arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.
3. As the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. As you make your selection, press “Enter“.
4. Log on to your computer using your administrator account
While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.
Step 1: Open up the Start Menu.
Step 2: Click on the Power button (for Windows 8 it is the little arrow next to the “Shut Down” button) and whilst holding down “Shift” click on Restart.
Step 3: After reboot, a blue menu with options will appear. From them you should choose Troubleshoot.
Step 4: You will see the Troubleshoot menu. From this menu choose Advanced Options.
Step 5: After the Advanced Options menu appears, click on Startup Settings.
Step 6: From the Startup Settings menu, click on Restart.
Step 7: A menu will appear upon reboot. You can choose any of the three Safe Mode options by pressing its corresponding number and the machine will restart.
Some malicious scripts may modify the registry entries on your computer to change different settings. This is why cleaning your Windows Registry Database is recommended. Since the tutorial on how to do this is a bit long and tampering with registries could damage your computer if not done properly you should refer and follow our instructive article about fixing registry entries, especially if you are unexperienced in that area.
2. Find files created by BitCoin Miner on your PC
Find files created by BitCoin Miner
1. For Windows 8, 8.1 and 10. 2. For Windows XP, Vista, and 7.
For Newer Windows Operating Systems
On your keyboard press + R and write explorer.exe in the Run text box and then click on the Ok button.
Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
Navigate to the search box in the top-right of your PC’s screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be “fileextension:exe”. After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend to wait for the green loading bar in the navination box to fill up in case the PC is looking for the file and hasn’t found it yet.
For Older Windows Operating Systems
In older Windows OS’s the conventional approach should be the effective one:
Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
IMPORTANT! Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode. This will enable you to install and use SpyHunter 5 successfully.
Use SpyHunter to scan for malware and unwanted programs
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
Scan your PC and Remove BitCoin Miner with SpyHunter Anti-Malware Tool and back up your data
1. Install SpyHunter to scan for BitCoin Miner and remove them.2. Scan with SpyHunter, Detect and Remove BitCoin Miner. Back up your data to secure it from malware in the future.
Step 1: Click on the “Download” button to proceed to SpyHunter’s download page.
Step 2: Guide yourself by the download instructions provided for each browser.
Step 3: After you have installed SpyHunter, wait for it to update automatically.
Step 1: After the update process has finished, click on the ‘Malware/PC Scan’ tab. A new window will appear. Click on ‘Start Scan’.
Step 2: After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the ‘Next’ button.
Step 3: If any threats have been removed, it is highly recommended to restart your PC.
Back up your data to secure it against attacks in the future
IMPORTANT! Before reading the Windows backup instructions, we highly recommend to back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats. We recommend you to read more about it and to download SOS Online Backup.