NRSMiner Virus – How to Remove It
REMOÇÃO DE AMEAÇAS

NRSMiner Malware – How to Remove It

WaterMiner Monero MinerThis blog post has been created with the main idea in mind to explain how you can remove the NRSMiner virus do seu computador completamente.

A new cryptocurrency miner malware, going by the name NRSMiner has been reported to affect computers and take advantage of the CPU and GPU resources and generate up to 100% of their usage to mine for cryptocurrencies. Além desta, the virus may also perform other unwanted activities on the computers that have been infected by it. The main one of those could be related to spyware actions directly started on the infected machine after it has been compromised. If your computer has been infected by the NRSMiner, nós recomendamos que você leia este artigo.

Resumo ameaça

NomeNRSMiner
TipoCriptomoeda Miner Trojan / Malware
Pequena descriçãoNRSMiner aims to mine for the cryptocurrency Monero at the expense of your computer’s resources.
Os sintomasSeu PC pode começar a cambalear e mesmo tornar-se não-responsivos às vezes. 100% de sua CPU pode ser usada pelo processo HPDriver.exe funcionando ativamente em segundo plano.
distribuição MétodoVia configurações falsos ou mensagens de spam malicioso de e-mail.
Ferramenta de detecção See If Your System Has Been Affected by NRSMiner

Baixar

Remoção de Malware Ferramenta

Experiência de usuárioParticipe do nosso Fórum to Discuss NRSMiner.

NRSMiner – How Did I Get It

The main method via which the NRSMiner propagates is usually conducted via an exploit that is well known – Eternal Blue. This same exploit was used in the 2017

WannaCry infection outbreak. The miner propagates systems of a vulnerable network after it performs it’s first infection, but the good news is that it only attacks patched computers.

Tão longe, F-Secure malware researchers have reported in their analysis the following main two methods by which a computer can get infected with NRSMiner:

  • Via download an update module via a system that has already been compromised by a previous version of the NRSMiner malware.
  • Via infecting a system in the same intranet that does not have the MS17-010 patch against Eternal Blue exploit. The infection may occur from an already infected device.

NRSMiner – Análise

The main infection activity of this miner is that it first checks a mutex ({502CBAF5-55E5-F190-16321A4}) to see if the miner has already infected the victim PC before and if so, the miner malware does not run. Se não no entanto, the miner drops and runs the following main malicious file:

→%Temp%\WUDHostUpgrade.exe

Depois de ter feito isso, the miner may extract the different files from it’s resources, mais especificamente, the following files;

→ %SystemRoot%\System32\MarsTraceDiagnostics.xml
%SystemRoot%\sysWOW64\snmpstorsrv.dll

The files may have the opposite location, but they generally are located either in sysWOW64 ou system32. Once having dropped the files, NRSMiner copies data from CreationTime e LastAccessTime e LastWriteTime properties from the system process svchost.exe and updates properties for MarsTraceDiagnostics.xml and snmpstorsrv.dll arquivos.

Finalmente, a WUDHostUpdate.exe malicious file installs the snmpstorsrv and snmpstorsrv.dll which is registered as servicedll. Finally the virus file self-deletes.

Te newly made process, chamado Snmpstorsrv.dll starts with the following Windows administrator command:

svchost.exe –k netsvcs

When started, the file performs the following malicious activities on your computer:

  • Sends Processor data.
  • Sends system information.
  • Opens port 60153.
  • Creates MgmtFilterShim.ini
  • Runs Wininit.exe
  • Downloads Updater
  • Extracts C&C and Miner configuration
  • Deletes older versions.
  • Checks for module updates.
  • Runs the new miner.

The service firstly spawns a file, chamado MgmtFilterShim.ini no %systemroot%\system32 pasta, writes the “+” value in it and then modifies its CreationTime, LastAccessTime e LastWritetime properties same as the ones in svchost.exe.

The virus uses the following domains to update itself and to relay information:

reader[.]pamphler[.]com/resource
lidar com[.]pamphler[.]com/modules.dat

In addition ton this, the miner executes the TurstedHostex.exe process and it connects to the following sites, where almost all of the system and network information of the infected computer is leaked:

pluck[.]moisture[.]tk
saltar[.]taucepan[.]com

When the virus takes into account the processor of the victim PC, it then writes down several different types of files, called x86.dll and x64.dll in the %AppDiagnostics% diretório. The processes get injected via Wininit.exe file into sass.exe via the spoolsv.exe backdoor installed earlier to begin mining for cryptocurrencies.

The miner component of NRSMiner uses the XMRig Monero CPU miner in order to generate Monero tokens. It runs the miner with the following commands

“v –o fox.weilders.com:443 –u zec%d –p x –t %d –donate-level=1 –nicehash”
“z –o asthma.weilders.com”443 –u zec –p x –bfactor=12 –bsleep=1000 –donate-level=1 –nicehash”

Durante este tempo, the computer of the victim begins to slow down and may freeze very often.

Remove NRSMiner Malware from Your Computer

Se você deseja remover o NRSMiner virus manually, you can proceed following the manual removal underneath, which are the first two steps. You can use them in combination with the “Analysis” part of the article to delete all files spawned and created by NRSMiner and then block all of the domains it has set up connection with to relay information from your computer.

Another and more recommended removal method is if you follow the latter steps to remove the NRSMiner by scanning our PC with an advanced anti-malware program, which will detect and remove all of the associated files and objects that are related to NRSMiner on your computer. We will have you know that this is the proffered choice by security experts because not only the malware files and objects are deleted, but also your computer will be protected against most malicious files and intrusive objects in the future too.

Avatar

Ventsislav Krastev

Ventsislav tem vindo a cobrir o mais recente de malware, desenvolvimentos de software e mais recente tecnologia em SensorsTechForum para 3 anos. Ele começou como um administrador de rede. Formado marketing bem, Ventsislav também tem paixão pela descoberta de novas mudanças e inovações em cibersegurança que se tornam mudanças do jogo. Depois de estudar Gestão da Cadeia de Valor e, em seguida, Administração de Rede, ele encontrou sua paixão dentro cybersecrurity e é um crente forte na educação básica de cada usuário para a segurança on-line.

mais Posts - Local na rede Internet

Me siga:
Twitter

Deixe um comentário

seu endereço de e-mail não será publicado. Campos obrigatórios são marcados *

limite de tempo está esgotado. Recarregue CAPTCHA.

Compartilhar no Facebook Compartilhar
Carregando...
Compartilhar no Twitter chilrear
Carregando...
Compartilhar no Google Plus Compartilhar
Carregando...
Partilhar no Linkedin Compartilhar
Carregando...
Compartilhar no Digg Compartilhar
Compartilhar no Reddit Compartilhar
Carregando...
Partilhar no StumbleUpon Compartilhar
Carregando...