This blog post has been created with the main idea in mind to explain how you can remove the NRSMiner virus from your computer completely.
A new cryptocurrency miner malware, going by the name NRSMiner has been reported to affect computers and take advantage of the CPU and GPU resources and generate up to 100% of their usage to mine for cryptocurrencies. In addition to this, the virus may also perform other unwanted activities on the computers that have been infected by it. The main one of those could be related to spyware actions directly started on the infected machine after it has been compromised. If your computer has been infected by the NRSMiner, we would recommend that you read this article.
Threat Summary
Name | NRSMiner |
Type | CryptoCurrency Miner Trojan / Malware |
Short Description | NRSMiner aims to mine for the cryptocurrency Monero at the expense of your computer’s resources. |
Symptoms | Your PC may begin to stagger and even become non-responsive at times. 100% of your CPU may be used by the process HPDriver.exe running actively in the background. |
Distribution Method | Via fake setups or malicious e-mail spam messages. |
Detection Tool |
See If Your System Has Been Affected by malware
Download
Malware Removal Tool
|
User Experience | Join Our Forum to Discuss NRSMiner. |
NRSMiner – How Did I Get It
The main method via which the NRSMiner propagates is usually conducted via an exploit that is well known – Eternal Blue. This same exploit was used in the 2017 [wplinkpreview url=”https://sensorstechforum.com/wannacry-outbreak-tsmc-170-million/”]WannaCry infection outbreak. The miner propagates systems of a vulnerable network after it performs it’s first infection, but the good news is that it only attacks patched computers.
So far, F-Secure malware researchers have reported in their analysis the following main two methods by which a computer can get infected with NRSMiner:
- Via download an update module via a system that has already been compromised by a previous version of the NRSMiner malware.
- Via infecting a system in the same intranet that does not have the MS17-010 patch against Eternal Blue exploit. The infection may occur from an already infected device.
NRSMiner – Analysis
The main infection activity of this miner is that it first checks a mutex ({502CBAF5-55E5-F190-16321A4}) to see if the miner has already infected the victim PC before and if so, the miner malware does not run. If not however, the miner drops and runs the following main malicious file:
→%Temp%\WUDHostUpgrade.exe
Once having done this, the miner may extract the different files from it’s resources, more specifically, the following files;
→ %SystemRoot%\System32\MarsTraceDiagnostics.xml
%SystemRoot%\sysWOW64\snmpstorsrv.dll
The files may have the opposite location, but they generally are located either in sysWOW64 or system32. Once having dropped the files, NRSMiner copies data from CreationTime and LastAccessTime and LastWriteTime properties from the system process svchost.exe and updates properties for MarsTraceDiagnostics.xml and snmpstorsrv.dll files.
At last, the WUDHostUpdate.exe malicious file installs the snmpstorsrv and snmpstorsrv.dll which is registered as servicedll. Finally the virus file self-deletes.
Te newly made process, called Snmpstorsrv.dll starts with the following Windows administrator command:
→svchost.exe –k netsvcs
When started, the file performs the following malicious activities on your computer:
- Sends Processor data.
- Sends system information.
- Opens port 60153.
- Creates MgmtFilterShim.ini
- Runs Wininit.exe
- Downloads Updater
- Extracts C&C and Miner configuration
- Deletes older versions.
- Checks for module updates.
- Runs the new miner.
The service firstly spawns a file, called MgmtFilterShim.ini in the %systemroot%\system32 folder, writes the “+” value in it and then modifies its CreationTime, LastAccessTime and LastWritetime properties same as the ones in svchost.exe.
The virus uses the following domains to update itself and to relay information:
→ reader[.]pamphler[.]com/resource
handle[.]pamphler[.]com/modules.dat
In addition ton this, the miner executes the TurstedHostex.exe process and it connects to the following sites, where almost all of the system and network information of the infected computer is leaked:
→ pluck[.]moisture[.]tk
jump[.]taucepan[.]com
When the virus takes into account the processor of the victim PC, it then writes down several different types of files, called x86.dll and x64.dll in the %AppDiagnostics% directory. The processes get injected via Wininit.exe file into sass.exe via the spoolsv.exe backdoor installed earlier to begin mining for cryptocurrencies.
The miner component of NRSMiner uses the XMRig Monero CPU miner in order to generate Monero tokens. It runs the miner with the following commands
→“v –o fox.weilders.com:443 –u zec%d –p x –t %d –donate-level=1 –nicehash”
“z –o asthma.weilders.com”443 –u zec –p x –bfactor=12 –bsleep=1000 –donate-level=1 –nicehash”
During this time, the computer of the victim begins to slow down and may freeze very often.
Remove NRSMiner Malware from Your Computer
If you want to remove the NRSMiner virus manually, you can proceed following the manual removal underneath, which are the first two steps. You can use them in combination with the “Analysis” part of the article to delete all files spawned and created by NRSMiner and then block all of the domains it has set up connection with to relay information from your computer.
Another and more recommended removal method is if you follow the latter steps to remove the NRSMiner by scanning our PC with an advanced anti-malware program, which will detect and remove all of the associated files and objects that are related to NRSMiner on your computer. We will have you know that this is the proffered choice by security experts because not only the malware files and objects are deleted, but also your computer will be protected against most malicious files and intrusive objects in the future too.
Preparation before removing NRSMiner.
Before starting the actual removal process, we recommend that you do the following preparation steps.
- Make sure you have these instructions always open and in front of your eyes.
- Do a backup of all of your files, even if they could be damaged. You should back up your data with a cloud backup solution and insure your files against any type of loss, even from the most severe threats.
- Be patient as this could take a while.
- Scan for Malware
- Fix Registries
- Remove Virus Files
Step 1: Scan for NRSMiner with SpyHunter Anti-Malware Tool
Step 2: Clean any registries, created by NRSMiner on your computer.
The usually targeted registries of Windows machines are the following:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
You can access them by opening the Windows registry editor and deleting any values, created by NRSMiner there. This can happen by following the steps underneath:
Step 3: Find virus files created by NRSMiner on your PC.
1.For Windows 8, 8.1 and 10.
For Newer Windows Operating Systems
1: On your keyboard press + R and write explorer.exe in the Run text box and then click on the Ok button.
2: Click on your PC from the quick access bar. This is usually an icon with a monitor and its name is either “My Computer”, “My PC” or “This PC” or whatever you have named it.
3: Navigate to the search box in the top-right of your PC's screen and type “fileextension:” and after which type the file extension. If you are looking for malicious executables, an example may be "fileextension:exe". After doing that, leave a space and type the file name you believe the malware has created. Here is how it may appear if your file has been found:
N.B. We recommend to wait for the green loading bar in the navigation box to fill up in case the PC is looking for the file and hasn't found it yet.
2.For Windows XP, Vista, and 7.
For Older Windows Operating Systems
In older Windows OS's the conventional approach should be the effective one:
1: Click on the Start Menu icon (usually on your bottom-left) and then choose the Search preference.
2: After the search window appears, choose More Advanced Options from the search assistant box. Another way is by clicking on All Files and Folders.
3: After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Now you should be able to discover any file on Windows as long as it is on your hard drive and is not concealed via special software.
NRSMiner FAQ
What Does NRSMiner Trojan Do?
The NRSMiner Trojan is a malicious computer program designed to disrupt, damage, or gain unauthorized access to a computer system. It can be used to steal sensitive data, gain control over a system, or launch other malicious activities.
Can Trojans Steal Passwords?
Yes, Trojans, like NRSMiner, can steal passwords. These malicious programs are designed to gain access to a user's computer, spy on victims and steal sensitive information such as banking details and passwords.
Can NRSMiner Trojan Hide Itself?
Yes, it can. A Trojan can use various techniques to mask itself, including rootkits, encryption, and obfuscation, to hide from security scanners and evade detection.
Can a Trojan be Removed by Factory Reset?
Yes, a Trojan can be removed by factory resetting your device. This is because it will restore the device to its original state, eliminating any malicious software that may have been installed. Bear in mind that there are more sophisticated Trojans that leave backdoors and reinfect even after a factory reset.
Can NRSMiner Trojan Infect WiFi?
Yes, it is possible for a Trojan to infect WiFi networks. When a user connects to the infected network, the Trojan can spread to other connected devices and can access sensitive information on the network.
Can Trojans Be Deleted?
Yes, Trojans can be deleted. This is typically done by running a powerful anti-virus or anti-malware program that is designed to detect and remove malicious files. In some cases, manual deletion of the Trojan may also be necessary.
Can Trojans Steal Files?
Yes, Trojans can steal files if they are installed on a computer. This is done by allowing the malware author or user to gain access to the computer and then steal the files stored on it.
Which Anti-Malware Can Remove Trojans?
Anti-malware programs such as SpyHunter are capable of scanning for and removing Trojans from your computer. It is important to keep your anti-malware up to date and regularly scan your system for any malicious software.
Can Trojans Infect USB?
Yes, Trojans can infect USB devices. USB Trojans typically spread through malicious files downloaded from the internet or shared via email, allowing the hacker to gain access to a user's confidential data.
About the NRSMiner Research
The content we publish on SensorsTechForum.com, this NRSMiner how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific trojan problem.
How did we conduct the research on NRSMiner?
Please note that our research is based on an independent investigation. We are in contact with independent security researchers, thanks to which we receive daily updates on the latest malware definitions, including the various types of trojans (backdoor, downloader, infostealer, ransom, etc.)
Furthermore, the research behind the NRSMiner threat is backed with VirusTotal.
To better understand the threat posed by trojans, please refer to the following articles which provide knowledgeable details.