NRSMiner Virus – How to Remove It
THREAT REMOVAL

NRSMiner Malware – How to Remove It

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

WaterMiner Monero MinerThis blog post has been created with the main idea in mind to explain how you can remove the NRSMiner virus from your computer completely.

A new cryptocurrency miner malware, going by the name NRSMiner has been reported to affect computers and take advantage of the CPU and GPU resources and generate up to 100% of their usage to mine for cryptocurrencies. In addition to this, the virus may also perform other unwanted activities on the computers that have been infected by it. The main one of those could be related to spyware actions directly started on the infected machine after it has been compromised. If your computer has been infected by the NRSMiner, we would recommend that you read this article.

Threat Summary

NameNRSMiner
TypeCryptoCurrency Miner Trojan / Malware
Short DescriptionNRSMiner aims to mine for the cryptocurrency Monero at the expense of your computer’s resources.
SymptomsYour PC may begin to stagger and even become non-responsive at times. 100% of your CPU may be used by the process HPDriver.exe running actively in the background.
Distribution MethodVia fake setups or malicious e-mail spam messages.
Detection Tool See If Your System Has Been Affected by NRSMiner

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss NRSMiner.

NRSMiner – How Did I Get It

The main method via which the NRSMiner propagates is usually conducted via an exploit that is well known – Eternal Blue. This same exploit was used in the 2017

As a result of the WannaCry attack, a number of TSMC factories were damaged, with the outbreak costing the company some $170 million.
WannaCry infection outbreak. The miner propagates systems of a vulnerable network after it performs it’s first infection, but the good news is that it only attacks patched computers.

So far, F-Secure malware researchers have reported in their analysis the following main two methods by which a computer can get infected with NRSMiner:

  • Via download an update module via a system that has already been compromised by a previous version of the NRSMiner malware.
  • Via infecting a system in the same intranet that does not have the MS17-010 patch against Eternal Blue exploit. The infection may occur from an already infected device.

NRSMiner – Analysis

The main infection activity of this miner is that it first checks a mutex ({502CBAF5-55E5-F190-16321A4}) to see if the miner has already infected the victim PC before and if so, the miner malware does not run. If not however, the miner drops and runs the following main malicious file:

→%Temp%\WUDHostUpgrade.exe

Once having done this, the miner may extract the different files from it’s resources, more specifically, the following files;

→ %SystemRoot%\System32\MarsTraceDiagnostics.xml
%SystemRoot%\sysWOW64\snmpstorsrv.dll

The files may have the opposite location, but they generally are located either in sysWOW64 or system32. Once having dropped the files, NRSMiner copies data from CreationTime and LastAccessTime and LastWriteTime properties from the system process svchost.exe and updates properties for MarsTraceDiagnostics.xml and snmpstorsrv.dll files.

At last, the WUDHostUpdate.exe malicious file installs the snmpstorsrv and snmpstorsrv.dll which is registered as servicedll. Finally the virus file self-deletes.

Te newly made process, called Snmpstorsrv.dll starts with the following Windows administrator command:

→svchost.exe –k netsvcs

When started, the file performs the following malicious activities on your computer:

  • Sends Processor data.
  • Sends system information.
  • Opens port 60153.
  • Creates MgmtFilterShim.ini
  • Runs Wininit.exe
  • Downloads Updater
  • Extracts C&C and Miner configuration
  • Deletes older versions.
  • Checks for module updates.
  • Runs the new miner.

The service firstly spawns a file, called MgmtFilterShim.ini in the %systemroot%\system32 folder, writes the “+” value in it and then modifies its CreationTime, LastAccessTime and LastWritetime properties same as the ones in svchost.exe.

The virus uses the following domains to update itself and to relay information:

→ reader[.]pamphler[.]com/resource
handle[.]pamphler[.]com/modules.dat

In addition ton this, the miner executes the TurstedHostex.exe process and it connects to the following sites, where almost all of the system and network information of the infected computer is leaked:

→ pluck[.]moisture[.]tk
jump[.]taucepan[.]com

When the virus takes into account the processor of the victim PC, it then writes down several different types of files, called x86.dll and x64.dll in the %AppDiagnostics% directory. The processes get injected via Wininit.exe file into sass.exe via the spoolsv.exe backdoor installed earlier to begin mining for cryptocurrencies.

The miner component of NRSMiner uses the XMRig Monero CPU miner in order to generate Monero tokens. It runs the miner with the following commands

→“v –o fox.weilders.com:443 –u zec%d –p x –t %d –donate-level=1 –nicehash”
“z –o asthma.weilders.com”443 –u zec –p x –bfactor=12 –bsleep=1000 –donate-level=1 –nicehash”

During this time, the computer of the victim begins to slow down and may freeze very often.

Remove NRSMiner Malware from Your Computer

If you want to remove the NRSMiner virus manually, you can proceed following the manual removal underneath, which are the first two steps. You can use them in combination with the “Analysis” part of the article to delete all files spawned and created by NRSMiner and then block all of the domains it has set up connection with to relay information from your computer.

Another and more recommended removal method is if you follow the latter steps to remove the NRSMiner by scanning our PC with an advanced anti-malware program, which will detect and remove all of the associated files and objects that are related to NRSMiner on your computer. We will have you know that this is the proffered choice by security experts because not only the malware files and objects are deleted, but also your computer will be protected against most malicious files and intrusive objects in the future too.

Avatar

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...