Trojan.Madominer Coin Miner Worm - How to Remove It from Windows

Trojan.Madominer Coin Miner Worm – How to Remove It from Windows

This article has been created in order to explain what is the Trojan.Madominer virus and how you can remove this miner worm completely.

A new Trojan that is also a worm infection has been detected by security researchers at Symantec. The Trojan’s primary purpose is to convince victims to install itself by exploiting vulnerabilities in Windows and then use this to install a coin miner tht connects to multiple mining servers to mine the infected computers for cryptocurrencies. In the events that you suspect an infection by the Trojan.Madominer infection, we recommend that you read the following article to learn more about it plus how you can remove it from your PC thoroughly.

Threat Summary

TypeTrojan and Worm
Short DescriptionSlithers on your computer and runs a process which connects to miner servers and begins to mine for cryptocurrencies.=.
SymptomsYour PC might experience a 100% CPU and GPU usage, overheating and extreme slowing down.
Distribution MethodMalicious executable files uploaded online, malicious e-mail spam attachments.
Detection Tool See If Your System Has Been Affected by Trojan.Madominer


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Trojan.Madominer.

Trojan.Madominer – Distribution

In order for the Trojan.Madominer to be widespread, the infection may be triggered via a remote host as a result of exploiting the three following vulnerabilities:

  • Microsoft Windows Remote Buffer Overflow Vulnerability (CVE-2017-9073)
  • Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0143)
  • Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0146)

These vulnerabilities might be embedded into a malicious e-mail attachment or even a malicious JavaScript that is uploaded on a URL. The most often methods of infection with Trojans is to take advantage of online communication platforms, like Messenger, Google Drive, Gmail, Skype and many others and use them to send a file, that is often masked as a legitimate docment, like:

  • A picture of your friend.
  • An online e-mail attachment that pretends to be an invoice or a receipt.
  • A password recovery protocol.
  • Important banking statement.

Trojan.Madominer Coin Miner Virus – Analysis

When the Trojan.Madominer has infected a certain computer, the virus creates the following folders:

→ %System%\Tasks\GooglePinginConfigs

Then, the Trojan.Madominer drops it’s malicious files on the victim PC and they could have the following names and locations:

→ %ProgramFiles%\stormii\server.exe
%SystemDrive%\[PATH TO MALWARE]\[MALWARE ROOT]\tem.vbs
%System Drive%\IIS\CPUInfo.exe
%System Drive%\IIS\Doublepulsar-1.3.1.exe
%System Drive%\IIS\Esteemaudit-2.1.0.exe
%System Drive%\IIS\Esteemaudittouch-2.1.0.exe
%System Drive%\IIS\Eternalblue-2.2.0.exe
%System Drive%\IIS\Eternalchampion-2.0.0.exe
%System Drive%\IIS\free.bat
%System Drive%\IIS\s.bat

But the virus does not stop there as it creates a lot of tasks and registries to kill different executables that belong to Windows and to run exectuables that perform the mining process as an administrator without them being bothered. Symantec report the following registy values to be created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe\”debugger” = “taskkill.exe”

Next, the Madominer Trojan could download additional miner files from several suspicious domains, that end in .com:3 and .info:3. The virus also remotely connects to 8 different servers that end in .info which help it relay the cryptocurrency mining information and begin the mining process.

The malware also has a worm function enabled, meaning that it could propagate to other PCs in the same network and could possibly create copies of it’s infection files to be spread via USB and other removable drives connected to the infected computer in question.

If you suspect that the Madominer Trojan is installed on your PC, do not underestimate it and remove it ASAP. If the Trojan stays for long time on your PC, it may do a lot more than just mine for cryptocurrencies, like Monero and BitCoin at your computer resources’ expense. The virus may also perform spyware activities, such as:

  • Obtain your keystrokes via a keylogger program.
  • Steal different types of files and folders directly from your drive.
  • Take screenshots from your desktop.
  • Steal passwords.
  • Steal camera and audio communication and record it.

Remove Madominer Trojan Completely from Your Computer

If you want to remove the Madominer malware from your PC effectively, we suggest that you follow the removal instructions underneath this article. They have been created with the primary purpose to help you delete the malicious files of the virus effectively from your computer either manually or automatically. If manual removal does not seem to work against this worm, most experts do advise to download and scan your PC by using an advanced anti-malware program, whose main purpose is to detect and fully erase all the malicious files and objects, belonging to the Trojan.Madominer infection.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share