Trojan.Madominer Coin Miner Worm - How to Remove It from Windows
THREAT REMOVAL

Trojan.Madominer Coin Miner Worm – How to Remove It from Windows

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by Trojan.Madominer and other threats.
Threats such as Trojan.Madominer may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

This article has been created in order to explain what is the Trojan.Madominer virus and how you can remove this miner worm completely.

A new Trojan that is also a worm infection has been detected by security researchers at Symantec. The Trojan’s primary purpose is to convince victims to install itself by exploiting vulnerabilities in Windows and then use this to install a coin miner tht connects to multiple mining servers to mine the infected computers for cryptocurrencies. In the events that you suspect an infection by the Trojan.Madominer infection, we recommend that you read the following article to learn more about it plus how you can remove it from your PC thoroughly.

Threat Summary

NameTrojan.Madominer
TypeTrojan and Worm
Short DescriptionSlithers on your computer and runs a process which connects to miner servers and begins to mine for cryptocurrencies.=.
SymptomsYour PC might experience a 100% CPU and GPU usage, overheating and extreme slowing down.
Distribution MethodMalicious executable files uploaded online, malicious e-mail spam attachments.
Detection Tool See If Your System Has Been Affected by Trojan.Madominer

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Trojan.Madominer.

Trojan.Madominer – Distribution

In order for the Trojan.Madominer to be widespread, the infection may be triggered via a remote host as a result of exploiting the three following vulnerabilities:

  • Microsoft Windows Remote Buffer Overflow Vulnerability (CVE-2017-9073)
  • Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0143)
  • Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0146)

These vulnerabilities might be embedded into a malicious e-mail attachment or even a malicious JavaScript that is uploaded on a URL. The most often methods of infection with Trojans is to take advantage of online communication platforms, like Messenger, Google Drive, Gmail, Skype and many others and use them to send a file, that is often masked as a legitimate docment, like:

  • A picture of your friend.
  • An online e-mail attachment that pretends to be an invoice or a receipt.
  • A password recovery protocol.
  • Important banking statement.

Trojan.Madominer Coin Miner Virus – Analysis

When the Trojan.Madominer has infected a certain computer, the virus creates the following folders:

→ %System%\Tasks\GooglePinginConfigs
%System%\Tasks\RavTask

Then, the Trojan.Madominer drops it’s malicious files on the victim PC and they could have the following names and locations:

→ %ProgramFiles%\stormii\server.exe
%SystemDrive%\[PATH TO MALWARE]\[MALWARE ROOT]\tem.vbs
%System Drive%\IIS\CPUInfo.exe
%System Drive%\IIS\Doublepulsar-1.3.1.exe
%System Drive%\IIS\Esteemaudit-2.1.0.exe
%System Drive%\IIS\Esteemaudittouch-2.1.0.exe
%System Drive%\IIS\Eternalblue-2.2.0.exe
%System Drive%\IIS\Eternalchampion-2.0.0.exe
%System Drive%\IIS\free.bat
%System Drive%\IIS\s.bat

But the virus does not stop there as it creates a lot of tasks and registries to kill different executables that belong to Windows and to run exectuables that perform the mining process as an administrator without them being bothered. Symantec report the following registy values to be created:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\1.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systmss.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss..exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanol.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostr.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wax.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauc1t.exe\”debugger” = “taskkill.exe”
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ystmss.exe\”debugger” = “taskkill.exe”

Next, the Madominer Trojan could download additional miner files from several suspicious domains, that end in .com:3 and .info:3. The virus also remotely connects to 8 different servers that end in .info which help it relay the cryptocurrency mining information and begin the mining process.

The malware also has a worm function enabled, meaning that it could propagate to other PCs in the same network and could possibly create copies of it’s infection files to be spread via USB and other removable drives connected to the infected computer in question.

If you suspect that the Madominer Trojan is installed on your PC, do not underestimate it and remove it ASAP. If the Trojan stays for long time on your PC, it may do a lot more than just mine for cryptocurrencies, like Monero and BitCoin at your computer resources’ expense. The virus may also perform spyware activities, such as:

  • Obtain your keystrokes via a keylogger program.
  • Steal different types of files and folders directly from your drive.
  • Take screenshots from your desktop.
  • Steal passwords.
  • Steal camera and audio communication and record it.

Remove Madominer Trojan Completely from Your Computer

If you want to remove the Madominer malware from your PC effectively, we suggest that you follow the removal instructions underneath this article. They have been created with the primary purpose to help you delete the malicious files of the virus effectively from your computer either manually or automatically. If manual removal does not seem to work against this worm, most experts do advise to download and scan your PC by using an advanced anti-malware program, whose main purpose is to detect and fully erase all the malicious files and objects, belonging to the Trojan.Madominer infection.

Note! Your computer system may be affected by Trojan.Madominer and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as Trojan.Madominer.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove Trojan.Madominer follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Trojan.Madominer files and objects
2. Find files created by Trojan.Madominer on your PC

IMPORTANT!
Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...