Threat Descriptions

Trojan.VBRan.Gen

Classification

Category :

Malware

Type :

Trojan

Platform :

W32

Aliases :

Trojan.VBRan.Gen.1

Summary

Trojan.VBRan.Gen.1 identifies obfuscated files that are used to install and run a Bitcoin mining program. Once installed and active, the mining program can silently exploit the machine's computational resources to generate the popular digital cryptocurrency, for the attacker's benefit.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The following details are based on analysis of the sample, SHA1:67c7fb3f51b352061f4b39cf0cd29e5b89d764ac.

Once present on a system, the sample drops the following files to the %temp%\[randomname].tmp folder:

  • Start.bat
  • zdriver32.exe - also detected as Trojan.Generic.11265128 (SHA1: 95bd3755c88a3afd9950ec7ac1857d0913e98390)
  • Driver.exe - also detected as Trojan.Generic.11377532 (SHA1: e77008d0969d98d9eeb8a521c6c697ca38ac05de)
  • Minerd.exe - also detected as Application.BitCoinMiner.BK (SHA1: 40a903c091336a8108685bf891d5558863346d5f)
  • 7za.exe.gz
  • sys32.7z
  • gzip.exe

The dropped start.bat file is executed, and first uses taskill.exe to try and kill any old instances of the following files that may be present on the machine: driver.exe, zdriver32.exe, minerd.exe, minerd_qv2.2_sse4.exe, minerd_w32_sse4.exe and gzip.exe.

Trojan.VBRan's start.bat deleting old instances

The start.bat file also copies the gzip.exe, sys32.7z and 7za.exe.gz files to the %windir%\system folder, and the zdriver32.exe to the %windir% folder. The start.bat file is then deleted from the system.

Next, the dropped zdriver32.exe file is executed. This file drops batch files in the %temp%/ztmp folder, which then:

  • Executes gzip.exe file, which then extracts the 7za.exe program from the zipped 7za.exe.gz file
  • Executes the extracted 7za.exe file, then and uses a password found in the batch file to extract the driver.exe file from the zipped sys32.7z file

Trojan.VBRan's batch files at work

Once extracted, the batch file moves the driver.exe file to %StartupFolderXPEN%, %StartupFolder%, %WINDIR, then executes it.

The executed driver.exe file drops yet another batch file, also in the %temp%/ztmp folder, which then executes the minerd.exe file. This is the actual Bitcoin mining program, which is executed with the parameter "o"; login details for the program are hardcoded in the minerd.exe file.