Win32/Vicenor


Win32/Vicenor is a family of trojans that use your computer, without your consent, to mine Bitcoin, a digital currency.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

Win32/Vicenor may arrive on your computer in various ways: through exploits hosted on websites you visit, as a download disguised as a legitimate program, or dropped by other malware families such as Win32/Phorpiex and Worm:Win32/Skuffbot.

When Vicenor runs on your computer, it commonly installs itself by creating the following registry entry so that its file runs each time you start Windows:

In Subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "WINSXS32"
With data: <trojan executable file name>

Win32/Vicenor has also been observed creating a copy of itself in the %TEMP% folder and setting the following values in the registry subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Run so that the copy runs each time you start Windows:

  • dhfh22
  • jjijj

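
To hunt for the persistence described above, here is an added example (not code from this Microsoft entry): a Python script that reads the current user's Run key on Windows through winreg, or falls back to a constructed sample elsewhere, and flags any value whose name matches the names listed above or whose data points into %TEMP%. The sample entries, file names and paths in the script are constructed for illustration, not taken from a real infection.

```python
import re
import sys

# Run-key value names Win32/Vicenor has been observed to create (from the entry above).
VICENOR_RUN_VALUE_NAMES = {"winsxs32", "dhfh22", "jjijj"}

# The trojan drops its copy in %TEMP%; match both the literal variable and the
# usual expanded locations so a hit does not depend on how the data was written.
_TEMP_PATTERNS = (
    re.compile(r"%temp%", re.I),
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\local settings\\temp\\", re.I),
    re.compile(r"\\windows\\temp\\", re.I),
)


def classify_run_value(name, data):
    """Return the indicator tags that apply to one Run value (name, data)."""
    tags = []
    if name.lower() in VICENOR_RUN_VALUE_NAMES:
        tags.append("vicenor-value-name")
    if any(p.search(data) for p in _TEMP_PATTERNS):
        tags.append("runs-from-temp")
    return tags


def find_suspicious_run_entries(run_values):
    """run_values: dict of value name -> data, as read from HKCU\\...\\Run."""
    hits = []
    for name, data in run_values.items():
        tags = classify_run_value(name, data)
        if tags:
            hits.append({"name": name, "data": data, "tags": tags})
    return hits


def read_hkcu_run_values():
    """Read the live Run key on Windows; return {} elsewhere (winreg is Windows-only)."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


# Constructed sample (not from a real infection): two benign entries plus the
# persistence pattern described in this entry. File names are made up.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "WINSXS32": r"C:\Users\alice\AppData\Local\Temp\update.exe",
    "dhfh22": r"%TEMP%\winlogon32.exe",
}

if __name__ == "__main__":
    live = read_hkcu_run_values()
    for hit in find_suspicious_run_entries(live or SAMPLE_RUN_VALUES):
        print(f"{hit['name']!r} -> {hit['data']} [{', '.join(hit['tags'])}]")
```

The two checks are deliberately independent: a matching value name is a strong, specific indicator for this family, while "runs from %TEMP%" is a generic one that will also catch other malware (and the occasional sloppy installer), so review those hits rather than acting on them automatically.
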
Payload

Launches Bitcoin-miner

When launched, Win32/Vicenor loads a legitimate Bitcoin mining program directly into memory; such miners are freely available for download from various websites. A Bitcoin miner uses your computer's processor to perform the proof-of-work hashing that earns Bitcoins for participants in the Bitcoin peer-to-peer (P2P) network. Win32/Vicenor passes the miner specific command-line parameters (the address of a mining server and the attacker's account credentials) so that any work your computer completes is credited to the attacker's account on that server.

For more information on the Bitcoin currency, see https://bitcoin.it/wiki/FAQ.

Vicenor has been known to launch two types of Bitcoin mining programs: the "Ufasoft" miner and "minerd" (the cpuminer binary). Win32/Vicenor has also been observed contacting a number of mining servers, such as the ones listed below:

  • hardair1.com
  • k4912m.com
  • l0za.su
  • revisiondelpc.ru
  • x1x9.asia
  • x3x9.asia
  • z0k3.org
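
Because the miner itself is a legitimate program that Vicenor runs in memory, the useful indicator is not the image name but the command line: both minerd and the Ufasoft miner receive the pool URL and account credentials as switches. As an added example (not part of the original entry), the Python below parses such command lines, extracts the pool host, user and password, and matches the host against the servers listed above. The process command lines are constructed samples, and the switch spellings (-o/--url, -u/--user, -p/--pass, -O/--userpass) are assumed to be the miners' standard ones; a repackaged miner could rename them.

```python
import shlex
from urllib.parse import urlsplit

# Mining servers listed for Win32/Vicenor in this entry.
VICENOR_POOL_HOSTS = {
    "hardair1.com", "k4912m.com", "l0za.su", "revisiondelpc.ru",
    "x1x9.asia", "x3x9.asia", "z0k3.org",
}

# Pool/credential switches as used by cpuminer (minerd) and the Ufasoft miner.
# Assumption: standard switch spellings; a repacked miner could change them.
_URL_FLAGS = {"-o", "--url"}
_USER_FLAGS = {"-u", "--user"}
_PASS_FLAGS = {"-p", "--pass"}
_USERPASS_FLAGS = {"-O", "--userpass"}


def parse_miner_args(cmdline):
    """Pull pool URL, host and credentials out of a process command line.

    Returns None when the line carries no pool URL, so browsers and other
    programs with -o/-u style switches but no pool are ignored.
    """
    try:
        # posix=False keeps Windows backslashes intact; quotes stay on the token.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes
        return None
    found = {"image": argv[0].strip('"') if argv else "", "url": None,
             "user": None, "password": None}
    i = 0
    while i < len(argv):
        tok = argv[i].strip('"')
        key, has_eq, val = tok.partition("=")
        if has_eq:
            step = 1                      # --url=... form
        else:
            val = argv[i + 1].strip('"') if i + 1 < len(argv) else None
            step = 2                      # -o ... form, value is the next token
        if key in _URL_FLAGS:
            found["url"] = val
        elif key in _USER_FLAGS:
            found["user"] = val
        elif key in _PASS_FLAGS:
            found["password"] = val
        elif key in _USERPASS_FLAGS and val:
            found["user"], _, found["password"] = val.partition(":")
        else:
            step = 1                      # not a switch we care about
        i += step
    if not found["url"]:
        return None
    url = found["url"] if "://" in found["url"] else "//" + found["url"]
    found["host"] = (urlsplit(url).hostname or "").lower()
    return found


def classify_process(cmdline):
    """None for non-miner command lines; otherwise the parsed fields plus a verdict."""
    info = parse_miner_args(cmdline)
    if info is None:
        return None
    verdict = "known-vicenor-pool" if info["host"] in VICENOR_POOL_HOSTS else "unknown-pool"
    return {**info, "verdict": verdict}


# Constructed sample process command lines (not captured from a real system).
SAMPLE_PROCESSES = [
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://example.com',
    r"C:\Users\alice\AppData\Local\Temp\update.exe -o http://k4912m.com:8332/ -u worker1 -p x -t 2",
    r"minerd.exe -a sha256d -O miner:pass -o stratum+tcp://pool.example.net:3333",
]

if __name__ == "__main__":
    for cmdline in SAMPLE_PROCESSES:
        result = classify_process(cmdline)
        if result:
            print(f"{result['image']}: pool={result['host']} user={result['user']} "
                  f"-> {result['verdict']}")
```

An "unknown-pool" verdict is still worth a look: the server list above is only what has been observed, and a pool URL on a process launched from %TEMP% is suspicious regardless of which host it points at.
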

Analysis by Amir Fouda


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.

Prevention


Alert level: Severe
This entry was first published on: May 13, 2013
This entry was updated on: May 27, 2013

This threat is also detected as:
No known aliases