This threat can be downloaded as part of a TorziExpress installer using a file name like file.exe.
The installer contains configuration data that lets it download torrent files, like cracked software, game cheats, and video files. Some of the files it downloads might be clean, but other components might belong to the Deminnix family.
For example, one of the TorziExpress applications that installs Win32/Deminnix might look like this:
The installer drops files in a folder it creates in %ProgramFiles%, for instance:
Some of the files it's been known to install are:
This threat mines bitcoin on your PC by dropping a non-malicious bitcoin miner, which is freely available online. The miner is run by another of the threat's components, like desktopsearchservice.exe or SearchIndexer.exe.
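A defender-side check for the component names above, as an added example that is not part of the original analysis: it flags a process image named SearchIndexer.exe running from anywhere other than the System32 directory, where the genuine Windows Search indexer lives, and any image named desktopsearchservice.exe. The CSV layout, the `C:\Windows` install path and the `ExampleFolder` folder name are assumptions made for the sample.

```python
import csv
import io
import ntpath

# File names this page lists as Deminnix components that launch the miner.
PAGE_COMPONENT_NAMES = {"desktopsearchservice.exe", "searchindexer.exe"}
# Expected directory of the genuine Windows Search indexer (assumes Windows in C:\Windows).
LEGIT_DIRS = {"searchindexer.exe": {r"c:\windows\system32"}}

# Constructed sample of a process inventory export (pid,image_path); not real telemetry.
# "ExampleFolder" is a placeholder: the page does not name the dropped folder.
SAMPLE = """pid,image_path
412,C:\\Windows\\System32\\SearchIndexer.exe
2280,C:\\Program Files\\ExampleFolder\\SearchIndexer.exe
2312,"C:\\Program Files\\ExampleFolder\\desktopsearchservice.exe"
3010,C:\\WINDOWS\\system32\\..\\System32\\searchindexer.exe
3544,C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""

def classify(image_path):
    """Return a finding label for a suspicious image path, or None."""
    # Normalise case, quotes and ".." segments so path tricks do not hide a match.
    path = ntpath.normpath(image_path.strip().strip('"')).lower()
    folder, name = ntpath.split(path)
    if name not in PAGE_COMPONENT_NAMES:
        return None
    legit = LEGIT_DIRS.get(name)
    if legit is None:
        return "name-match"   # name listed on the page, no expected location configured here
    if folder in legit:
        return None           # system binary in its expected directory
    return "masquerade"       # system binary name outside its expected directory

def scan(text):
    """Return (pid, path, finding) for each flagged row of the CSV export."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        finding = classify(row["image_path"])
        if finding:
            findings.append((int(row["pid"]), row["image_path"], finding))
    return findings

if __name__ == "__main__":
    for pid, path, finding in scan(SAMPLE):
        print(f"{finding:10} pid={pid} {path}")
```

A "name-match" result is a lead to triage, not a verdict; confirm with the file's signature and location before acting on it.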
The bitcoin miner is launched silently and uses your PC's system resources to do complex calculations. It sends the results to a mining server where the malware author has an account. We've seen Deminnix variants contact the following mining servers, many of which are legitimate and used by other users participating in the bitcoin mining system:
Changes browser home page
Certain variants of Win32/Deminnix, such as Trojan:Win32/Deminnix.A, change the home page of the following browsers:
It changes the default home page to fuxio.net.
Analysis by Amir Fouda