
Trojan:Win32/Vicenor.gen!B


Microsoft security software detects and removes this threat.

This threat can use your PC to generate or "mine" Bitcoins, a type of digital currency. This can severely affect the performance of your PC, making it seem to run slowly.

It can be installed on your PC when you visit a malicious or hacked webpage. You might have also downloaded it thinking it was something else, such as a picture or a legitimate program.

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Trojan:Win32/Vicenor.gen!B might be downloaded onto your PC by a drive-by download that uses an exploit when you visit a malicious or hacked webpage, or you might have downloaded it yourself thinking it was something else, such as a picture or a legitimate program (several of the file names below imitate image files or an Adobe component).

We have seen the trojan using the following file names:

  • 296291521.gif
  • adobe_restart[1].exe
  • btc[1].exe
  • image19.jpg.pif
  • www2d.gif
  • yif81909.png

It sets the following registry entries so that it runs each time you start your PC (either value may be present, and the data is the path to the trojan's own file):

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "WINSXS32"
With data: <file name and location of the trojan>
Sets value: "mService"
With data: <file name and location of the trojan>

Payload

Uses your PC to mine Bitcoins

The trojan contains and runs a Bitcoin mining program, which connects to a mining pool server and uses your PC's processing power to generate Bitcoins for the attacker. This can severely affect the performance of your PC, making it seem to run slowly.

We have seen the program connect to the following servers:

  • keep.<removed>.biz:2142/ using ID "bigbob0000001@<removed>.com" and password "password"
  • eacfcf.<removed>.com/ using ID "niggas" and password "password"
  • pool.<removed>.asia:8332/ using ID "redem_check" and password "orneliassssssssss"
  • xxxxxxxxxxxxxxx.<removed>.su:1942/ using ID "tyldix_1" and password "password"

The mining program is run in memory. This means that the trojan does not write the miner to disk as a separate file that you could find or delete; it loads and runs the miner directly from its own code, so the file to look for is the trojan itself, at the location recorded in the registry entries above.

Additional information

Trojan:Win32/Vicenor.gen!B creates a mutex, possibly as an infection marker to prevent multiple instances running on your PC. The mutex name varies between installations of the trojan; we have observed the following mutexes:

  • uxJLpe1m
  • whatwhstinthebdtt234905429090
  • w8a4w2s3i4t5e6dgtr34d03429394

Analysis by Jeong Mun


Symptoms

The following could indicate that you have this threat on your PC:

  • Applications run very slowly or take a very long time to load
  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Value: "WINSXS32"
    Value: "mService"
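As an added triage example, not part of Microsoft's write-up, the PowerShell script below checks a Windows host for the indicators listed in this entry: the Run values from the Installation and Symptoms sections, the mutex names from Additional information, the dropped file names, and established connections to the pool ports under Payload. The indicator values are taken from this page; the directories searched, the port check and the output format are assumptions made for the example, and the pool host names are not checked because the page removes them.

```powershell
# Added triage example for Trojan:Win32/Vicenor.gen!B (not Microsoft's own code).
# Indicator values come from the threat entry; search roots and the port check are assumptions.

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueNames = @('WINSXS32', 'mService')
$mutexNames = @('uxJLpe1m', 'whatwhstinthebdtt234905429090', 'w8a4w2s3i4t5e6dgtr34d03429394')
$fileNames  = @('296291521.gif', 'adobe_restart[1].exe', 'btc[1].exe',
                'image19.jpg.pif', 'www2d.gif', 'yif81909.png')
$poolPorts  = @(2142, 8332, 1942)   # ports seen in the entry; 8332 is also the normal bitcoind RPC port

$findings = @()
function Add-Finding($indicator, $detail) {
    $script:findings += [pscustomobject]@{ Indicator = $indicator; Detail = $detail }
}

# 1. Persistence: the Run values. Their data is the path of the trojan, so note whether it still exists.
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $valueNames) {
        if ($run.PSObject.Properties.Name -contains $name) {
            $path = ([string]$run.$name).Trim('"')
            $state = if (Test-Path -LiteralPath $path) { 'file present' } else { 'file missing' }
            Add-Finding "Run value $name" "$path ($state)"
        }
    }
}

# 2. Infection marker: the mutex only exists while the trojan is running, so this is a point-in-time check.
#    The entry does not say which namespace is used, so try both the session-local and Global names.
foreach ($name in $mutexNames) {
    foreach ($candidate in @($name, "Global\$name")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($candidate)
            $m.Dispose()
            Add-Finding 'Mutex present' $candidate
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present: the expected result on a clean host
        } catch [System.UnauthorizedAccessException] {
            # exists but cannot be opened from this context; still worth reporting
            Add-Finding 'Mutex present (access denied)' $candidate
        }
    }
}

# 3. Dropped files. Names such as "btc[1].exe" contain PowerShell wildcard characters,
#    so compare names literally rather than using -Include or -Filter.
#    Search roots are an assumption: the "[1]" suffix suggests browser cache or temp locations.
$searchRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ -and (Test-Path $_) }
foreach ($root in $searchRoots) {
    $hits = Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $fileNames -contains $_.Name }
    foreach ($hit in $hits) { Add-Finding 'Known file name' $hit.FullName }
}

# 4. Live mining traffic: established connections to the pool ports, with the owning process.
#    A port match alone is weak evidence (legitimate miners use 8332 too); use it to pick the process to inspect.
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
         Where-Object { $poolPorts -contains $_.RemotePort }
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'Connection to pool port' ("{0}:{1} from PID {2} ({3})" -f $c.RemoteAddress, $c.RemotePort, $c.OwningProcess, $proc.ProcessName)
}

if ($findings.Count -eq 0) {
    'No Vicenor indicators found.'
} else {
    $findings | Format-Table -AutoSize
    'Preserve the files and process listed above before remediation, then run a full scan with Microsoft security software.'
}
```

Run it in the context of the user whose profile you are checking, because both the Run key and an unqualified mutex name are per-user and per-session. A Run value with a missing file usually means the trojan was already removed; a present mutex or a pool connection means it is still running, and the owning process is what to collect from memory, since the miner itself is never written to disk.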

Prevention


Alert level: Severe
First detected by definition: 1.121.1421.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 13, 2012
This entry was first published on: Mar 13, 2012
This entry was updated on: Apr 16, 2014

This threat is also detected as:
  • Bitcoin Miner (Sophos)
  • Dropper/Win32.Injector (AhnLab)
  • TR/Zusy.5856.1 (Avira)
  • Trojan.BtcMine.70 (Dr.Web)
  • Trojan.Dropper.USW (BitDefender)
  • Trojan-Dropper.Win32.Injector.geyi (Kaspersky)
  • Virus.Win32.IRCBot.BSX (Ikarus)
  • W32/Injector.AW!tr (other)
  • W32/Trojan2.NUQQ (Command)
  • Win32/CoinMiner.AW (ESET)