Win32/Kexqoud is a family of trojans that use your computer without your consent to generate a specific digital currency known as Bitcoins.

It makes use of a legitimate program used for mining Bitcoins, using multiple accounts, to generate this currency.

What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Threat behavior


Kexquod is often bundled with legitimate applications such as games and productivity tools.

Upon execution, Win32/Kexqoud drops a copy of itself to the %APPDATA% directory with a random file name, such as:


It also drops a legitimate Bitcoin-mining tool in the %TEMP% directory, also with a random file name, such as:


Some variants of Kexqoud make the following changes to the registry, to ensure that the malware runs each time you start your computer:

In order to automatically execute on system start it adds the following registry keys

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<malware file name>"
With data: "%AppData%\<malware filename>.exe"


Runs a Bitcoin-miner

Win32/Kexqoud runs the Bitcoin-mining client in a manner that attributes newly-generated Bitcoins to an account specified by an attacker. This means, that any Bitcoins you generate - inadvertently or purposefully, will be credited to the attacker.

Below is the Bitcoin-mining format used by Kexqoud; multiple user accounts are used to perform this operation:

%TEMP%\<malware filename>.exe -g no -o http:// <user name> : <password> @ <bitcoin server> : <port>

The mining client is configured to run with high CPU utilization, which may significantly slow the performance of your computer.

Analysis by Zarestel Ferrer


There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Alert level: Severe
This entry was first published on: May 09, 2013
This entry was updated on: May 27, 2013

This threat is also detected as:
No known aliases