Installation
Win32/Vicenor may arrive on your computer through various means, such as through exploits found on websites you visit, or by being downloaded to your computer disguised as a legitimate program. It can also be downloaded onto your computer by other malware families, such as Win32/Phorpiex and Worm:Win32/Skuffbot.
When Vicenor runs on your computer, it commonly installs itself by creating the following registry entry so that its file runs each time you start Windows:
In Subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "WINSXS32"
With data: <trojan executable file name>
Win32/Vicenor has also been observed creating a copy of itself in the %TEMP% folder, and setting the following values in the registry subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure that it runs each time you start Windows:
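One way to check a machine for the persistence entry described above, as an added example that is not part of the original analysis: a PowerShell audit of the Run keys that flags a value named WINSXS32 or a value whose data points to a file under %TEMP%. Checking HKLM as well as HKCU is this script's own extra step, not something the page describes.

```powershell
# Added example (not from the original analysis): audit Run keys for the
# persistence pattern described above. Indicators taken from the page:
# value name "WINSXS32" and an executable dropped under %TEMP%.
# Assumption: the HKLM key is checked too, as a general precaution.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSChildName/... metadata; skip those
        if ($prop.Name -like 'PS*') { continue }
        $name = $prop.Name
        $data = [string]$prop.Value
        # Expand %TEMP% and similar so "%TEMP%\x.exe" compares to a real path
        $expanded = [Environment]::ExpandEnvironmentVariables($data).Trim('"')

        $reasons = @()
        if ($name -ieq 'WINSXS32') {
            $reasons += 'value name WINSXS32 (Vicenor indicator)'
        }
        if ($expanded.StartsWith($tempDir + '\', [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'autostart file located under %TEMP%'
        }
        if ($reasons.Count -gt 0) {
            # Emit one record per suspicious entry for review or export
            [pscustomobject]@{
                Key    = $key
                Name   = $name
                Data   = $data
                Reason = ($reasons -join '; ')
            }
        }
    }
}
```

A hit on either indicator warrants collecting the referenced file for analysis rather than deleting it immediately, so the miner's launch parameters and mining server can be recovered.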
Payload
Launches Bitcoin-miner
When launched, Win32/Vicenor starts a legitimate Bitcoin mining program in memory; such programs are freely available for download from various websites. A Bitcoin mining program uses your computer's processing power to perform the proof-of-work computation that generates Bitcoins for participants in the Bitcoin peer-to-peer (P2P) network. Win32/Vicenor passes specific parameters to the miner so that the results it calculates are credited to the attacker's account on a specific mining server.
For more information on the Bitcoin currency, see https://bitcoin.it/wiki/FAQ.
Vicenor has been known to launch two types of Bitcoin mining program: the "Ufasoft" miner and "minerd". Win32/Vicenor has also been observed contacting a number of mining servers.
Analysis by Amir Fouda