This site uses cookies. In order to read how we handle cookies please click here. Click on this message to accept and hide.
Go to top
18.97.9.168.US.SSL

BitCoin Miners and DirectConnect Bots

Imagine, if you will, a new user who just heard about the DirectConnect network and downloaded a NMDC client (may that be DC++, StrongDC++, Greylink++ or other client). The client is started and the user clicks the "Public hublists" button. A new normal user, of course, would join the first few biggest hubs. A few file lists are downloaded and.. what's next? A search. A search for something Google can't find. What if there are no results from all hubs the new user is in ? Well.. there are! Search for any random string and you get at least one result from a bot that has a file named by your searched string which ends with ".exe"!

Image
Image


You can notice that there is no path for the shared executable file. An attempt to get a bot's file list will get your IP blocked and all further connection requests to it rejected. The bot can provide an .exe and that's it. Currently, its IP in all hubs is 198.52.199.120 , and it can be reported to abuse@avantehosting.net and to abuse@centarra.com .

But, the big question is, what does the trojan do?

The trojan is a WinRAR self extracting archive that executes the following install script:

Code
Setup=ncmd.exe exec hide "dep.bat"
TempMode
Silent=1
Overwrite=1

The archive contains the following files:

Code
02/20/2014  10:46 PM           248,980 32.rar
02/20/2014  10:46 PM           239,972 64.rar
02/20/2014  10:47 PM         1,382,636 at.rar
02/17/2014  11:24 PM               969 dep.bat
01/23/2014  07:16 PM                77 ms.vbs
08/11/2013  03:41 PM            44,032 ncmd.exe
02/20/2014  10:48 PM         2,836,268 nv.rar
12/01/2013  02:08 PM           306,776 svchost.exe
               8 File(s)      5,059,710 bytes

All the .rar archives are password protected. The password to extract files from them is 12345 . Each archive contains a coin mining tool (minerd 32/64, cgminer and CudaMiner). By default, they use the mining server from eu.wafflepool.com:3333 and they update the BitCoin wallet 1KGE8qgbR7mafVtvt2YsS5hYau9YLRXJx4 using the password x . Svchost.exe (306776 bytes) is the renamed command line RAR, ncmd.exe (44032 bytes) is the NirSoft command line utility that can hide the console, dep.bat (969 bytes) is the actual installer that extracts files from password protected archives to %APPDATA%\WinUpdate\, and ms.vbs (77 bytes) is a command line message box popup generator.

Code
Set objArgs = WScript.Arguments
messageText = objArgs(0)
MsgBox messageText

Ms.vbs is used by dep.bat, after installing all the svchost.exe's and winlogon.exe's from the password protected archives to show a message box with the following string: "Error loading dll.".

If you are infected with this trojan, your overall system performance is decreased because your system resources are used to generate money for the trojan spreader.

How much money did this trojan make for its owner? You can check its infection stats here: http://wafflepool.com/miner/1KGE8qgbR7mafVtvt2YsS5hYau9YLRXJx4 (in case you need a password, you can use "x").

Do not download anything from these bots and use the +report command to report them to the operators that are online in the hubs you found them!
Posted by Vektor on 2014-02-28 23:18 4 likes

Comments

Date Author Comment
- - Leave your comment
2016-05-17 13:41 Guest Very interesting information. Thanks!
- - Leave your comment