Mahesh Sudula

Cybercriminals use various methods to distribute malicious software; one of them is a program's standard update mechanism. Trojan.Encoder.12544 (also known as Petya, Petya.A, ExPetya and WannaCry-2) and BackDoor.Dande were both spread this way. This article focuses on another, similar incident thoroughly examined by Doctor Web specialists.

One of our users informed our technical support that Dr.Web Anti-virus was constantly detecting and deleting a cryptocurrency-mining application. An examination of the anti-virus logs showed that the miner was hidden in a temporary folder on the infected computer. In addition, the application attempted to connect to an IP address belonging to the website of Astrum Soft, the developer of “Kompiuternyi Zal”, a program designed to automate computer clubs and cybercafes.

The application officially includes a cryptocurrency-mining function, which users can enable for times when the computers are idle.

Nevertheless, further research showed that the miner bothering the user was not the one built into “Kompiuternyi Zal” but a separate, hidden one. Doctor Web added it to its virus databases as Trojan.BtcMine.2869. The Trojan was downloaded automatically from Astrum Soft's servers via the update mechanism of the “Kompiuternyi Zal” program and then installed itself into the system.

Read more:

Doctor Web warns of a miner Trojan downloaded instead of a program update
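The incident above was noticed because a binary living in a temporary folder kept making network connections. Below is an added hunting heuristic that encodes that observation; it is example code written for this post, not Doctor Web's or Astrum Soft's, and the process and connection records in it are constructed (the user name in the Windows path and the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation placeholders). Note that the destination being a legitimate vendor address, as it was here, does not make the traffic benign, so the rule keys on where the executable runs from rather than on destination reputation.

```python
"""Flag executables running from temporary directories that hold outbound
network connections. Example code for this post (not the vendor's or the
anti-virus's own logic); all sample records are constructed."""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class ProcessRecord:
    pid: int
    image_path: str
    # (remote_ip, remote_port) pairs, as a netstat/EDR export would list them
    remote_addrs: list = field(default_factory=list)


def runs_from_temp(image_path: str) -> bool:
    """True if the image lives under a well-known temporary directory.

    Paths are lower-cased and backslashes normalised so the same check
    covers Windows and POSIX. The per-user %TEMP% check is a substring
    match because the profile directory name varies."""
    p = image_path.lower().replace("\\", "/")
    if "/appdata/local/temp/" in p:
        return True
    return any(p.startswith(prefix)
               for prefix in ("c:/windows/temp/", "/tmp/", "/var/tmp/", "/dev/shm/"))


def suspicious_processes(records):
    """Return (pid, image_path, external_connections) for every process that
    both runs from a temp directory and talks to a non-loopback address."""
    findings = []
    for r in records:
        if not runs_from_temp(r.image_path):
            continue
        external = [(ip, port) for ip, port in r.remote_addrs
                    if not ipaddress.ip_address(ip).is_loopback]
        if external:
            findings.append((r.pid, r.image_path, external))
    return findings


# Constructed sample data: one miner dropped into a user's %TEMP% that reaches
# out to a public address, one legitimate updater under Program Files talking
# to the same address, one temp-resident installer that only uses loopback,
# and one hidden binary under /tmp on a Linux host.
SAMPLE_RECORDS = [
    ProcessRecord(1234, r"C:\Users\club01\AppData\Local\Temp\svc.exe",
                  [("198.51.100.23", 8443)]),
    ProcessRecord(880, r"C:\Program Files\Example\updater.exe",
                  [("198.51.100.23", 443)]),
    ProcessRecord(2020, r"C:\Windows\Temp\installer_tmp.exe",
                  [("127.0.0.1", 49152)]),
    ProcessRecord(77, "/tmp/.x/kworker",
                  [("203.0.113.9", 3333)]),
]


if __name__ == "__main__":
    for pid, path, conns in suspicious_processes(SAMPLE_RECORDS):
        print(f"pid {pid}: {path} -> {conns}")
```

Run against a real export, the two flagged records are the ones worth pulling the binary for: the updater connecting to the same address is not flagged, because the heuristic is about execution location, and a legitimate updater staging a download in %TEMP% would only trip it while the staged file is itself executing and connecting out.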