
Trojan.NSIS.Miner.a

Detected Jun 28 2011 03:55 GMT
Released Jun 28 2011 06:04 GMT
Published Sep 08 2011 13:21 GMT

Technical Details

A Trojan program. It is a Windows application (PE EXE file), 244927 bytes in size. The malware is packaged with the Nullsoft Scriptable Install System (NSIS), a system for creating installation packages.

Installation

To ensure that it runs automatically each time the system starts, the Trojan adds a link to its executable file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"bcm"="<Original Filename>"


Payload

The Trojan extracts a file from its body and saves it under the following name:

%AppData%\bcm\bcm.exe
This file is 743936 bytes in size and is a client program for generating bitcoins. The Trojan launches the extracted file with certain parameters. The following login and password are used:
Login: john***88@mail.com
Password: J3***Q0xa
The attacker thus uses the infected computer to generate bitcoins for the attacker's own wallet.


Removal instructions

If your computer was not protected by antivirus software and has been infected by this malware, take the following steps to delete it:

  1. Delete the original program file (its location on the infected computer will depend on how the program got onto the computer).
  2. Delete the following entry from the system registry key:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "bcm"
    
  3. Using Task Manager, end the process:
    bcm.exe
  4. Delete the following file:
    %AppData%\bcm\bcm.exe
  5. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases.
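
The manual steps above can be checked and applied with a short PowerShell script. This is an added example, not part of the original description; the `-Remediate` switch and the variable names are the example's own, and it assumes it is run in the affected user's session.

```powershell
# Added example: check for (and optionally remove) the indicators listed above.
# Run in the affected user's session: both indicators are per-user (HKCU, %AppData%).
param([switch]$Remediate)   # -Remediate is this example's own switch

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$minerPath = Join-Path $env:APPDATA 'bcm\bcm.exe'
$minerSize = 743936         # size of the dropped miner, per the description

# Step 2 indicator: the "bcm" autorun value. Its data is the path of the original
# Trojan file, which is the file step 1 asks you to delete.
$original = (Get-ItemProperty -Path $runKey -Name 'bcm' -ErrorAction SilentlyContinue).bcm

# Step 4 indicator: the dropped miner.
$file = Get-Item -LiteralPath $minerPath -Force -ErrorAction SilentlyContinue

# Step 3 indicator: bcm.exe processes started from the dropped file.
$procs = @(Get-Process -Name 'bcm' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -eq $minerPath })

# Record what was found before anything is changed.
[pscustomobject]@{
    RunValueData   = $original
    MinerPresent   = [bool]$file
    MinerSizeMatch = [bool]($file -and $file.Length -eq $minerSize)
    MinerSha256    = if ($file) { (Get-FileHash -LiteralPath $minerPath -Algorithm SHA256).Hash }
    ProcessIds     = @(foreach ($p in $procs) { $p.Id })
} | Format-List

if ($Remediate) {
    if ($null -ne $original) {
        Remove-ItemProperty -Path $runKey -Name 'bcm'      # step 2
    }
    foreach ($p in $procs) {
        Stop-Process -Id $p.Id -Force                      # step 3
        $null = $p.WaitForExit(5000)                       # let the file lock clear
    }
    if ($file) {
        Remove-Item -LiteralPath $minerPath -Force         # step 4
    }
    # Step 1 stays manual: inspect the path in RunValueData before deleting that file.
}
```

Run it without `-Remediate` first and keep the output: the Run value data is the only record of where the original file was placed, and it is gone once the value is removed.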


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.