Trojan.NSIS.Miner.a

Technical Details
Payload
Removal instructions

Technical Details

A trojan program. It is a Windows application (PE-EXE file). 244927 bytes. This malware is created using the system to create the installation packages Nullsoft Scriptable Install System.

Installation

When starting to run automatically, the trojan will add a link to its executable file in the system registry startup key each time the system is started up again:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"bcm"="<Original Filename>"

Payload

The trojan will retrieve the file from its body and will save it under the following name:

%AppData%\bcm\bcm.exe

This file is 743936 bytes and is a client program for bitcoin generation. The trojan will launch the created file with certain parameters. The following details will be used as the password and login:

Login: john***88@mail.com
Password: J3***Q0xa

The infected computer will therefore be used by the attacker to generate bitcoins in its own wallet.

Removal instructions

If your computer has not been protected by antivirus software and has been infected by this malware, you will need to take the following steps to delete this:

1. Delete the original program file (its location on the infected computer will depend on how the program got onto the computer).
2. Delete the system registry key (how to work with the registry?):

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "bcm"
   

3. Using Task Manager, end the process:

   bcm.exe

4. Delete the following file:

   %AppData%\bcm\bcm.exe

5. Run a full Kaspersky Antivirus scan of the computer with updated antivirus databases (download trial version).