A combination of the ZeroAccess rootkit and Trojan.Dropper.Bcminer is going viral, at least in our state. Our friend, who has a small computer repair shop, told us he had to work overtime in order to repair all the computers that got infected with what was apparently the same nasty virus. This makes us wonder whether cyber crooks can target very small areas, or whether it was just a coincidence. Too bad he didn't provide any logs from those infected machines.
We believe it could have been a legitimate self-hosted WordPress site, or several such sites, hosting the malware. That would make sense, since all the victims live in the same area and mostly share the same interests. Besides, some antivirus companies recently reported that they have spotted a major malware campaign spread via infected WordPress websites that use hidden iframes to victimize computer users. This approach is not new, but it is still rather effective because hundreds of thousands of websites, especially self-hosted blogs, are not updated regularly by their owners. Malware authors can easily hide iframes in such pages and load malicious code from websites controlled by criminals; we usually call this a drive-by attack.
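To make the hidden-iframe pattern described above concrete, here is an added example (our own illustration, not code from the original post or from any product mentioned here) that scans saved page HTML for iframes that are sized 0x0/1x1, hidden via CSS, or carry the `hidden` attribute; the embedded sample page and the `dropper-host.invalid` hostname are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# CSS that hides a frame: display:none, visibility:hidden, or a large negative offset.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)

class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().rstrip("px")
            if val.isdigit() and int(val) <= 1:   # 0x0 or 1x1 frames
                reasons.append(f"{dim}={val}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:
            self.findings.append({"line": self.getpos()[0],
                                  "src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html):
    """Return a list of suspicious iframes found in the given HTML text."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a self-hosted blog page with one legitimate video embed
# and one injected 1x1 invisible frame (placeholder hostname, not a real IoC).
SAMPLE_PAGE = """<html><body>
<p>Latest post</p>
<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>
<div><iframe src="http://dropper-host.invalid/in.php" width="1" height="1"
 style="visibility:hidden"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(f"line {hit['line']}: src={hit['src']} ({', '.join(hit['reasons'])})")
```

Run it over the HTML of every page and theme/plugin template on a blog you administer; a frame pointing at a host you do not recognise is worth investigating, and the fix is still to update and clean the site rather than only the visitor's PC.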
You can learn more about the ZeroAccess rootkit here. Trojan.Dropper.Bcminer was something new to us, and since our friend sent us a sample of this infection, we decided to run it in our test environment. So, we ran the malicious file, rebooted the computer and, yippee, we had a perfectly working combination of a nasty rootkit and Trojan.Dropper.Bcminer. Later we found out that a search results redirect module had also been installed on our computer. What is more, Trojan.Dropper.Bcminer downloaded additional files from remote web servers that were necessary to start BitCoin mining. To learn more about BitCoins and how criminals use this legitimate service to earn money, please read this article about RiskTool.Win32.BitCoinMiner. The malicious files were requested from a web server closely related to the BlackHole exploit kit. That wasn't surprising, because this exploit kit is probably the most popular among cyber crooks right now.
We have to admit that such a malware combination makes sense. Cyber crooks earn money by redirecting victims to spam websites while the victims are using their computers. When the victims are away from their computers, the crooks use the bitcoin mining module to earn money as well. So, theoretically, they can earn money all day long.
Usually, our friend uses free malware removal tools to clean infected computers. His favorite is Malwarebytes' Anti-Malware. But this time he was rather disappointed with this software, because it just couldn't properly remove the infection.
As you can see in the image below, Malwarebytes finds malicious files and tries to remove them (reboot is required).
However, when the infected computer came back up, the remnants of this infection downloaded the core malware components again from web servers controlled by criminals and attempted to install Trojan.Bitminer and other malicious files once more. So, Trojan.Dropper.Bcminer keeps coming back.
Running a quick system scan with other anti-malware tools clearly showed that Malwarebytes couldn't remove the malicious files from the infected computer.
Of course, Malwarebytes is a great tool and we use it very often, but we do not rely on this single tool alone, and neither should you. In this case, Spyware Doctor did a great job and removed all the malicious files. To remove Trojan.Dropper.Bcminer and the associated malware from your computer, please follow the removal instructions below. If you have any questions or valuable remarks, please leave a comment below. Good luck and be safe online!
Trojan.Dropper.Bcminer removal instructions:
1. First of all, download TDSSKiller and run a system scan. This great utility will find and remove rootkits. Reboot your computer if required.
2. Then, download the recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.