Troubleshooting persistent WORM_COINMINER detection

    • Updated: 19 Oct 2018
    • Product/Version: OfficeScan 11.0, OfficeScan XG.All
    • Platform: N/A
Summary

WORM_COINMINER is a cryptojacker. It uses the target’s computing resources (CPU/GPU) to mine cryptocurrency. It can easily spread from one machine to another by means of:

  • Dropping a copy of itself on the shared folder (%Application Data%\<user name>) that it creates
  • Dropping a copy of itself on all physical and removable drives

Some variants, such as WORM_COINMINE.B, can perform dictionary attacks on password-protected shares. Common file names of this malware include, but are not limited to, the following:

  • IMG001.exe
  • DOC001.exe

These are the most common variants detected by Trend Micro:

Details

Follow the general guidelines in removing persistent malware

Follow the recommendations on removing persistent malware in OfficeScan.

Configure Scan Settings for Large Compressed Files

  1. Log in to the OfficeScan management console.
  2. Go to Agents > Global Agent Settings > Scan Settings for Large Compressed Files.
  3. Modify the default value for Real-time Scan from 2MB to 5MB.

There are different variants of WORM_COINMINER, and some are larger than 2MB. In certain scenarios, the default value prevents Real-time Scan from detecting the coinminer. Temporarily change the default value until the infection is cleaned.
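As an added example (not part of the Trend Micro article or of OfficeScan), the following PowerShell sweep looks for the common file names listed in the Summary on every drive visible to the session and marks copies larger than the 2MB default and the 5MB raised limit. The function name, parameters and output columns are assumptions made for illustration.

```powershell
# Added example: triage sweep for the dropped copies this article describes.
# The file names and the 2MB / 5MB values come from the article; the function
# name, parameters and output columns are assumptions made for illustration.
function Find-CoinminerDropCandidate {
    [CmdletBinding()]
    param(
        # Roots to sweep. Default: every file-system drive visible to this
        # session (fixed, removable and mapped network drives).
        [string[]]$Root = (Get-PSDrive -PSProvider FileSystem).Root,

        # Common names listed in the article (the article says the list is
        # not exhaustive, so an empty result does not prove a clean machine).
        [string[]]$Name = @('IMG001.exe', 'DOC001.exe'),

        # Default Real-time Scan value for large compressed files, per the article.
        [long]$DefaultLimitBytes = 2MB,

        # Temporary value the article recommends.
        [long]$RaisedLimitBytes = 5MB
    )

    foreach ($r in $Root) {
        # Skip drives with no media or unreachable shares.
        if (-not (Test-Path -LiteralPath $r)) { continue }

        # -Force includes hidden and system files; -contains is case-insensitive.
        Get-ChildItem -LiteralPath $r -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $Name -contains $_.Name } |
            ForEach-Object {
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path             = $_.FullName
                    SizeMB           = [math]::Round($_.Length / 1MB, 2)
                    OverDefaultLimit = $_.Length -gt $DefaultLimitBytes
                    OverRaisedLimit  = $_.Length -gt $RaisedLimitBytes
                    LastWriteTime    = $_.LastWriteTime
                    SHA256           = $hash.Hash   # empty if the file is locked
                }
            }
    }
}

# Files over the default limit are listed first.
Find-CoinminerDropCandidate |
    Sort-Object OverDefaultLimit -Descending |
    Format-Table -AutoSize
```

Rows with OverRaisedLimit set to True are larger than the temporary 5MB value as well, so include them when submitting logs to support.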

Enable scanning of network drive and removable storage devices

  1. Log in to the OfficeScan management console.
  2. Go to Agents > Agent Management.
  3. In the Agent Tree, select the OfficeScan Server/Domain/Computer.
  4. Go to Settings > Scan Settings > Real-time Scan Settings.
  5. Select “Scan network drive” and “Scan all files in removable storage devices after plugging in”.

  6. Click Save.

What to do if the issue still persists

  1. Refer to the KB article on generating and exporting logs in OfficeScan, and export the following logs (all machines, past 30 days):
    • Virus Logs
    • Agent Listing
  2. Submit the logs to Trend Micro Technical Support for analysis.
Category: Remove a Malware / Virus
Solution Id: 1121322