WORM_COINMINER is a cryptojacker. It uses the target's computing resources (CPU/GPU) to mine cryptocurrency. It spreads readily from one machine to another by:
- Dropping a copy of itself on the shared folder (%Application Data%\<user name>) that it creates
- Dropping a copy of itself on all physical and removable drives
Some variants, such as WORM_COINMINE.B, can perform a dictionary attack against password-protected shares. Common file names used by this malware include, but are not limited to, the following:
- IMG001.exe
- DOC001.exe
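As an added example (not from the Trend Micro article), a defender-side sweep that checks the two drop locations named above, each drive root and the per-user %Application Data%\<user name> folder, for the listed file names. The Users\<user>\AppData\Roaming\<user> layout is an assumption for modern Windows, and the sample tree it builds is constructed test data.

```python
import os
import string
import tempfile
from pathlib import Path

# File names the write-up lists for WORM_COINMINER; compared case-insensitively.
INDICATOR_NAMES = {"img001.exe", "doc001.exe"}


def candidate_locations(roots, user_names):
    """Yield (label, folder) pairs to inspect: each drive root and the
    %Application Data%\\<user name> folder the worm creates. The
    Users\\<user>\\AppData\\Roaming\\<user> layout is an assumption (Vista+)."""
    for root in roots:
        root = Path(root)
        yield "drive root", root
        for user in user_names:
            yield f"appdata share for {user}", root / "Users" / user / "AppData" / "Roaming" / user


def find_indicators(roots, user_names, names=INDICATOR_NAMES):
    """Return a sorted list of (label, path) for files whose name matches.
    Only the top level of each folder is listed: the write-up says the worm
    drops copies directly there, and drive roots can be very large trees."""
    hits = []
    for label, folder in candidate_locations(roots, user_names):
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if entry.is_file() and entry.name.lower() in names:
                hits.append((label, str(entry)))
    return sorted(hits)


def windows_drive_roots():
    """Enumerate the drive letters present on a Windows host (fixed and removable)."""
    return [f"{d}:\\" for d in string.ascii_uppercase if os.path.isdir(f"{d}:\\")]


def build_sample_tree():
    """Construct a throwaway directory that mimics an infected drive (test data only)."""
    base = tempfile.mkdtemp(prefix="coinminer_sample_")
    share = Path(base, "Users", "alice", "AppData", "Roaming", "alice")
    share.mkdir(parents=True)
    Path(base, "IMG001.exe").touch()      # copy at the drive root
    Path(share, "doc001.EXE").touch()     # copy in the per-user folder, mixed case
    Path(base, "readme.txt").touch()      # benign file, must not match
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for label, path in find_indicators([sample], ["alice"]):
        print(f"{label}: {path}")
    # On a Windows host, sweep real drives: find_indicators(windows_drive_roots(), [...])
```

A name match is only a lead for triage; confirm with the OfficeScan virus logs before treating a host as infected.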
These are the most common variants detected by Trend Micro:
Follow the general guidelines in removing persistent malware
Follow the recommendations on removing persistent malware in OfficeScan.
Configure Scan Settings for Large Compressed Files
- Log in to the OfficeScan management console.
- Go to Agents > Global Agent Settings > Scan Settings for Large Compressed Files.
- Modify the default value for Real-time Scan from 2 MB to 5 MB.
Enable scanning of network drive and removable storage devices
- Log in to the OfficeScan management console.
- Go to Agents > Agent Management.
- In the Agent Tree, select the OfficeScan Server/Domain/Computer.
- Go to Settings > Scan Settings > Real-time Scan Settings.
- Select “Scan network drive” and “Scan all files in removable storage devices after plugging in”.
- Click Save.
What to do if the issue still persists
- Refer to the KB article on generating and exporting logs in OfficeScan, and export the following logs (all machines, past 30 days):
- Virus Logs
- Agent Listing
- Submit the logs to Trend Micro Technical Support for analysis.