W32/BitCoinMiner.D (hosted in United States, Seattle, Amazon.com Inc.)

Resolved : [mining.eligius.st] To [23.21.225.111]

Control Panel:
http://mining.eligius.st

Newly opened files contained within memory:
File $Extend\$ObjId
File Documents and Settings\Administrator\Application Data
File Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Portable Devices
File System Volume Information\_restore{307E7B41-0455-430D-B7AD-0176BCF9FE0E}\RP21\change.log
File System Volume Information\tracking.log
File WINDOWS\Temp\Perflib_Perfdata_57c.dat
File trkwks

Potentially malicious changes in the NTUSER.DAT file
(This output only contains plain-text entries that were made to the registry hive. Path separators were stripped during extraction and have been restored; "3 2" is read as a directory name under Application Data, matching the value names "bat", "j", "svchost" and "rundll32" to the files bat.bat, j.exe, svchost.exe and rundll32.exe.)
"adobeupdate"=""C:\Documents and Settings\Administrator\Application Data\3 2\l3.lnk""

"adobeupdater"=""C:\Documents and Settings\Administrator\Application Data\3 2\rundll32.exe""

"C:\Documents and Settings\Administrator\Application Data\3 2\bat.bat"="bat"

"C:\Documents and Settings\Administrator\Application Data\3 2\j.exe"="j"

"C:\Documents and Settings\Administrator\Application Data\3 2\svchost.exe"="svchost"

"C:\Documents and Settings\Administrator\Application Data\3 2\rundll32.exe"="rundll32"

[NTUSER\Software\WinRAR SFX]

"C%%Documents and Settings%Administrator%Application Data"="C:\Documents and Settings\Administrator\Application Data"

This is from I_Post_Your_Info:
eligius.st uses the bitcoin address as the pool username, so you can track the hashrate and transactions using the info from the config:
http://eligius.st/~artefact2/7/1FweLVpvgdF84QrhVtAvUVkNM6A4qkNvhz
http://blockchain.info/address/1FweLVpvgdF84QrhVtAvUVkNM6A4qkNvhz

Live Recent Rounds:
http://eligius.st/~artefact2/
http://mining.eligius.st:8337 -u 1FweLVpvgdF84QrhVtAvUVkNM6A4qkNvhz -p x
ra.mining.eligius.st:8337

Sample

Hosting info:
http://whois.domaintools.com/23.21.225.111
