Categories: Worm

About “Worm:Win32/NeksMiner.A” infection

The Worm:Win32/NeksMiner.A is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.
DOWNLOAD NOW
6-day free trial available.

What Worm:Win32/NeksMiner.A virus can do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • A process attempted to delay the analysis task.
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in PCAP.
  • Reads data out of its own binary image
  • A process created a hidden window
  • Executed a very long command line or script command which may be indicative of chained commands or obfuscation
  • Drops a binary and executes it
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • A ping command was executed with the -n argument possibly to delay analysis
  • Uses Windows utilities for basic functionality
  • Attempts to modify desktop wallpaper
  • Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config
  • Created a process from a suspicious location
  • Installs itself for autorun at Windows startup
  • Attempts to modify proxy settings
  • Appears to use command line obfuscation
  • Creates a copy of itself
  • Uses suspicious command line tools or Windows utilities
  • Uses XCOPY for copying files

How to determine Worm:Win32/NeksMiner.A?



File Info:

name: 938150F91D742C07236F.mlwpath: /opt/CAPEv2/storage/binaries/43a76564e07435ac07f3d3d3ab49885bd0bf8562d0c14a87fc2d536d4c94b62bcrc32: 7F96B570md5: 938150f91d742c07236f8bf8c4823028sha1: 9a375e941eb880f0f8be3d8cef2e149b74df140bsha256: 43a76564e07435ac07f3d3d3ab49885bd0bf8562d0c14a87fc2d536d4c94b62bsha512: 12ad34b4acbe9499e789790f6b7809846f873b148d84dae895f3989901ee2fba2af9734f47670144fb5a16067ca54e44e5f01fc49804b02dc0cb4ceb510e9c2dssdeep: 24576:YavAavAavAavAavAavAavAavAavAavAavAavAavAav:YeAeAeAeAeAeAeAeAeAeAeAeAeAetype: PE32 executable (GUI) Intel 80386, for MS Windowstlsh: T16665CF9672E0C1A7E093463195AFDBB6EBB3B811321541133B603FAF3D35283642A757sha3_384: 145b627afa81a443a988c89301a1ac8c794c346dc46a6049f6fef49bdfb783e22df751a4312426c4a674c3872a7c2285ep_bytes: 81ec8001000053555633db57895c2418timestamp: 2009-12-05 22:52:01

Version Info:

0: [No Data]

Worm:Win32/NeksMiner.A also known as:

Lionic Worm.NSIS.BitMin.o!c
Elastic malicious (high confidence)
DrWeb Trojan.BtcMine.2062
MicroWorld-eScan DeepScan:Generic.BitcoinMiner.9.863E68DE
CAT-QuickHeal Trojan.NSIS.Miner.ZZ
ALYac DeepScan:Generic.BitcoinMiner.9.863E68DE
Cylance Unsafe
K7AntiVirus Trojan ( 004da88f1 )
Alibaba Worm:Win32/BitMin.7b8b212b
K7GW Trojan ( 004da88f1 )
Cybereason malicious.91d742
Symantec Trojan.Coinbitminer
ESET-NOD32 NSIS/CoinMiner.T
TrendMicro-HouseCall Coinminer.Win32.MALXMR.AOODAN
Paloalto generic.ml
Kaspersky Worm.NSIS.BitMin.d
BitDefender DeepScan:Generic.BitcoinMiner.9.863E68DE
NANO-Antivirus Trojan.Nsis.Agent.echzfj
Avast Win32:Mykings-U [Trj]
Tencent Nsis.Worm.Bitmin.Hsrx
Ad-Aware DeepScan:Generic.BitcoinMiner.9.863E68DE
Emsisoft DeepScan:Generic.BitcoinMiner.9.863E68DE (B)
Comodo TrojWare.Win32.Agent.evqfq@0
TrendMicro Coinminer.Win32.MALXMR.AOODAN
McAfee-GW-Edition BehavesLike.Win32.Injector.th
FireEye DeepScan:Generic.BitcoinMiner.9.863E68DE
Sophos ML/PE-A + Mal/Miner-E
SentinelOne Static AI – Malicious PE
GData DeepScan:Generic.BitcoinMiner.9.863E68DE
Avira TR/Dropper.Gen
MAX malware (ai score=85)
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Arcabit DeepScan:Generic.BitcoinMiner.9.863E68DE
Microsoft Worm:Win32/NeksMiner.A
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.BitCoinMiner.C931392
McAfee Artemis!938150F91D74
VBA32 Worm.BitMin
Malwarebytes Malware.AI.3412597764
APEX Malicious
Rising Trojan.PhotoMiner/NSIS!1.CB15 (CLASSIC)
Fortinet W32/CryptoMiner.L!tr
Webroot W32.Worm.NSIS.BitMin
AVG Win32:Mykings-U [Trj]
Panda Trj/CI.A
CrowdStrike win/malicious_confidence_100% (W)

How to remove Worm:Win32/NeksMiner.A?

  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.
Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.

Leave a Comment
Share
Published by
Paul Valéry
Tags: Worm:Win32/NeksMiner.A
2 years ago

Recent Posts

Mal/Swizzor-B removal tips

The Mal/Swizzor-B is considered dangerous by lots of security experts. When this infection is active,…

3 mins ago

Adware.Hotbar.1 information

The Adware.Hotbar.1 is considered dangerous by lots of security experts. When this infection is active,…

8 mins ago

Barys.456554 information

The Barys.456554 is considered dangerous by lots of security experts. When this infection is active,…

23 mins ago

Midie.66060 (file analysis)

The Midie.66060 is considered dangerous by lots of security experts. When this infection is active,…

34 mins ago

Should I remove “Symmi.6017 (B)”?

The Symmi.6017 (B) is considered dangerous by lots of security experts. When this infection is…

48 mins ago

Zusy.540971 removal tips

The Zusy.540971 is considered dangerous by lots of security experts. When this infection is active,…

49 mins ago