trojan.dropper.bcminer

Hi folks

trojan.dropper.bcminer

Has anyone else picked up this little nasty?

Just started this evening. Suddenly Firefox starts redirecting me and odd pop-ups!!!! :eek::eek::eek:

MSE and Windows firewall disabled by it, by the look of it. So I'm assuming it's pretty sophisticated. Google comes up with a few occurrences. Not easy to remove though! Malwarebytes Anti-Malware detects it, but can't remove it.

Luckily I have a full disk backup of my system disk from some 4 days ago. Restored this and it "appears" not to be there. Let's hope it just appeared in the last couple of days.

Full MSE and Malwarebytes Anti-Malware scans come up clean. Tried Kaspersky TDSSKiller and that comes up clean as well. Wonder if it's worth running anything else to check? Any suggestions?

As to where it's come from, God only knows. I'm usually so careful. The only suggestion that I can find is that it's related to a false Java or Adobe update. And let's be honest, I think most people just "click through" these. Can't remember one over the last couple of days though.

Worried I am.

PS. Ran the online ESET scanner and besides one false positive, that looks clean as well.
Still can't understand where this came from!?!?!
I have always gone to the same place for advice on such matters, though luckily they are very rare. I had a quick check if it had come up and it has only yesterday. Google trojan.dropper.bcminer and click the Bleeping Computer link a few down from the top. :)
 
I have always gone to the same place for advice on such matters, though luckily they are very rare. I had a quick check if it had come up and it has only yesterday. Google trojan.dropper.bcminer and click the Bleeping Computer link a few down from the top. :)

Hi... thanks for that. Already seen the same link and it's a swine to get rid of.

I've got my fingers crossed that recovering back to an Acronis True Image of my boot drive (taken last Wednesday) will have sorted it. On the principle that if I wasn't infected last Wednesday, now that I've recovered that image, I shouldn't be infected now.

A lot depends on whether this is one of those viruses that can hide for a while and then pop up again. Nothing I've run since recovering the image of the drive seems to detect it. But has it "really" gone?

Maybe time to dump MSE and look at a paid Anti-virus solution. Though obviously aware that nothing is infallible (especially from "human error").

Used Kaspersky for many years but it seemed to be following in the footsteps of Norton and becoming serious bloatware.

Life.....

Thanks for the replies folks.
 
The solution is to keep software patched and not to do anything stupid. A paid A/V product isn't going to do anything amazing.
 
The solution is to keep software patched and not to do anything stupid. A paid A/V product isn't going to do anything amazing.

Indeed :)

Not aware of doing anything "stupid" that's what I'm slightly worried about.
I don't go to dubious WEB sites, click on links in Emails, install things I don't trust etc.

Been a computer programmer for 30+ years, so sort of know the ropes.
Only my 2nd "infection" in the best part of 20 years of PC use. It's a good one though (ha ha).

PS. Neither Java nor Flash Player were the latest versions. Which surprises me, as they are both set to notify me of any updates. I've now updated them directly from the manufacturers' web sites. TBC, as they say.
 
PS. Neither JAVA, or Flash Player were the latest versions.

Game over. :)

Many top 1000 sites are hacked on a daily basis and modified to serve exploits.

You should disable the Java browser plug-in and temporarily enable it when you need it. Set Flash to auto-update. The same thing goes for any other plug-ins, extensions, PDF readers, operating system, etc.

There's also click to play plug-in mode, which is available in Chrome and Firefox.

Chrome: Settings > Advanced settings > Content settings > Plug-ins > Click to play
Firefox: about:config > Enable plugins.click_to_play flag
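The Firefox setting above lives in the profile's prefs.js/user.js as a `user_pref` line. As an added example (not from this thread or from Mozilla), here is a small Python checker that parses those lines, reports whether `plugins.click_to_play` is actually on, and writes a hardened copy; the sample prefs text is constructed, not taken from a real profile.

```python
import re

# Matches Firefox prefs.js / user.js entries such as:
#   user_pref("plugins.click_to_play", true);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict of name -> bool/int/str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # unknown form: keep verbatim
    return prefs


def click_to_play_enabled(text):
    """True only if plugins.click_to_play is explicitly set to true."""
    return parse_prefs(text).get("plugins.click_to_play") is True


def harden(text):
    """Return the prefs text with plugins.click_to_play forced on."""
    keep = [l for l in text.splitlines()
            if not l.strip().startswith('user_pref("plugins.click_to_play"')]
    keep.append('user_pref("plugins.click_to_play", true);')
    return "\n".join(keep) + "\n"


# Constructed sample profile text, not from any real machine.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("plugins.click_to_play", false);
user_pref("network.cookie.cookieBehavior", 1);
"""

if __name__ == "__main__":
    print("click-to-play enabled:", click_to_play_enabled(SAMPLE_PREFS))
    print(harden(SAMPLE_PREFS))
```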
 
KIA

Yep.. I was starting to think from other posts, that JAVA might have been my problem. I'll take the necessary steps to lock it down. Thanks..

Let's hope this infection happened in the last couple of days, so my recovery back to last Wednesday should have got rid of it. MBAM certainly doesn't find anything now.

Question... worth setting Java control panel to check daily?
 
tbh if you don't use Java just uninstall it, it's a liability. Same for Adobe Reader.

I use Chrome for its automatic Flash updates, and also as a PDF reader. The fact that it (the browser) updates itself regularly is a big help. Click to run plugins as suggested is another step in the right direction and I also disable scripting.
 
FF checks for update every 24 hours, flash (assuming you enabled auto update) runs a scheduled update check daily with 1 hour increments. Java only checks every Sunday morning, which is a vast improvement over the once per month check the previous version made - which is why it's used to open back doors in flash and almost everything else repeatedly.

Anyway, Malwarebytes will remove almost anything in safe-mode. Just takes ages.

People using Chrome because it updates flash is just ignorance these days.
 
FF checks for update every 24 hours, flash (assuming you enabled auto update) runs a scheduled update check daily with 1 hour increments. Java only checks every Sunday morning, which is a vast improvement over the once per month check the previous version made - which is why it's used to open back doors in flash and almost everything else repeatedly.

Anyway, Malwarebytes will remove almost anything in safe-mode. Just takes ages.

People using Chrome because it updates flash is just ignorance these days.

Thanks for that. Java control panel seems to give a "daily option" but that doesn't appear to work, just defaults back to the once a week update.

I think that I've just maybe got a bit complacent regarding O/L security over the years. Need to maybe pay more attention. Once bitten twice shy, as they say.

Now I know that a more comprehensive AV product (e.g. Bitdefender) won't protect me from being a knob, but wonder if it might still be worth considering an update. What does anyone think? (Currently MSE and Windows firewall and a once-a-week run of MBAM.)
 
Thanks for that. Java control panel seems to give a "daily option" but that doesn't appear to work, just defaults back to the once a week update.

Java's auto updater is fickle; I almost always end up going to the Java website and doing a straight download of the newest version.
 
KIA

Thanks for the tip re "Firefox click-to-play". At least this gives me some level of control and I can choose what runs.
 
You might want to have a look at NoScript or similar alternative as well.

I'm assuming that I can run this as well as the click-to-play option in Firefox?

If so, I think that this is getting installed as well.

Back in the day... I remember when "safe browsing" meant just not clicking on things... looks like you need now to put a bit more thought into it. Just goes to show that you can teach an old dog new tricks (that's me that is :D).
 
I'm not a Firefox user so I couldn't give you the specifics, but I think NoScript provides the same functionality as the click to play option (and more).

Much like yourself I had a "safe sites/no arbitrarily clicking on links" approach, and for the most part it works. But you have to remember even the largest sites are pulling in content from other domains and could themselves get hacked. I almost got burned with bad adverts served up on Facebook and Ars Technica (trusted sites?) so decided I needed to step up the security a little.
 
Thanks for that. Java control panel seems to give a "daily option" but that doesn't appear to work, just defaults back to the once a week update.

You probably have UAC enabled. You need to do the following:

Control Panel > Right-click Java > Create Shortcut. Open an elevated command-prompt by right-clicking on cmd.exe and run as administrator. Navigate to and open the short-cut which should be on the desktop. Make the change.
 
KIA

Thanks for that. But I have UAC switched off (I find it too intrusive), as up to now I would have considered that I knew what I was doing (:().

Can't find any way to set the "daily option" for Java updates. So it looks like I'll have to leave it as the once-a-week auto update.

I've updated Java and Flash Player to the latest versions and set both to auto update (not sure why they were not in the first place). I've implemented Firefox click-to-play; this at least gives you some control over what is run. I've had a look at NoScript but again I think this will be too intrusive. I've looked at other security add-ons for Firefox and installed WOT (while I accept that the rating can be skewed, at least it gives you a starter for 10).

Think I'll see how it goes from here. Though it looks like restoring the Acronis backup has got back to a point prior to the infection.

Moral here... keep your eye on the (security) ball.

Thanks again everyone for your comments.
 