coin miner
Issue #1006
invalid
I recently discovered some DNS requests on my system that went to stratum.ravenminer.com. Since I don't use any coin miners on my PC this seemed a bit weird. I did some packet capturing and found that the file that requests that record is called "serviced.tdi", and it sits in C:\Users[username]\AppData\Roaming\SpeedCrunch.
So, does SpeedCrunch contain a coin miner? Or what is the purpose of this file? If your application contains a coin miner then it should probably tell the user? I found no such information in the manual, and the source code also doesn't seem to reference it. Maybe I oversaw something, could someone clarify this?
Oh and the file also doesn't get deleted when you uninstall the program. Is the miner deactivated upon uninstalling the program or does it just keep running?
Comments (2)
-
-
- changed status to invalid
- Log in to comment
There is no miner included in SpeedCrunch, either in the official releases or the nightly builds I manage.
If you look for "serviced.tdi" in a search engine, you will end up on multiple reports about that miner. Each time, the file is located in a folder like "C:\Users\<USER>\AppData\Roaming\<APP>\serviced.tdi" (Skype here, Unity3d there and even the AVG anti-virus here). My guess is the malware installs itself in an already existing random folder in "C:\Users\<USER>\AppData\Roaming\" so that it looks legit.
You should find out how you got infected in order to remove the miner for good. Maybe the solutions given in the forum posts I linked to can help.