A mining trojan (cryptojacker) works by getting onto a system and consuming its resources, loading the processor or video card to the maximum in order to generate income for the attacker. The earnings are paid out in a cryptocurrency that can still be mined profitably on ordinary CPUs and GPUs, most often Monero rather than Bitcoin.
The developer of such a program makes money from the computing power of other people's equipment. The malware can also lead to the loss of personal data, destabilize the Windows installation and open the door to further threats. In this article we look at different methods of detecting and fighting it.
How to detect a miner?
It is important to recognize and eliminate malware in a timely manner. You should check your computer for the presence of such programs in the following cases:
- Slow PC operation. The processor load graph in Task Manager shows 40-100% load while you are not doing anything demanding.
- The video card is overloaded. Task Manager (Windows 10 1709 and later) and GPU monitoring tools show the GPU load percentage; under heavy load the card's coolers spin faster and get loud.
- RAM consumption increases. Check this on the Processes or Performance tab of Task Manager (not in Device Manager, which only lists hardware).
- High Internet traffic, unexplained deletion of files, periodic loss of connectivity or generally sluggish operation.
- Windows malfunctions or errors in installed programs.
If at least one of the reasons is present, we recommend checking for viruses.
Why is a miner dangerous?
A miner is dangerous for your computer and can cause serious damage:
- It reduces the service life of components. During mining the computer runs at maximum power for long periods, which shortens the life of the processor, video card, RAM and cooling system.
- It limits performance. The miner takes most of the machine's capacity for itself; only a small share is left for the user's own tasks.
- It can provide access to personal data. A miner is rarely delivered on its own: the same loader often drops a stealer or a backdoor, so the attacker gets not only the equipment's computing power but also confidential information.
The malware is usually controlled by a watchdog component that keeps it hidden from the user. The watchdog checks the list of running processes for activity monitors and pauses or kills the mining process the moment a scanner or Task Manager starts, so that the load disappears from view. The most aggressive samples disable monitoring programs outright.
How to find and remove a hidden miner: programs for detecting miners on a computer
How do you check a computer for a mining trojan? Before scanning, you need a scanner. Popular tools include the following:
- Kaspersky Rescue Disk and Dr.Web LiveDisk are bootable rescue media with a built-in anti-virus scanner. You boot the computer from them instead of from the infected Windows, so the malware is not running while the scan takes place and cannot hide itself or resist removal.
- Dr.Web CureIt! is a free on-demand scanner for finding and removing threats on a PC, including miners and trojans.
- Malwarebytes Anti-Malware is a scanner with advanced features; it often identifies threats that other programs have missed.
- Malwarebytes AdwCleaner removes adware, unwanted programs and the browser hijacks that often accompany them.
- CCleaner is not an antivirus: it tidies up Windows by deleting unnecessary files and fixing registry entries, which is useful after a clean-up, not for finding the miner. The on-demand scanners above do not conflict with each other, so you can run them one after another; there is no need to install all of them before scanning.
Before starting the scan, close all running programs. The fewer are open, the easier it is to attribute load, since a miner names itself after legitimate programs (a browser helper, an updater, a system process). With nothing else running, it is harder for it to remain unnoticed. Only Windows Update and the antivirus can be left enabled.
Detecting a virus using Task Manager
Atypical PC behaviour is a signal that it is time to check the system. You can look for a miner through Task Manager. On Windows it is opened with Ctrl+Shift+Esc, or by pressing Ctrl+Alt+Del and choosing "Task Manager". Close all programs, open Task Manager and, with the computer completely idle (do not even move the mouse), watch the processes for 10-15 minutes.
If some process keeps consuming CPU even though every program is closed, continue checking. The "Details" tab shows the name, PID and user of each process; right-clicking a process and choosing "Open file location" shows where its executable lives. Some miners load the video card rather than the CPU: on Windows 10 1709 and later, Task Manager's "Processes" tab has a GPU column, and tools such as Process Explorer from Sysinternals or AnVir Task Manager show more detail.
Some miners close Task Manager a few minutes after it starts, or pause themselves as long as it is open. There are also web miners that run from a page open in the browser. If the browser shows excessive activity in Task Manager, check which tab is responsible (Shift+Esc opens the browser's own task manager in Chromium-based browsers).
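As an added example (not part of the original article), the idle-load check above as a script: it samples each process's cumulative CPU time twice, computes the share of all cores used in between, and for anything above a threshold reports the image path, its Authenticode signature status and its established TCP connections. Because the script never launches taskmgr.exe, a miner that pauses when Task Manager appears has no trigger to react to. It assumes Windows 10 or 11 with PowerShell 5.1 or later, run from an elevated prompt so that every process's path can be read; the threshold and sample length are assumptions to tune.

```powershell
# Added example (not from the original article). Sample process CPU time twice and
# report anything that kept the processor busy between the samples, without ever
# starting Task Manager. Assumes Windows 10/11, PowerShell 5.1+, elevated prompt.

$SampleSeconds = 60     # assumption: how long to watch; the article suggests 10-15 idle minutes
$ThresholdPct  = 25     # assumption: average share of all cores that counts as suspicious
$cores = [int]$env:NUMBER_OF_PROCESSORS

# Get-Process .CPU is the cumulative processor time in seconds (null for protected
# processes, which the [double] cast turns into 0).
$before = @{}
Get-Process | ForEach-Object { $before[$_.Id] = [double]$_.CPU }
Start-Sleep -Seconds $SampleSeconds
$after = Get-Process

$suspects = foreach ($p in $after) {
    if (-not $before.ContainsKey($p.Id)) { continue }   # started during the window; skip it
    $usedPct = ([double]$p.CPU - $before[$p.Id]) / ($SampleSeconds * $cores) * 100
    if ($usedPct -lt $ThresholdPct) { continue }

    # Where the binary lives and whether it is signed. Dropped miners usually sit in a
    # user-writable folder and carry no valid signature.
    $path = $p.Path
    $sigStatus = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
    $userWritable = [bool]($path -and ($path -match '\\(Temp|AppData|ProgramData|Users\\Public)\\'))

    # A pool miner holds a long-lived TCP connection to its pool; list this PID's peers.
    $peers = Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
             ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

    [pscustomobject]@{
        PID          = $p.Id
        Name         = $p.ProcessName
        AvgCpuPct    = [math]::Round($usedPct, 1)
        Path         = $path
        Signature    = $sigStatus
        UserWritable = $userWritable
        Peers        = (@($peers) -join ', ')
    }
}

$suspects | Sort-Object AvgCpuPct -Descending | Format-Table -AutoSize -Wrap
```

Run it while the machine is idle. A legitimate process that happens to be busy (an indexer, a game, a build) will also appear, so the path, signature and peers are what separate a miner from noise: an unsigned binary in AppData or Temp holding a connection to an unknown host on a port such as 3333 or 4444 is the typical picture. GPU miners do not show up in this CPU measure; on Windows 10 1709 and later the `\GPU Engine(*)\Utilization Percentage` counter set (readable with Get-Counter) or Task Manager's GPU column covers that.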
Removing the mining virus
Having covered the terminology, we come to the actual removal of mining malware. There are several ways to do it, and it is worth knowing each of them, since in practice only one of them may work against a given sample.
The first method relies on the miner's own evasion trick: when Task Manager is launched, the pest pauses its activity for a while, as if it falls asleep. Pausing does not remove it from disk, so a file scan still finds it; what the pause prevents is spotting it by CPU load alone. So:
- Launch "Task Manager";
- The miner goes to sleep. At this moment, start an antivirus scan; while the miner is idle, the antivirus scans the system and finds the file;
- Remove the miner with the antivirus.
This is the simplest method and the one to try first; only if it does not help do we move on to the others.
How to remove a virus using the program?
Antivirus software does not always treat miners as malware. A scan may classify them as "potentially unwanted" or "riskware", but nothing more, and may leave them in place unless you explicitly choose to remove them. In addition to antiviruses, special utilities are suitable for searching for miners; one of the most popular free ones is Dr.Web CureIt!.
You can also try to eliminate the miner manually. Before deleting anything, be sure that what you found really is the malware. If there is no doubt, type "regedit" into Windows search, open the Registry Editor and press Ctrl+F; enter the process name from Task Manager and search. Registry values that launch the malicious file (typically under the Run keys or in a service definition) should be deleted; this removes the autostart, not the file itself, so also note the file path, end the process and delete the file. Then reboot and check in Task Manager whether the load has gone.
There are also other ways to remove the miner:
1. Using Task Manager:
Step 1. Open Task Manager (Ctrl+Shift+Esc) and switch to the "Details" tab.
Step 2. Read the list of processes and find questionable ones. A miner often has a random-looking name, or imitates a system process but runs from the wrong folder.
Step 3. Right-click the process, choose "Open file location" and note the path of the executable.
Step 4. The miner can masquerade as a system update. To check, search the file name on the Internet and compare the expected location with where it actually runs from; the file's "Properties" - "Digital Signatures" tab shows whether it is signed and by whom.
Step 5. End the process, delete the file, then search the registry for its name and delete the entries that start it.
Step 6. Restart your computer.
2. Using AnVir Task Manager:
Step 1. Download and install the multifunctional process manager AnVir Task Manager.
Step 2. Open the utility and examine all active processes. If one seems suspicious, hover over it to see information about the program, then right-click it and go to "Detailed information" - "Performance".
Step 3. Select "1 day" and look at the PC's load for this period.
Step 4. If the system was heavily loaded by some process, write down its name and path.
Step 5. Right-click - "End process".
Step 6. Type "regedit" into Windows search and open the Registry Editor.
Step 7. Go to "Edit" - "Find", enter the name of the suspicious file and delete all matches.
Step 8. Uninstall the program (or delete its files).
Step 9. Scan the system with an antivirus. If threats are found, remove them.
Step 10. Restart your PC.
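Rather than searching the registry by name, as the steps above do, a practitioner would enumerate every autostart location at once. The following script is an added example, not code from the article or from AnVir: it lists Run/RunOnce keys, scheduled task actions, services and WMI command-line event consumers, and flags entries whose executable sits in a user-writable folder, is missing, or has no valid signature. It deletes nothing. Assumptions: Windows 10/11, PowerShell 5.1 or later, an elevated prompt (HKLM, services and the root\subscription namespace need it); the folder list that counts as "user-writable" is an assumption.

```powershell
# Added example (not from the original article): list the usual persistence locations a
# dropped miner uses and flag suspicious entries. Nothing is deleted; review the output.
# Assumptions: Windows 10/11, PowerShell 5.1+, elevated prompt.

# Pull the first executable/script path out of a command line, quoted or not.
function Get-ImagePath([string]$CommandLine) {
    if (-not $CommandLine) { return $null }
    $exp = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($exp -match '"([^"]+\.(exe|dll|cmd|bat|ps1|vbs|js))"') { return $Matches[1] }
    if ($exp -match '([A-Za-z]:\\[^\s"]+\.(exe|dll|cmd|bat|ps1|vbs|js))') { return $Matches[1] }
    return $null
}

# Why an entry deserves a look, or $null if it looks ordinary.
function Test-Suspicious([string]$Path) {
    if (-not $Path) { return 'no recognizable path' }
    if ($Path -match '\\(Temp|AppData|ProgramData|Users\\Public|Downloads)\\') { return 'user-writable dir' }  # assumed list
    if (-not (Test-Path -LiteralPath $Path)) { return 'file missing' }
    $status = (Get-AuthenticodeSignature -FilePath $Path).Status
    if ($status -ne 'Valid') { return "signature: $status" }
    return $null
}

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($Source, $Name, $Cmd) {
    if (-not $Cmd) { return }
    $why = Test-Suspicious (Get-ImagePath $Cmd)
    if ($why) { $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Cmd; Reason = $why }) }
}

# 1. Run / RunOnce keys for the machine and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider properties, not values
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($n in $props.PSObject.Properties.Name) {
        if ($n -in $meta) { continue }
        Add-Finding $k $n ([string]$props.$n)
    }
}

# 2. Scheduled tasks: they survive reboots and are easy to dress up as "updaters".
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if ($a.Execute) { Add-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" "$($a.Execute) $($a.Arguments)" }
    }
}

# 3. Services: a service binary in a user-writable folder or without a signature is unusual.
foreach ($s in Get-CimInstance Win32_Service) {
    Add-Finding 'Service' $s.Name $s.PathName
}

# 4. WMI event subscriptions: rare in legitimate software, used by fileless miners.
$consumers = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    $findings.Add([pscustomobject]@{ Source = 'WMI consumer'; Name = $c.Name; Command = $c.CommandLineTemplate; Reason = 'review every WMI consumer' })
}

$findings | Format-Table -AutoSize -Wrap
```

A few legitimate programs (unsigned portable tools, some vendor updaters) will show up, so treat the list as a queue for manual review. Once an entry is confirmed malicious, remove the autostart (registry value, task, service or WMI subscription) and the file together, in that order, so that nothing recreates the file before the next reboot.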
If you regularly download content from pirated portals or unverified files, run a full scan of your computer regularly. Pay attention to how the hardware behaves: on an idle machine the fans should not be spinning up.
What is the harm of shadow mining, and what is a miner virus?
Most ordinary users do not know what mining is, and therefore do not realise the danger of these programs.
Hidden mining, in simple terms, is performing the proof-of-work calculations of a cryptocurrency on someone else's processor or video card.
Hidden mining is carried out on any device with a processor:
- On smartphones and tablets; Android suffers most often from mining malware.
- On desktop computers and laptops; the Windows operating system is the most common target.
While the unsuspecting owner of the equipment is minding his own business, working with documents, watching a movie, playing a game or, say, logging into a ZenCash wallet, the attacker receives cryptocurrency for the hashes the processor computed.
Some miners spread on their own, worm-fashion, and can infect home and office networks. They bring especially large sums when they get into a bank's infrastructure or into a research centre with many powerful computers working around the clock.
Consequences of infection by a miner
Mining demands a lot of computing power from a computer or smartphone, that is, it puts a heavy load on the equipment. The malware causes the following consequences:
- Rapid wear of parts. This especially affects processors and video cards.
- Overheating. A rise in temperature leads to throttling and erratic operation: the computer or smartphone slows down, freezes or constantly reboots. In the latter case the attacker gets no money, but the owner cannot use the device normally either.
- Hardware failure. If a smartphone or PC has low-quality parts, the extreme load can burn out components or contacts.
In specialised mining farms and data centres a great deal of attention is paid to cooling. There is a high-quality uninterrupted power supply and protection against surges in the mains. Miners try to calculate the load so that ASICs and video cards stay profitable and remain operational for a long time.
Attackers do not spare other people's equipment and try to get the most out of it. Home computers and smartphones do not have cooling designed for sustained full load, and they do not need it in normal use. Owners usually do not monitor processor temperature, and sooner or later the equipment fails.
The owner also pays for the electricity. This is most noticeable on a home network of two or more infected computers.
Types of mining viruses
There are two types of mining malware.

| Type | When it is active | What it is |
| --- | --- | --- |
| Browser (online) | Only while the tab with the infected page is open. | A JavaScript (often WebAssembly) script embedded in the page code. |
| Desktop or mobile | Whenever the device is on and connected; it does not matter whether the user is active. | An executable stored in one of the system or user folders. It needs a connection to the attacker's mining pool to submit results; without Internet access the work it does earns nothing, although the load may still be there. |

Browser miners are less dangerous than desktop ones because the malicious code is not saved to the computer. The script does not overload the processor as much, but if a person visits the infected site regularly, the hardware still suffers.
The rarest type is the mobile miner, because smartphones do not have as powerful a processor as a computer, so mining on a phone is less profitable for the attacker.
Ransomware, which encrypts users' files and demands a ransom in cryptocurrency, is not a miner, even though both are paid in cryptocurrency.
The names of mining malware families are not often mentioned in the press, because such software is hard to detect and to tell apart. Here are four families that have been described:

| Family name | Peculiarities |
| --- | --- |
| CPU Miner | Includes more than 10 variants. |
| VnIgp Miner | Successfully hides from antiviruses. |
| Bad Miner | Quickly disables computers and places a heavy load on the processor. |
| Bitcoin Miner | Mines only bitcoins. Described by Kaspersky Lab; it loads the processor up to 95% of maximum performance. |
Hackers are constantly improving their code and creating new solutions.
For example, for a long time it was enough to open Task Manager to spot a miner. Task Manager is the panel showing the load on the processor; in Windows it is called with Ctrl+Shift+Esc, or with Ctrl+Alt+Del followed by "Task Manager".
Modern desktop miners stop mining the moment Task Manager is launched, so that the raised processor load cannot be noticed there. Browser scripts do not do this yet, so if a tab that is not doing anything visible (a page that has finished loading, a video that is paused) is responsible for more than 30% of CPU load, that signals a mining script.
How can you become infected with the virus?
Browser miners can be found on websites of absolutely any topic, not necessarily dedicated to cryptocurrencies. Attackers favour sites whose audience is non-technical and returns often; topics that have been used include:
- cooking;
- raising children, family relationships;
- psychology;
- handicrafts and plant growing;
- pet care;
- health and beauty, manicure;
- astrology, Tarot fortune telling, mysticism, etc.
Visitors to such sites usually know less about computers than, for example, programmers, and so are less likely to notice the load. A regular visitor returns to the same resource many times and gives the attacker the opportunity to earn again and again.
Browser miners are also planted on sites where the visitor spends more than 10 minutes at a time. The following types of web resources are commonly affected:
- Online cinemas, especially with full-length films lasting more than an hour.
- Services for listening to music online.
- Online Games.
- Services for drawing, creating business card templates, etc.
The owners of such sites often have no idea that a mining script is on their resource. Such code can be inserted not only by an outside attacker who has compromised the site, but also by anyone with administrator access: a programmer, layout designer or content manager working for the webmaster.
The second type, desktop malware, infects computers when downloading files and programs:
- films and music;
- books and other texts;
- drivers, for example for a printer, etc.
A miner can be downloaded together with a cryptocurrency wallet. The attackers' logic is clear: a person who wants a wallet probably has fairly powerful hardware, and good money can be made on it.
The miner's code may be combined with other components, for example ones that steal money from a wallet, or that collect and send passwords, PIN codes, private keys and seed phrases to the attackers.
GPU miners are especially often bundled into cracked computer games and cheats for them. Gamers quickly notice the unwanted code from the drop in FPS (frames per second) and uninstall the game, but the miner stays behind in the system.
Attackers use various tricks to make a person download the file they need:
- Hijacking accounts in instant messengers and social networks. A file is sent to all of the victim's contacts: a picture captioned "Look how funny they caught you here!", a text file with the comment "I've wanted to tell you this for a long time, and now I've finally decided", or an audio track "This song reminds me of you, be sure to listen!". Skype is especially weak in this respect, as it does not let you preview a file without downloading it.
- E-mail campaigns. Attackers are well versed in social engineering and send messages that people cannot ignore, for example a letter purporting to come from a bank or the tax office.
After downloading such a file, a person may realise they have been deceived and run an antivirus, but against a well-made miner a scan from inside the running system will not necessarily help; a rescue disk scan from outside it is more reliable.
Symptoms of infection, how to recognize miner viruses
You can suspect something is wrong from the following signs:
- The computer's fans are noisier than usual. The system is trying to cool a heating processor or video card, which is the consequence of a miner running on it.
- Video playback or a computer game is slow. Miners on video cards lead to this result.
- With three or more tabs open in the browser, the computer slows down. This is a sign of a browser miner.
- Task Manager closes by itself 3-5 minutes after being opened. There is a class of miners that does this: if the user opens Task Manager and walks away, the malware closes it so that it does not get in the way of mining. Task Manager should never close on its own.
As the hardware wears out, the system starts to reboot, components may burn out, and it ends with the equipment not turning on at all. If only the processor burns out, it can be replaced and the files on the hard drive recovered. If the drive itself has suffered from an unstable power supply, the files are lost partly or entirely.
How the virus miner works
A mining trojan works on the same principle as other trojans:
- It gets onto the computer and installs itself on the system drive (usually C:) or on any drive that holds system files. Sometimes it installs in the Temp folder, where temporary files are stored.
- It disguises itself as service software, for example as a browser update, or creates a folder named "Windows" in which the letter "o" is a Cyrillic "о" (a homoglyph), so that the name looks like the real operating system folder while being a different path.
- It starts and stops its work according to the schedule laid down by its developers.
Miners can even update their own code, masquerading as browser or driver updates.
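The homoglyph trick and the Temp folder mentioned above can be searched for directly. As an added example (not from the article), the script below normalises Cyrillic look-alike letters to Latin and reports any folder under the system drive, ProgramData or the user profile whose normalised name matches a protected name such as Windows, plus any unsigned executable in the temporary folders. The Cyrillic-to-Latin table and the list of protected names are assumptions to extend; it assumes Windows with PowerShell 5.0 or later.

```powershell
# Added example (not from the original article): find folders whose name imitates a
# system folder using Cyrillic look-alike letters, and unsigned executables in Temp.
# Assumptions: Windows, PowerShell 5.0+ (for -Depth); tables below are assumed lists.

# Cyrillic code points that look like Latin letters, paired with the letter they imitate.
$pairs = @(
    @(0x0430,'a'), @(0x0441,'c'), @(0x0435,'e'), @(0x043E,'o'), @(0x0440,'p'), @(0x0445,'x'), @(0x0443,'y'),
    @(0x0410,'A'), @(0x0412,'B'), @(0x0421,'C'), @(0x0415,'E'), @(0x041D,'H'), @(0x041A,'K'), @(0x041C,'M'),
    @(0x041E,'O'), @(0x0420,'P'), @(0x0422,'T'), @(0x0425,'X')
)
# A typed dictionary keeps char keys exact (the default @{} hashtable is case-insensitive).
$homoglyphs = New-Object 'System.Collections.Generic.Dictionary[char,string]'
foreach ($pair in $pairs) { $homoglyphs[[char]$pair[0]] = $pair[1] }

# Replace every look-alike letter with its Latin twin, so "Wind<Cyrillic o>ws" becomes "Windows".
function Convert-Homoglyphs([string]$Name) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Name.ToCharArray()) {
        if ($homoglyphs.ContainsKey($ch)) { [void]$sb.Append($homoglyphs[$ch]) } else { [void]$sb.Append($ch) }
    }
    return $sb.ToString()
}

# Names a fake folder would imitate (assumed list; extend as needed).
$protected = 'Windows', 'System32', 'Program Files', 'Microsoft', 'Intel', 'NVIDIA', 'Google', 'Common Files'

function Find-LookAlikeFolders([string[]]$Roots) {
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth 2 -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $n = $_.Name
            # Only a name containing at least one non-ASCII character can be a homoglyph fake.
            ($n -match '[^\x00-\x7F]') -and ($protected -contains (Convert-Homoglyphs $n))
        } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'look-alike folder'; Path = $_.FullName; Detail = "imitates '$(Convert-Homoglyphs $_.Name)'" }
        }
    }
}

function Find-UnsignedTempExecutables([string[]]$Dirs) {
    foreach ($d in $Dirs) {
        Get-ChildItem -LiteralPath $d -Include *.exe, *.dll, *.scr -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $st = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            if ($st -ne 'Valid') { [pscustomobject]@{ Kind = 'unsigned executable'; Path = $_.FullName; Detail = "signature: $st" } }
        }
    }
}

$roots = @("$env:SystemDrive\", $env:ProgramData, $env:USERPROFILE)
$temps = @($env:TEMP, "$env:SystemRoot\Temp")

$results = @(Find-LookAlikeFolders $roots) + @(Find-UnsignedTempExecutables $temps)
$results | Format-Table -AutoSize -Wrap
```

Unsigned installers and extracted setup files routinely appear in Temp, so the second list is noise-prone; what matters is an unsigned executable in Temp that is also running or referenced from an autostart entry. The look-alike folder check has no such ambiguity: a non-ASCII folder name that normalises to "Windows" or "Program Files" has no legitimate reason to exist.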
How to find and protect your PC from hidden mining?
To protect against mining malware, take the following steps:
- Install a reliable antivirus, keep its databases updated and scan regularly.
- Install only the programs you need, and reinstall or restore the operating system at the first signs of infection (or, as a precaution, every 2-3 months).
- Add entries blocking known malicious domains to the hosts file, using lists published openly on GitHub, as described in the section on protection against browser mining.
- Prevent uncontrolled installation of software. One option is to disable Windows Installer: press Win+R, run gpedit.msc (not available on Home editions), go to "Computer Configuration" - "Administrative Templates" - "Windows Components" - "Windows Installer" and set "Turn off Windows Installer" (called "Disable Windows Installer" on older systems) to Enabled, option "Always". Note that this only blocks MSI packages; a plain .exe dropper is unaffected.
- Allow only verified programs to run. Use Software Restriction Policies (secpol.msc, "Software Restriction Policies") or AppLocker with a default-deny rule set that permits only executables under Program Files and Windows, or those signed by trusted publishers. Leave the Enforcement setting at "Enforce certificate rules"; choosing "Ignore certificate rules" would make the policy disregard publisher certificates, the opposite of what is wanted.
- Allow network access only on the ports you actually need. This is configured in the firewall and antivirus settings.
- Prohibit remote access from the Internet to your home router's administration interface, and change its default password (see its manual).
Create a system backup
I have already talked many times about creating a system image at a time when there were no failures on the system. I create this backup several times a year. But most of my readers continue to ignore this method, and in vain. Let me remind you that to create a system image I use the free program AOMEI Backupper Standard. I will not talk about this software in detail now, since I have already written a detailed article about it. To learn more about this method, you just need to follow the link...
Precautionary measures
Precautionary measures when working on a computer reduce the risk of infection by hidden miners, as well as by other malware. The simple safety rules are as follows:
- Do not use or install pirated software, or programs downloaded from unknown resources;
- Limit the list of people who have access to the computer. Set passwords, work from a non-administrator account day to day, and restrict third parties' ability to install programs.
- Enable the firewall on your computer and router, and use whatever other protection your router model supports.
- Keep visits to sites with questionable content to a minimum, and avoid sites without a valid TLS (HTTPS) certificate; note that HTTPS only protects the connection and says nothing about whether the page carries a mining script.
- Install browser add-ons that block mining scripts on websites.
- Spread as little information online as could help an attacker. Try not to store passwords and personal information in the browser or in plain text.
- Regularly update the antivirus program and its virus definitions, as well as critical operating system security updates.
Browser mining protection
The key signs of browser mining are a computer that slows down on certain sites and high processor load while those pages are open. The following methods are used for protection:
- Blocking the domains that serve mining scripts in the hosts file.
- Using anti-mining programs, which also remove mining malware.
- Disabling JavaScript in the browser settings. This stops in-page miners but breaks most sites that rely on JavaScript to display content, so it is rarely practical as a blanket setting.
- Using browser add-ons. This lets you keep browsing normally. Common add-ons for protection against mining are NoScript, NoCoin, MinerBlock, Antiminer and others. Some browsers (Opera, for example) have built-in protection, activated in the ad-blocking settings ("NoCoin" item).
- Using filters in uBlock Origin, AdBlock and similar blockers.
As a rule, ad-blocking add-ons have separate settings that let you enable filter lists targeting browser mining, or add your own filters for domains used for hidden mining.
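The hosts-file blocking mentioned in the protection checklist and in this section, together with the port restriction from the checklist, as an added example (not part of the original article): the script appends 0.0.0.0 entries for a list of mining-script domains to the hosts file, backs the file up first, flushes the DNS cache, and adds an outbound Windows Firewall rule for the TCP ports pool miners commonly use. The five domains are a short sample of historically known mining-script hosts, not a maintained list; in practice load one of the community lists published on GitHub and review it before applying. The port list is an assumption. It requires an elevated PowerShell 5.1 or later on Windows 10/11.

```powershell
# Added example (not from the original article): hosts-file blocklist plus an outbound
# firewall rule for common Stratum ports. Assumes Windows 10/11, elevated PowerShell 5.1+.

$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$marker    = '# --- antiminer block list ---'

# Short sample of historically known mining-script domains; replace with a maintained list.
$blockedDomains = @('coinhive.com', 'coin-hive.com', 'jsecoin.com', 'crypto-loot.com', 'minero.cc')

# Append "0.0.0.0 <domain>" for each domain not already present; returns how many were added.
function Add-HostsBlock([string]$Path, [string[]]$Domains) {
    $existing = Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue
    $lines = foreach ($d in $Domains) {
        # 0.0.0.0 fails immediately; 127.0.0.1 would wait for a local listener to time out.
        $entry = "0.0.0.0 $d"
        if ($existing -notcontains $entry) { $entry }
    }
    if ($lines) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        Add-Content -LiteralPath $Path -Value (@($marker) + @($lines))
        ipconfig /flushdns | Out-Null
    }
    return @($lines).Count
}

# Block outbound TCP to ports commonly used by mining pools (assumed list; adjust to your environment).
function Add-StratumBlockRule {
    $ports = 3333, 4444, 5555, 7777, 8888, 14444, 45700
    $name  = 'Block Stratum mining ports'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort $ports -Profile Any | Out-Null
    }
}

$added = Add-HostsBlock -Path $hostsPath -Domains $blockedDomains
Write-Host "hosts: $added new entries"
Add-StratumBlockRule
Write-Host 'firewall: outbound Stratum rule in place'
```

Two caveats. Ports are not reserved for mining, so the firewall rule may block unrelated software; and a miner configured for Stratum over TLS on port 443, or for a pool reached by raw IP address, is not affected by either measure. The hosts list is the more precise of the two, and the rule is a coarse backstop.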
Yandex and Google also have protection and anti-malware measures:
- Yandex protection. Yandex Browser has automatic protection against mining on all platforms: a special algorithm monitors processor load while browsing, and mining scripts are blocked automatically without affecting the rest of the site. To see the load of individual Yandex Browser processes, press Shift+Esc; in this window you can analyse each site, extension and tab for CPU usage.
- Google protection. Google removed cryptocurrency-mining extensions from the Chrome Web Store in April 2018. In Chrome itself, protection comes from add-ons, from enabling Safe Browsing (protection from dangerous sites) in the security settings and, on older versions, from the "Find and remove malware" tool under advanced settings (this Chrome Cleanup tool was retired in 2023). To spot mining while Chrome is open, press Shift+Esc to open Chrome's task manager and see which tab or extension consumes the most CPU.
Miners disguised as browser plugins
Another type of miner is the browser plugin (extension). Here a well-known extension with mining code built into it is used, or attackers create and promote a malicious extension with a name similar to that of a popular one.
An example is Tool.BtcMine.1046 (Dr.Web's name for it): the SafeBrowse extension for Google Chrome was turned into a miner for a range of cryptocurrencies, including Monero, Dashcoin and DarkNetCoin.
Or the older Trojan.BtcMine.221, designed for mining Litecoin. It was distributed from several attacker-owned websites under the guise of various applications, for example a browser add-on that supposedly helps choose goods when shopping online.
And finally, the most fashionable option: scripts on the site itself. It has been noted repeatedly that the income from this technique is small, yet more and more sites join the race for cryptocurrency. Notable examples include a miner that ran in an invisible pop-under window hidden behind the Windows taskbar, so that it kept mining after the visible browser window was closed, and malware that replaced the contents of inactive browser tabs.