HEUR:Trojan.AndroidOS – what kind of malware it is and how to remove it


Computer security matters to every user, whatever the PC is used for, but those who keep financial data on it need to be especially careful about protecting personal information and keeping the machine working correctly. Otherwise they may end up facing a cryptocurrency miner Trojan, commonly called the bitcoin miner virus. It causes real trouble and a lot of worry, so even those who have not yet run into it should know in advance how to find and remove a miner.

It is worth getting to know the threat before you meet it, so that you know what to do once a Trojan has been identified. That shortens the time needed to clean infected equipment and reduces the damage.

What is a miner virus?

Despite the telling name, which links the malware to cryptocurrencies, almost any user can become a victim, including those who have nothing to do with virtual money and have never thought of buying any.

The name refers not to the victims but to the Trojan's behaviour.

Once it infects a computer, it uses the machine's spare processing power to mine cryptocurrency for the malware's operator.

As a result the computer becomes one node in a large distributed mining operation. The profits go not to the owners of the equipment but to the creators of the malware.

The main problem victims notice is that the PC constantly freezes or slows down: the available resources are spent on mining, and other programs cannot run normally.

Theft of data is also possible, although it is less common, because the main goal of this malware is different. That does not mean passwords, codes and personal information are safe: they may have been collected for later use.

How does infection occur?

Infection with a miner is no different from infection with other malware. Careless users follow unverified links, download programs from unfamiliar sources and visit dangerous sites. Most often it reaches computers and laptops:

  • through links and files sent in messengers such as Skype;
  • through torrent clients and trackers, bundled with pirated downloads or fake updates;
  • through email attachments and links;
  • through unfamiliar links on social networks.

As a rule it cannot be detected immediately after it lands on the PC: it takes time to unpack its components, establish itself in the system and take over the free resources. By the time it is discovered, cleaning up can already be quite difficult.

Because a Trojan can turn up almost anywhere, there is no single answer to which sites and activities to avoid. You can become a victim even if you take precautions.

What kind of viruses are these?

HEUR:Trojan is the label under which Kaspersky products report Trojans caught by heuristic analysis: the HEUR: prefix means the verdict comes from behaviour- or pattern-based rules rather than an exact signature match, and the suffix (AndroidOS, Win32, Script and so on) names the platform. The Trojans reported this way on Android and Windows are among the most dangerous modern malware, with broad functionality and deep system penetration, and therefore an increased level of threat to the user.


[Screenshot: HEUR:Trojan.AndroidOS detection reported by Kaspersky]

This malware embeds itself in the system files of a smartphone or PC, spreads quickly by dropping further components, and can masquerade as ordinary files, processes and harmless applications.

Unfortunately, because malware keeps evolving, antivirus software cannot always warn the owner about a downloaded file or a visited page, which is how such infections spread. Modern systems separate ordinary user rights from Administrator (root) rights, but malware can get past this barrier, either through a vulnerability or by tricking the user into granting the permissions it asks for.

Common capabilities of HEUR:Trojan include:

  • Sending SMS to premium-rate numbers and confirming paid subscriptions, draining the account balance.
  • Theft of personal data, including passwords for financial services and bank card numbers, with everything that implies.
  • Injecting into online banking apps and electronic wallets to transfer funds to third-party accounts unnoticed.

That sounds frightening, but the good news is that this variety of malware is already recognised by most antivirus products: Kaspersky, ESET NOD32, Dr.Web, Avast and others.

Sberbank Online's built-in protection, for example, already detects an intrusion attempt when you log in and offers to remove the malware. Do not celebrate too early, though: that removal does not necessarily destroy the malware completely.


[Screenshot: Trojan.AndroidOS detection reported by Sberbank Online]

What viruses are there?

As for how the malware gets in, it is simple: ordinary carelessness online.

  • Downloading pirated games and other APK files to a smartphone from third-party sites.
  • Visiting dubious websites full of pictures, GIFs and hyperlinks, where a stray click can start a download in the background.
  • Exchanging files with already infected users via Bluetooth, cloud services and the like.
  • Following links in spam sent by email or SMS.

Common variants of HEUR:Trojan include:

  • AndroidOS.Agent.EB and AndroidOS.Boogr.Gsh – install a component that injects advertising into all other applications; used for monetisation through ad impressions.
  • Downloader.AndroidOS.Agent – an SMS Trojan used for paid subscriptions and for sending messages to premium-rate numbers.
  • Script.Generic.Miner.Gen – a generic verdict for web scripts that mine cryptocurrency in the visitor's browser; the pages carrying it often also resell traffic and redirect downloads, and both the machine and the connection slow down noticeably.

There is also a Win32.Generic verdict: a Windows file flagged as suspicious by heuristics rather than by an exact signature. It can even cover legitimate applications whose code contains routines that track or intercept information, so a Generic verdict calls for checking the file, not deleting it blindly.

How to find a miner virus?

The main sign of a miner is freezing and slow operation of the system, because, as noted above, it consumes all available resources. Such problems are not always caused by malware, though, so the next step to confirm or rule out a Trojan is to check the running processes.

To find a suspicious process, open Task Manager (on Windows press Ctrl, Shift and Esc together) and examine the running processes carefully.

If you see an unfamiliar program that uses a lot of memory and keeps the processor heavily loaded, treat it as a warning sign.

If the process you found does not dispel your doubts, note its name, the path it runs from and its network connections, and look up a description on the Internet. The answer will not take long, and then the user has to decide how to deal with the problem.
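The manual process check above can be turned into a repeatable triage. The following Python script is an added example, not code from the original article: it scores every process in a snapshot against a handful of miner indicators (high CPU, a pool URL or miner flags on the command line, a connection to a typical mining-pool port, and a system process name running from the wrong directory). The process records are constructed, and the indicator lists are assumptions to adapt locally; on a live machine you would fill the records from Task Manager, Process Explorer or a process-listing library.

```python
"""Triage a process snapshot for cryptominer indicators.

Added example, not code from the original article. The process records in
SAMPLE are constructed, not captured from a real machine, and the indicator
lists are assumptions drawn from commonly reported miner behaviour: tune them
to your environment.
"""
from dataclasses import dataclass
from typing import List, Tuple

# TCP ports commonly used by public mining pools (assumption, not exhaustive).
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444, 14433, 45700}

# Substrings seen on miner command lines (assumption, not exhaustive).
CMDLINE_INDICATORS = (
    "stratum+tcp://", "stratum+ssl://", "--donate-level", "--algo=", "--coin=",
    "-o pool", "--cpu-max-threads-hint", "xmrig", "cpuminer", "minerd",
)

# System process names miners like to borrow, and the only directories
# (lower-cased) where the genuine Windows binaries live.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "conhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str                           # full path of the executable on disk
    cmdline: str                        # command line it was started with
    cpu_pct: float                      # CPU share in this snapshot
    remote_ports: Tuple[int, ...] = ()  # remote TCP ports of its connections


def triage(proc: Proc, cpu_threshold: float = 60.0) -> List[str]:
    """Return the names of the indicators that fire for one process."""
    hits = []
    if proc.cpu_pct >= cpu_threshold:
        hits.append("high_cpu")                 # weak alone: games do this too
    if any(ind in proc.cmdline.lower() for ind in CMDLINE_INDICATORS):
        hits.append("miner_cmdline")            # strong: pool URL or miner flags
    if set(proc.remote_ports) & POOL_PORTS:
        hits.append("pool_port")                # medium: 3333/4444/14444 etc.
    if proc.name.lower() in SYSTEM_NAMES and not any(
            proc.path.lower().startswith(d) for d in SYSTEM_DIRS):
        hits.append("system_name_wrong_path")   # strong: svchost.exe in AppData
    return hits


def suspicious(procs: List[Proc], min_hits: int = 2) -> List[Tuple[int, List[str]]]:
    """Processes with at least min_hits indicators, worst first.

    One weak indicator (high CPU alone) is deliberately not enough, so a game
    or a video encoder is not reported; two or more deserve a closer look.
    """
    scored = [(p.pid, triage(p)) for p in procs]
    flagged = [(pid, hits) for pid, hits in scored if len(hits) >= min_hits]
    return sorted(flagged, key=lambda item: -len(item[1]))


# Constructed sample snapshot (not captured from a real machine).
SAMPLE = [
    Proc(1204, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         "svchost.exe -k netsvcs", 72.0, (443,)),             # Windows Update busy
    Proc(5180, "game.exe", r"C:\Games\game.exe", "game.exe", 88.0, (443,)),
    Proc(6632, "svchost.exe", r"C:\Users\user\AppData\Roaming\Intel\svchost.exe",
         "svchost.exe -o stratum+tcp://pool.example.net:3333 -u WALLET_ADDRESS "
         "--donate-level=1", 96.0, (3333,)),                   # the miner
    Proc(2440, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "chrome.exe --type=renderer", 81.0, (443,)),          # possibly a mining page
]

if __name__ == "__main__":
    for pid, hits in suspicious(SAMPLE):
        print(pid, ", ".join(hits))
```

In the sample only the fake svchost.exe in AppData fires more than one indicator; the busy Windows service, the game and the browser tab each trip only the CPU check and stay out of the report. A snapshot shows one moment, so repeat it a few times over several minutes before acting on the CPU indicator, and treat a browser process that is pegged as a cue to check the open pages rather than the binary.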


How to deal with miners

In the browser

  1. Go to https://cryptojackingtest.com/, which checks whether your browser is protected. The test is free, but the result is not always correct.
      • Green YOU'RE PROTECTED – your browser is protected.
      • Red YOU'RE NOT PROTECTED – your browser is vulnerable.
  2. Use a browser with built-in mining protection. Opera and Yandex.Browser have such a feature.
  3. Disable JavaScript in your browser. This is a radical solution, because many sites need JavaScript to work properly.
      Chrome: “Settings” – “Advanced” – “Content settings” – “JavaScript” – move the switch to “Blocked” (in current versions: “Settings” – “Privacy and security” – “Site settings” – “JavaScript”).
      Firefox: the “Use JavaScript” checkbox under “Content” no longer exists in current versions; open about:config and set javascript.enabled to false.
      Opera: “Settings” – “General settings” – “Advanced” – “Content” – uncheck “Enable JavaScript”.
  4. The Anti-Web Miner application. Download it from GitHub, install it and use it.
  5. Browser extensions: NoCoin, AntiMiner, MineControl, MineBlock and others.
  6. The AdBlock extension. Add the following filters:
      • ||coin-hive.com^$third-party
      • ||jsecoin.com^$third-party
      • ||miner.pr0gramm.com^
      • ||gus.host/coins.js$script
      • ||cnhv.co^
  7. The Malwarebytes application. The premium version blocks new miners in real time; the free one finds everything you caught earlier and moves it to quarantine.
  8. The hosts file. On Windows, edit the hosts file in C:\Windows\System32\drivers\etc\ with a text editor started as Administrator; on macOS run sudo nano /etc/hosts in the terminal.

At the end of the hosts file add the line 0.0.0.0 coin-hive.com: this stops the device connecting to the server that hosted the best-known mining script (the Coinhive service itself closed in 2019, but the entry does no harm and the technique works for any domain). Other domains known to distribute miners can be pointed at 0.0.0.0 in the same way:

  • 0.0.0.0 azvjudwr.info
  • 0.0.0.0 cnhv.co
  • 0.0.0.0 gus.host
  • 0.0.0.0 jroqvbvw.info
  • 0.0.0.0 jsecoin.com
  • 0.0.0.0 jyhfuqoh.info
  • 0.0.0.0 kdowqlpt.info
  • 0.0.0.0 listat.biz
  • 0.0.0.0 lmodr.biz
  • 0.0.0.0 mataharirama.xyz
  • 0.0.0.0 minecrunch.co
  • 0.0.0.0 minemytraffic.com
  • 0.0.0.0 miner.pr0gramm.com
  • 0.0.0.0 reasedoper.pw
  • 0.0.0.0 xbasfbno.info
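The hosts entries and the AdBlock filters above do not block the same thing, and the difference matters. The following Python script is an added example, not part of the original article: it merges the domain list into hosts-file text without creating duplicates and then checks requests against both mechanisms. The hosts-file content and the URLs are constructed (nothing on disk is touched), and the AdBlock matcher is a simplified reimplementation of the ||host^ and $third-party syntax, not the real filter engine.

```python
"""Blocking miner domains: hosts-file entries versus AdBlock-style rules.

Added example, not code from the original article. A hosts entry matches one
exact hostname; a ||domain^ rule also covers every subdomain. The hosts text
and URLs used here are constructed, and no real file is modified.
"""
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Domains listed in the article. 0.0.0.0 is unroutable, so a blocked request
# fails immediately instead of reaching a listener on 127.0.0.1.
MINER_DOMAINS = [
    "coin-hive.com", "azvjudwr.info", "cnhv.co", "gus.host", "jroqvbvw.info",
    "jsecoin.com", "jyhfuqoh.info", "kdowqlpt.info", "listat.biz", "lmodr.biz",
    "mataharirama.xyz", "minecrunch.co", "minemytraffic.com",
    "miner.pr0gramm.com", "reasedoper.pw", "xbasfbno.info",
]

# The filter rules from the list above.
ARTICLE_RULES = [
    "||coin-hive.com^$third-party", "||jsecoin.com^$third-party",
    "||miner.pr0gramm.com^", "||gus.host/coins.js$script", "||cnhv.co^",
]


def _sinkholed_names(hosts_text: str, sinkholes=("0.0.0.0",)) -> set:
    """Hostnames the hosts-file text already points at a sinkhole address.

    Add "127.0.0.1" to sinkholes if your list uses that form (but note that
    the stock "127.0.0.1 localhost" line would then count as well).
    """
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()      # strip comments, tokenise
        if len(fields) >= 2 and fields[0] in sinkholes:
            names.update(n.lower() for n in fields[1:])
    return names


def merge_into_hosts(hosts_text: str, domains: Iterable[str]) -> str:
    """Append 0.0.0.0 entries for domains not already present. Idempotent."""
    present = _sinkholed_names(hosts_text)
    new_lines = [f"0.0.0.0 {d}" for d in domains if d.lower() not in present]
    if not new_lines:
        return hosts_text
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    return hosts_text + "\n".join(new_lines) + "\n"


def hosts_blocks(hosts_text: str, hostname: str) -> bool:
    """True only for an exact name: the hosts file knows nothing about subdomains."""
    return hostname.lower().rstrip(".") in _sinkholed_names(hosts_text)


def adblock_matches(rule: str, url: str, page_host: Optional[str] = None) -> bool:
    """Simplified matcher for ||host/path^$options rules.

    Handles the || anchor (host or any subdomain), an optional path prefix,
    the ^ separator and the $third-party option; resource-type options such
    as $script are accepted and ignored. Real engines compare registrable
    domains (eTLD+1) for the third-party test; treating any subdomain
    relationship as first-party, as done here, is an approximation.
    """
    pattern, _, options = rule.partition("$")
    opts = set(options.split(",")) if options else set()
    if not pattern.startswith("||"):
        raise ValueError("only ||-anchored rules are handled")
    rule_host, _, rule_path = pattern[2:].rstrip("^").partition("/")
    rule_host = rule_host.lower()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != rule_host and not host.endswith("." + rule_host):
        return False
    if rule_path and not parts.path.startswith("/" + rule_path):
        return False
    if "third-party" in opts and page_host:
        ph = page_host.lower()
        if host == ph or host.endswith("." + ph) or ph.endswith("." + host):
            return False                            # first-party load: rule does not apply
    return True


def blocked_by_rules(url: str, page_host: Optional[str] = None,
                     rules: Optional[List[str]] = None) -> bool:
    return any(adblock_matches(r, url, page_host) for r in (rules or ARTICLE_RULES))


if __name__ == "__main__":
    # Constructed starting hosts file, as on a fresh Windows install.
    hosts = merge_into_hosts("# stock header\n127.0.0.1 localhost\n", MINER_DOMAINS)
    print(hosts_blocks(hosts, "coin-hive.com"))       # True
    print(hosts_blocks(hosts, "www.coin-hive.com"))   # False: subdomain not covered
    print(blocked_by_rules("https://www.coin-hive.com/lib/coinhive.min.js",
                           page_host="news.example"))  # True
```

The point the demo makes: 0.0.0.0 coin-hive.com stops a request to coin-hive.com but not to www.coin-hive.com or any other subdomain, whereas ||coin-hive.com^ covers them all. If you rely on the hosts file, add every subdomain you actually see in the page source or the browser's network log, and keep the extension rule as the broader net.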

On a PC (outside the browser)

  1. The Malwarebytes application already mentioned.
  2. An antivirus with a fresh database. For Windows users: the standard Windows Defender most often did not block the popular Coinhive script, so it is worth installing something more reliable as well.
  3. Run Task Manager in Windows or another resource monitor (AIDA64, AnVir Task Manager or similar). On macOS open “Applications” – “Utilities” – “Activity Monitor”. If the load rises sharply and stays high even when only Notes, Calculator and the monitor itself are open, end the processes that are consuming too many resources, then clean everything with the antivirus and Malwarebytes.
  4. TDSSKiller helps remove rootkits that hide the traces of a miner in the system.
  5. The AVZ utility. Download it, update the database and click “Explore system”. You get a file avz_sysinfo.htm, which you can post on the Kaspersky Lab forum and ask for help; if you are lucky, they will help you write a script that disarms the miner. Before that, though, do everything described above.

On a smartphone

  1. First of all, do not install applications that promise crazy money from mining on a smartphone, or other suspicious applications, especially from shady sites. Replacing the battery or paying a repair shop costs more than you could ever mine.
  2. Against browser mining, use browser extensions or a browser with anti-mining protection.
  3. Install a reliable antivirus and update its database regularly.
  4. Watch the load on the phone's resources.
      iOS: “Settings” – “Battery”.
      Android: “Settings” – “Battery” – “Battery usage”.

If you see processes and applications consuming more than they should, remove them without hesitation.

How to remove a miner virus from a computer?

Having understood why a miner is dangerous and how to detect it, you can move on to removing it. The first thing a PC owner should do is save the information and files they need, copying them in advance to a USB flash drive or, if the volume is too large, to an external hard disk. If your Internet speed allows, cloud storage will do as well.

Next, install an antivirus with current definitions and run a full scan. Good modern products usually identify the dangerous files without difficulty and delete them.

In some cases this affects the operation of individual applications, but the security of the system and of personal information matters more, and the most valuable files have already been copied to separate media.

When you copy them back later, check the saved files carefully for threats. That is the only way to avoid reinfection.

Viruses for mining on computers

The goal of this type of malware is to make your computer part of a botnet that pools the power of relatively weak devices for mining and other tasks. This pays twice over: the attackers do not need to buy expensive mining rigs or graphics cards, and they do not pay for the electricity either.

Attackers often use legitimate, openly available mining software. They install it without the owner's knowledge, hide its activity and point it at their own wallet for the mined coins.

The miner usually reaches the computer through a dropper, which is often bundled into pirated copies of popular programs or activation key generators. When the file is run, an installer lands on the victim's computer and in turn downloads the miner itself plus a utility to disguise it in the system.

The kit often also includes tools for autorunning the malware and configuring its operation. These services can pause the miner when the user launches a game or another resource-intensive application, so that the miner does not give itself away and stays on the victim's computer as long as possible.

Modern miners can also restore themselves after removal, stop the antivirus, monitor system activity and mine only during periods of low load.
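The pause-on-load behaviour described above is itself a detectable pattern. The following Python script is an added example, not the article's or any product's code: it takes a per-process CPU trace annotated with whether the user was running a heavy application, and flags a process that is pegged while the machine is idle yet goes quiet when the user is busy. The traces are constructed, and the thresholds (60 % for five consecutive idle samples, a 40-point drop) are assumptions to tune against your own baseline.

```python
"""Spotting a miner that hides behind the user's own workload.

Added example, not from the original article. A miner that pauses when a
game or other heavy program runs shows an inverse pattern: its own CPU use is
high while the machine is otherwise idle and drops when the user is busy.
The traces below are constructed; in practice you would sample a suspect
process once a minute over an hour or more.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Tuple


@dataclass(frozen=True)
class Sample:
    minute: int
    proc_cpu: float     # CPU share of the suspect process alone
    user_busy: bool     # a heavy foreground app (game, encoder, build) is running


def split_by_activity(samples: List[Sample]) -> Tuple[List[float], List[float]]:
    idle = [s.proc_cpu for s in samples if not s.user_busy]
    busy = [s.proc_cpu for s in samples if s.user_busy]
    return idle, busy


def longest_high_run(samples: List[Sample], threshold: float) -> int:
    """Longest run of consecutive idle-time samples at or above threshold."""
    best = run = 0
    for s in samples:
        if not s.user_busy and s.proc_cpu >= threshold:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def throttling_miner_score(samples: List[Sample], high: float = 60.0,
                           min_run: int = 5, min_drop: float = 40.0) -> dict:
    """Heuristic verdict for one process.

    Flags when (a) the process sits above `high` % for at least `min_run`
    consecutive idle samples and (b) its median use while the user is busy is
    at least `min_drop` points below its median while idle. Either condition
    alone is normal: a render job satisfies (a) but not (b); a build the user
    started is the mirror image of (b).
    """
    idle, busy = split_by_activity(samples)
    if not idle or not busy:
        return {"verdict": "insufficient_data", "idle_median": None, "busy_median": None}
    idle_med, busy_med = median(idle), median(busy)
    sustained = longest_high_run(samples, high) >= min_run
    drop = idle_med - busy_med
    verdict = "throttling_miner" if sustained and drop >= min_drop else "normal"
    return {"verdict": verdict, "idle_median": idle_med, "busy_median": busy_med,
            "sustained_idle_load": sustained, "drop": drop}


def constructed_samples(kind: str) -> List[Sample]:
    """Three constructed 30-minute traces; the user plays a game from minute 10 to 19."""
    out = []
    for m in range(30):
        busy = 10 <= m < 20
        if kind == "miner":             # pauses itself while the game runs
            cpu = 1.0 if busy else 93.0 + (m % 3)
        elif kind == "render_job":      # legitimately pegged the whole time
            cpu = 90.0
        else:                           # the game itself: high only when busy
            cpu = 85.0 if busy else 0.0
        out.append(Sample(m, cpu, busy))
    return out


if __name__ == "__main__":
    for kind in ("miner", "render_job", "game"):
        print(kind, throttling_miner_score(constructed_samples(kind))["verdict"])
```

Only the first trace is flagged: the render job stays high regardless of what the user does, and the game is high only while the user is busy. The heuristic needs both idle and busy periods in the trace, so collect it over a realistic session rather than a few minutes, and pair it with the command-line and path checks from the process triage above before deleting anything.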

Bitcoin miner virus: how to treat?

If every attempt to clean the computer with a modern antivirus has failed, one of four remaining approaches is left:

  1. entrust the equipment to a professional;
  2. use system restore;
  3. reinstall the operating system;
  4. find and remove the Trojan manually.

The first option practically guarantees a result, but it costs money and is sometimes very inconvenient.

The second works only if the user created restore points in good time. Without them there is nothing to roll back to, and since a miner with a persistence component can survive a restore, scan the system again afterwards.

The third wipes all unsaved information and means reinstalling not just the operating system but every program the PC owner used.

The last is for experienced users only. It requires knowing the exact name of the malicious file and being able to boot the computer into safe mode; there is no single key combination for that, as it depends on the hardware manufacturer.

A further disadvantage of this approach is the time spent hunting down every dangerous file.

What should you do after treatment?

Having dealt with the miner, take care of the system's security. First make sure the trouble is really over and the malware has been removed completely. Then start changing passwords, above all for email and for important sites that hold confidential information, including electronic wallets. This stops attackers from using stolen credentials to take personal data or reach your money.

It will not hurt to install an antivirus if you have not already done so, and to keep it up to date so that no new dangerous program becomes a source of fresh trouble.

Once security and passwords are sorted out, you can bring the saved files back.

But, to repeat, check them carefully before copying them onto the hard disk: otherwise they can reintroduce a virus that was only just removed. Knowing how dangerous a miner is and what kind of malware it is, do not repeat the mistakes that let it in.

Where can you get the virus?

The most common cause of infection is ordinary carelessness:

  1. Downloading unlicensed games, and media and audio files, from dubious sites.
  2. Visiting sites stuffed with pictures, GIF animations and links of the kind spread as spam in email inboxes. Catching a virus there is child's play: one click on the wrong button and it is running.
  3. Transferring files between users when one of them is already infected.
  4. Clicking suspicious links in SMS messages or emails.

The most common Trojans:

  • AndroidOS.Agent.EB and AndroidOS.Boogr.Gsh install a component that injects advertising into all third-party applications.
  • Downloader.AndroidOS.Agent spreads via SMS and is used to sign the victim up to paid subscriptions on premium-rate numbers.
  • Script.Generic.Miner.Gen runs mining code in the browser and is found alongside scripts that resell traffic, download files and redirect to attacker-chosen addresses.
  • Win32.Generic is a heuristic verdict for a suspicious file; it can also cover legitimate applications in which tracking routines are found.

Precautionary measures

The Trojan described here is only one prominent representative of mining malware. Such programs appear with enviable regularity, so it is impossible to describe each one, but that does not make them any less dangerous. To avoid becoming the victim of an attack, take care of protection in advance. To do this you need to:

  • install a good antivirus and keep it updated;
  • create restore points and keep them current (see the articles on how to create them);
  • not visit dubious sites and not download strange, unknown files from unfamiliar sources;
  • keep track of installed programs;
  • update software promptly;
  • not keep important logins and passwords in the browser or in plain files, where an infostealer can read them (a password manager, or a note kept in a safe place, is safer);
  • not share personal information and passwords with strangers.

Remember that security is each user's own responsibility, and the most reliable way to avoid trouble is to watch what you do and think before acting.

Handling money does not tolerate a careless, frivolous attitude.

Such behaviour can become a source of serious difficulties and even financial losses. In extreme cases everything can be fixed by simply repairing the equipment, but even that means a lot of worry and unexpected expense.

SpeedFan setup

In this article we will talk about cooling your computer effectively.

Are you familiar with the problem of your computer overheating?

For heat exchange between the components in your system to be more efficient, you simply need to take a few preventive steps.

First, let's see which programs can be used to monitor the main temperatures of your components.

I recommend the free PC Wizard 2010 program. The Russian-language interface is also a plus.

After opening the program, go to the hardware section and click the icon that looks like a voltmeter. Now let's look at what the individual lines mean.

The Temperatures group (SYSTIN, CPUTIN, AUXTIN) shows temperatures inside the case; CPUTIN is the overall temperature of the central processor.

Next comes the speed reading for our CPU fan, CPUFAN: 1875 rpm (revolutions per minute).

If no RPM value is displayed, the fan is most likely faulty and needs replacing. Otherwise unstable fan operation will make the CPU overheat and reduce the computer's performance, and if the fan does not spin at all the processor can be damaged.

I myself had a situation where the fan seemed to be working but stopped from time to time, so watch out for this.

Next come the temperatures for Core 1 and Core 2 (if you have a multi-core processor).

At idle (when no heavy programs or games are running) the temperature should be around 40-60 degrees. If it is higher, you have a cooling problem, because under load on the central processor it will rise further.

This can happen because of an ineffective cooler, badly applied thermal paste or dusty heatsinks.

A heatsink and a fan cool the processor and the graphics chip. Thermal paste is applied between the chip and the heatsink surface for effective heat transfer; the heatsink spreads the heat over its area, and the fan brings in fresh air.

Don't let your computer get into this state:

[Photo: a dust-clogged cooler]

Clean it with a brush that does not shed bristles. It is better not to use a vacuum cleaner, especially if you have never done this before: you might accidentally damage something.

Thermal paste also dries out over time and needs replacing, about once every six months to a year. It can be removed from the CPU easily, for example with cotton wool.

It is harder with a GPU. Those usually use so-called thermal pads, which harden over time and lose their heat-conducting properties. Do not just rip them off, or you will damage the surface of the chip. I used nail polish remover, for example; it removes the old pad material very well.

On the topic of the processor, you can watch this video: [video embedded here in the original page]

Next you can see the temperature of the video card. In this case it is a GeForce 9800GT: 42 degrees on the chip and 41 degrees on the printed circuit board itself.

Everything depends on the card you have. If it is a top-end, expensive model, the idle temperature can reach 60-70 degrees, and that is normal.
