URL:
hxxp://btcguild.com:8332/
hxxp://btcguild.com:8332 -u chakan_1 -p 123
hxxp://btcguild.com:8332 -u graskla_1 -p 123
DATA:
POST / HTTP/1.1
Authorization: Basic Y2hha2FuXzE6MTIz
Content-Length: 43
User-Agent: Ufasoft bitcoin-miner/0.20 (Windows NT XP 5.1.2600 Service Pack 3)
Host: btcguild.com:8332
Cache-Control: no-cache
{"method": "getwork", "params": [], "id":0}
Actions Detected:
Creates autorun records
Injects code into other processes
Patches system files
Samples:
hxxp://193.107.18.123/1.exe
hxxp://193.107.18.123/2.exe
Hosting info:
http://whois.domaintools.com/198.154.98.210