7

My Kaspersky Internet Security said it detects a trojan at (do not go to the link below, my KIS said it's a trojan):

https:// coinhive.com/lib/coinhive.min.js

The Trojan name is Trojan.JS.Miner.d.

When I see this trojan, I have to monkey around with KIS so I'm so scared that this Trojan may infect my PC now. I want to know what this trojan is, and can I check if my PC is infected with this trojan or not?

schroeder
123iamking

3 Answers

16

This is neither a virus nor a trojan, and it does not make the site unsafe to visit in any way whatsoever. Your antivirus package is crying wolf.

Coinhive is a JavaScript plugin which implements a cryptocurrency miner. While you view a web site which uses this script, your browser will perform calculations to mine cryptocurrency for the owner of the web site.

Some users find this script annoying and inappropriate, as it will increase CPU usage (and, hence, power consumption) on your web browser while you have the web site open. However, this will end as soon as you leave the site.

  • But what about this article: https://malwaretips.com/blogs/remove-coinhive-miner-virus/ . I can see the danger of this malware. – 123iamking Oct 01 '17 at 04:22
  • And I also want to know where it stores the trojan on my PC? Is it hidden somewhere on the hard disk? – 123iamking Oct 01 '17 at 04:23
  • The article is (possibly intentionally) confusing. While it's _possible_ that Coinhive is being injected by a browser extension or other local software, it's much more likely that it's simply installed on a site you visited. If this is the case (it probably is), no software was ever installed on your computer. –  Oct 01 '17 at 04:54
  • The point is: if the Administrator of the Site installed Coinhive on his site, it's OK. If you install it on your site, it's OK. If one of these two is not given, it is their problem. So in short: if you haven't installed some kind of Coinhive miner in your browser but an add-on loads it, you are infected. If the Website has a Miner but the Administrator didn't install it, it was hacked. – Serverfrog Oct 13 '17 at 11:28
  • One other hint: many Antivirus Companies will show this because of two things: first, it can be bad if a third party installs it (it will consume your power), and the other thing is: you won't buy an antivirus solution which doesn't tell you sometimes that it found something – Serverfrog Oct 13 '17 at 11:30
  • How is a miner that performs illegal harvesting of your computer not a virus? – Overmind Dec 08 '17 at 10:43
  • @Overmind define "virus" in this instance. PUPs (potentially unwanted programs) != viruses. You also assume illegality. And these do not "harvest" a computer, even if unwanted. – schroeder Dec 08 '17 at 12:00
  • @Overmind Is an annoying flash animation on a website that increases my cpu usage a virus? – Tom K. Dec 08 '17 at 12:01
  • Nothing "potentially" about it. – Overmind Dec 08 '17 at 12:47
  • Of course it's potentially. Some people don't mind "paying" for a service with some processing time. Especially when the mining replaces annoying ads and is configured to not use all resources. – Malte Köhrer Dec 14 '17 at 12:21
  • It's not a virus, but it's malware. Even though it doesn't damage the machine on which it runs, it indirectly damages the user by **stealing** energy for profit and slowing down everything else. Antiviruses are called like that because in the old days the only concern was about viruses, but they really should flag and block different kinds of malware, including miners. – Andrea Lazzarotto Jan 27 '18 at 17:42
  • @AndreaLazzarotto I'd be hesitant to use the term "malware". That still has some implication that it's resident on the end user's computer, which this software isn't. If a web site operator had a coin miner installed on their web site without permission, though, that might make it malware from their perspective. –  Jan 27 '18 at 18:27
  • @duskwuff I tend to disagree. According to Wikipedia (citing the US CERT) malware “can take the form of executable code, scripts, active content, and other software.” I personally would not consider a hard requirement that the script is permanently resident on the end user's client. – Andrea Lazzarotto Jan 27 '18 at 18:43
5

The article is clear enough-- it is a JS library that mines Monero (cryptocurrency).

On legitimate sites, it's innocuous but annoying. But it has been bundled with (and thereby associated with) more than a few types of browser malware that force it to run on all sites and send the money back to the sole executor, which is why the AV is flagging it as bad-- thanks to AV logic, a hammer is just a tool until it's used in a murder, then going forward it assumes all hammers are murder implements.

The fact that your AV picked it up over the wire from its original source indicates this is likely a false positive. If it had found it buried in some app-data folder somewhere you should be concerned.

Kyle Piira
Ivan
  • "If all you have is a hammer, you see all problems as nails". Now it is "if you see a murderous hammer, all hammers are murderers" – schroeder Dec 08 '17 at 10:47
  • minor (pun intended) note: it mines monero, not bitcoin – not22 Dec 08 '17 at 17:39
  • It appears in my Safari cache. Does this mean that it's been running in the browser continuously? – aris Feb 01 '18 at 22:25
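
The distinction drawn in the answer above (a copy seen over the wire or sitting in a browser cache versus one found in an extension or app-data folder) can be checked with a small file triage. This is an added example, not part of the original posts; the path hints are hypothetical and the `CoinHive.Anonymous` / `CoinHive.User` loader names are assumed from Coinhive's public documentation.

```javascript
const fs = require('fs');
const path = require('path');

// Indicators: the library URL from the question, plus loader constructor
// names (CoinHive.Anonymous / CoinHive.User) assumed from Coinhive's docs.
const INDICATORS = [
  /coinhive\.com\/lib\/coinhive\.min\.js/i,
  /\bCoinHive\.(Anonymous|User)\s*\(/,
];
// Hypothetical, non-exhaustive path hints; adjust to the browser's profile layout.
const EXTENSION_HINTS = ['extensions', 'addons'];
const CACHE_HINTS = ['cache'];

function referencesMiner(text) {
  return INDICATORS.some((re) => re.test(text));
}

// The verdict depends on where the reference lives, not only on the match.
function triage(filePath, text) {
  if (!referencesMiner(text)) return 'clean';
  const parts = filePath.toLowerCase().split(/[\\/]+/);
  const under = (hints) => parts.some((p) => hints.some((h) => p.includes(h)));
  if (under(EXTENSION_HINTS)) return 'investigate-extension'; // injected locally
  if (under(CACHE_HINTS)) return 'cached-from-site';          // fetched while browsing
  return 'investigate-local-file';                            // e.g. an app-data folder
}

// Walk a directory tree and return every file whose verdict is not 'clean'.
function scanTree(root, maxBytes = 2 * 1024 * 1024) {
  const findings = [];
  let entries = [];
  try { entries = fs.readdirSync(root, { withFileTypes: true }); } catch (e) { return findings; }
  for (const entry of entries) {
    const full = path.join(root, entry.name);
    if (entry.isDirectory()) {
      findings.push(...scanTree(full, maxBytes));
    } else if (entry.isFile() && fs.statSync(full).size <= maxBytes) {
      const verdict = triage(full, fs.readFileSync(full, 'latin1'));
      if (verdict !== 'clean') findings.push({ file: full, verdict });
    }
  }
  return findings;
}

// Constructed samples (not real files): the same reference in three locations.
const TAG = '<script src="https://coinhive.com/lib/coinhive.min.js"></script>';
const SAMPLES = [
  ['Profile/Cache/f_0001', TAG],
  ['Profile/Extensions/abcdef/inject.js', "new CoinHive.Anonymous('SITE_KEY').start();"],
  ['AppData/Roaming/updater/page.html', TAG],
  ['Profile/Cache/f_0002', '<p>An article that mentions coin mining</p>'],
];
const sampleVerdicts = () => SAMPLES.map(([p, t]) => triage(p, t));
```

A `cached-from-site` hit only shows the script was downloaded at some point; the `investigate-*` verdicts are the ones that point at something stored or injected locally.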
1

There are many articles that talk about JavaScript miners, i.e. Monero coin-hive.

All cryptocurrency miners are harmless UNLESS it is NOT running with user consent.

There are countless malware out there packed with legitimate miners, so for any antivirus, it is common sense to flag them, since users will complain that the AV is "not doing its job" when the system slows down or overheats!

(update) By the way, I don't think any organisation wants a lurking miner in their network. Well, unless their sole business is mining cryptocurrency blockchain.

mootmoot
  • They all run without user consent. I have rarely seen sites that notify you of a coin miner. Yet they're harmless (regular sites with a coinminer). – EpicKip Dec 08 '17 at 12:42