Title: MtGox_client.exe
Post by: jhfire on June 20, 2011, 06:06:23 AM
I did actually decompile it. Here is proof, as well as a thread the mods closed.
Thread:
Proof:

Title: Re: MtGox_client.exe
Post by: DamienBlack on June 20, 2011, 06:07:22 AM
Just so everyone is clear, this is a virus.

Title: Re: MtGox_client.exe
Post by: jhfire on June 20, 2011, 06:09:38 AM
Quote from DamienBlack: Just so everyone is clear, this is a virus.
I do understand this; I am experienced in the virus field. I wish to decompile it and find out more information about it. Can someone please download it and upload it? DON'T OPEN IT! A virus can only be harmful if you open it.

Title: Re: MtGox_client.exe
Post by: AnonymousBat on June 20, 2011, 06:16:55 AM
I'd love a copy to load up into IDA as well.

Title: Re: MtGox_client.exe
Post by: jhfire on June 20, 2011, 06:18:30 AM
Does anyone have a damn copy? Stop being a pussy and please upload it. If you can get me that file I can get the hacker.

Title: Re: MtGox_client.exe
Post by: GeniuSxBoY on June 20, 2011, 06:23:25 AM
"hay guiz, can som1 giv me teh v1rus so I can h3xedit mi acc0unt informashunz n2 it?"

Title: Re: MtGox_client.exe
Post by: jhfire on June 20, 2011, 06:24:22 AM
Quote from GeniuSxBoY: "hay guiz, can som1 giv me teh v1rus so I can h3xedit mi acc0unt informashunz n2 it?"
You hatin', son?

Title: Re: MtGox_client.exe
Post by: GeniuSxBoY on June 20, 2011, 06:26:01 AM
When you change the information and link it to your account, there will be some other noob that goes "haaay look!! I found th mt gox hax0r!!"

Title: Re: MtGox_client.exe
Post by: CYPER on June 20, 2011, 11:39:54 AM
I had a feeling this was a virus, but just out of sheer curiosity I first scanned it with MSE and then opened it. No antivirus detects it as a virus, so how can I clean myself?
I haven't started mining yet and have no coins in the wallet, but how would I make sure my machine is clean before I do?

Title: Re: MtGox_client.exe
Post by: just_someguy on June 20, 2011, 11:56:24 AM
Quote from CYPER: I had a feeling this was a virus, but just out of sheer curiosity I first scanned it with MSE and then opened it. No antivirus detects it as a virus, so how can I clean myself? I haven't started mining yet and have no coins in the wallet, but how would I make sure my machine is clean before I do?
Wow. It won't detect as a virus because it's brand new. You are infected. Maybe someone will reverse engineer it and you'll figure out how to clean it up at a later date. Until then your machine is compromised, and possibly every account you have accessed from it. Scrap the machine. Change the passwords to all your accounts.

Title: Re: MtGox_client.exe
Post by: 3txx on June 20, 2011, 11:57:50 AM
To first poster:
If you still need the file, please send me your email/trashmail/something via PM. I won't upload/download it. Greets

Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 20, 2011, 12:04:51 PM
Quote from jhfire: I do understand this; I am experienced in the virus field. I wish to decompile it and find out more information about it. Can someone please download it and upload it? DON'T OPEN IT! A virus can only be harmful if you open it.
https://rapidshare.com/files/4215500226/MtGox_client.zip
Warning, this file is a VIRUS. DO NOT RUN IT. Password: virus

Title: Re: MtGox_client.exe
Post by: CYPER on June 20, 2011, 12:11:44 PM
Quote from just_someguy: It won't detect as a virus because it's brand new. You are infected. Maybe someone will reverse engineer it and you'll figure out how to clean it up at a later date. Until then your machine is compromised, and possibly every account you have accessed from it. Scrap the machine. Change the passwords to all your accounts.
Wow. I just found out there is an executable called xXXCFEA.exe that has outgoing connections from my machine, and it disappears from the Task Manager list when I close Bitcoin.exe:

[xXXCFEA.exe] TCP 127.0.0.1:58531 Black:58530 ESTABLISHED
[xXXCFEA.exe] TCP 192.168.1.105:54354 giraffe:6667 ESTABLISHED
[bitcoin.exe] TCP 192.168.1.105:56397 www:https CLOSE_WAIT
[xXXCFEA.exe] TCP 192.168.1.105:59214 mx1:imap ESTABLISHED

It's located in C:\Users\CYPER\AppData\Local\Temp. I bet that's part of the virus. Do you think the virus is so sophisticated that it can extract all of my saved passwords from Firefox, for example?

Title: Re: MtGox_client.exe
Post by: just_someguy on June 20, 2011, 12:20:20 PM
Quote from CYPER: I bet that's part of the virus. Do you think the virus is so sophisticated that it can extract all of my saved passwords from Firefox, for example?
Assume it is. You need to wipe that machine and check anything else on your network.
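The listing CYPER posted is the kind of thing a first-pass triage script can flag automatically: an unfamiliar binary holding an outbound connection to an IRC port (6667), the same binary talking to a mail server, and an image living in the user's Temp directory. The script below is an added example written for this page, not code from the thread or from any of the tools named in it. The netstat lines are a constructed copy of the posted output; the image paths, the port lists and the list of "known mail clients" are assumptions for the example, since netstat itself does not print file paths.

```python
"""Triage a `netstat -b`-style listing for the pattern reported in the thread:
an unknown process, running from a Temp directory, with outbound IRC and
mail-port connections.  Added example; heuristics are assumptions."""
import re
from collections import defaultdict

# One connection per line, as `netstat -b` prints it with the owning process in brackets.
NETSTAT_LINE = re.compile(
    r"^\[(?P<proc>[^\]]+)\]\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)

# Service names netstat substitutes for well-known ports when run without -n.
SERVICE_PORTS = {"http": 80, "https": 443, "smtp": 25, "pop3": 110,
                 "imap": 143, "imaps": 993, "irc": 6667}
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}          # classic IRC C2 ports (assumed list)
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
KNOWN_MAIL_CLIENTS = {"thunderbird.exe", "outlook.exe"}     # assumed allow-list

# Constructed sample modelled on the listing CYPER posted.
SAMPLE_NETSTAT = """\
[xXXCFEA.exe] TCP 127.0.0.1:58531 Black:58530 ESTABLISHED
[xXXCFEA.exe] TCP 192.168.1.105:54354 giraffe:6667 ESTABLISHED
[bitcoin.exe] TCP 192.168.1.105:56397 www:https CLOSE_WAIT
[xXXCFEA.exe] TCP 192.168.1.105:59214 mx1:imap ESTABLISHED
"""
# Image paths are assumed; the Temp location is the one CYPER reported.
SAMPLE_IMAGE_PATHS = {
    "xXXCFEA.exe": r"C:\Users\CYPER\AppData\Local\Temp\xXXCFEA.exe",
    "bitcoin.exe": r"C:\Program Files\Bitcoin\bitcoin.exe",
}


def split_endpoint(endpoint):
    """'host:port' -> (host, port as int); resolves service names netstat may print."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port.lower())


def parse_netstat(text):
    """Parse the listing into dicts; lines that do not match the format are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if not m:
            continue
        lhost, lport = split_endpoint(m["local"])
        rhost, rport = split_endpoint(m["remote"])
        conns.append({"proc": m["proc"], "proto": m["proto"],
                      "lhost": lhost, "lport": lport,
                      "rhost": rhost, "rport": rport,
                      "state": m["state"] or ""})
    return conns


def triage(netstat_text, image_paths):
    """Return {process: [reasons]} for every process that trips a heuristic."""
    findings = defaultdict(set)
    for c in parse_netstat(netstat_text):
        proc = c["proc"]
        path = image_paths.get(proc, "").lower()
        if any(marker in path for marker in TEMP_MARKERS):
            findings[proc].add("image runs from a Temp directory")
        if c["rport"] in IRC_PORTS:
            findings[proc].add(f"outbound IRC-style connection to {c['rhost']}:{c['rport']}")
        if c["rport"] in MAIL_PORTS and proc.lower() not in KNOWN_MAIL_CLIENTS:
            findings[proc].add(f"non-mail client talking to mail port {c['rport']} on {c['rhost']}")
        if c["lhost"] == "127.0.0.1":
            findings[proc].add("loopback connection (process-to-process channel)")
    return {proc: sorted(reasons) for proc, reasons in findings.items()}


if __name__ == "__main__":
    for proc, reasons in triage(SAMPLE_NETSTAT, SAMPLE_IMAGE_PATHS).items():
        print(proc)
        for r in reasons:
            print("  -", r)
```

Run against the sample, only xXXCFEA.exe is reported; bitcoin.exe, which is only holding a half-closed HTTPS connection from a normal install path, is left alone. The heuristics are deliberately coarse: they are there to decide what to pull an image of, not to prove anything, which is why the thread's advice to treat the machine as compromised still stands.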
Title: Re: MtGox_client.exe
Post by: Man From The Future on June 20, 2011, 12:35:01 PM
http://www.virustotal.com/file-scan/report.html?id=b8e42f50c70c37967f5a89b556f732ba5e7f6d3a1e1a6d4dcd225f85ebf26963-1308572546
:( No detections

Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 20, 2011, 12:40:06 PM
Quote from Man From The Future: http://www.virustotal.com/file-scan/report.html?id=b8e42f50c70c37967f5a89b556f732ba5e7f6d3a1e1a6d4dcd225f85ebf26963-1308572546 :( No detections
As we've said, it's a new virus, so the AVs won't have a signature for it yet.

Title: Re: MtGox_client.exe
Post by: Man From The Future on June 20, 2011, 12:41:54 PM
Quote from SomeoneWeird: As we've said, it's a new virus, so the AVs won't have a signature for it yet.
Which means a bunch of Mt Gox users will now have it. Which is why I feel the need to use: :'( :'( :'( :'( :'(

Title: Re: MtGox_client.exe
Post by: bradminer on June 20, 2011, 12:46:10 PM
I think it is useful for all to upload this file to AV companies to update signatures as soon as possible.
I've a Gmail account, so their filters on .exe files blocked it... I think.

Title: Re: MtGox_client.exe
Post by: mandros on June 20, 2011, 01:08:34 PM
Quote: Anyone have this file? I wish to download it. Don't question my wanting; please, if you have the file, upload it to Mediafire. I wish to take a look at it.
Here you have it: http://www.megaupload.com/?d=VWNREX2X
It's zipped with password: virus
It's also renamed with extension .virus so no one can execute it by accident. I received it on my Yahoo email account and as of right now it still lets me download it without detecting it as a virus.

Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 20, 2011, 01:14:49 PM
Quote from mandros: Here you have it: http://www.megaupload.com/?d=VWNREX2X It's zipped with password: virus. It's also renamed with extension .virus so no one can execute it by accident.
I've posted it as well :)

Title: Re: MtGox_client.exe
Post by: Boing7898 on June 20, 2011, 01:19:59 PM
I got another malware called Bitcoin-exploit. If someone wants, I'll post it here.
It is an AutoIt script (thanks BinText).
Quote:
Dear Mt.Gox user,
There has recently been a private new Bitcoin exploit program released that duplicates transaction fee's from the previous thousands of transactions and sends the BTC to your address. We're well aware that many Mt. Gox users have lost their Bitcoins due to the security breaches on our website in the last few days, so we decided it would be fair for those users to recoup at least some of their losses:
You may check out the exploit here : URLOFINFECTEDSHIT
**Please read the enclosed tutorials prior to running the program for instructions.**
This is our way of apologizing to our users for the massive problems we've been experiencing as of late, including the users who have lost alot of BTC over the past few days
Thanks,
The Mt.Gox team
BIG EDIT: ON THE SAME SERVER THERE WAS SPYEYE!! SpyEye is a bot that STEALS CREDIT CARDS!! Clean your PC now if you don't want to get your credit card stolen.

Title: Re: MtGox_client.exe
Post by: mandros on June 20, 2011, 01:47:07 PM
Quote from SomeoneWeird: I've posted it as well :)
Oops, my fault. By the way, do you have any spare glasses? ;-)

Title: Re: MtGox_client.exe
Post by: netrin on June 21, 2011, 12:37:32 AM
Does this virus send bitcoins to an address, or just upload the entire wallet to an email address, or what? There are probably a bunch of variations out in the wild, but is there ONE address worth looking at in the block chain? URL?
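Boing7898 identified the second sample as an AutoIt script and recovered the phishing lure simply by running BinText over it, which is the cheapest form of static triage there is: pull every printable run out of the file, in both ASCII and the UTF-16LE form Windows programs store text in, and read them. The script below is an added example for this page, not BinText and not code from the thread. The sample blob is constructed inline (a fake header, filler bytes, the well-known "AU3!EA06" marker that AutoIt v3 compiled scripts carry, and the lure text from the post encoded as UTF-16LE); it is not the real Bitcoin-exploit binary, and the keyword list is an assumption for the example.

```python
"""Extract printable strings (ASCII and UTF-16LE, the way BinText does) from a
binary blob and look for the two things reported in the thread: the AutoIt
compiled-script marker and an embedded Mt.Gox lure.  Added example."""
import re


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, encoding, text) for every printable run of >= min_len chars.

    Wide strings are matched as printable byte + NUL byte pairs, which is how
    UTF-16LE text appears in Windows binaries; a run of plain printable bytes
    never satisfies that pattern and a wide string never satisfies the ASCII one,
    so each string is reported once."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


AUTOIT_MARKER = "AU3!EA06"                       # magic present in AutoIt v3 compiled scripts
LURE_KEYWORDS = ("mt.gox", "exploit", "transaction fee")   # assumed keyword list


def find_indicators(strings):
    """Summarise what the string dump says about the sample."""
    autoit = any(AUTOIT_MARKER in text for _, _, text in strings)
    lure = [text for _, _, text in strings
            if any(k in text.lower() for k in LURE_KEYWORDS)]
    return {"autoit_compiled": autoit, "lure_strings": lure}


# Constructed sample blob: NOT the real malware.  Filler bytes are non-printable
# so they never form strings of their own.
FILLER = b"\x00\x01\x02\x03\xff\xfe" * 20
LURE = ("Dear Mt.Gox user, There has recently been a private new Bitcoin exploit "
        "program released that duplicates transaction fee's from the previous "
        "thousands of transactions and sends the BTC to your address. You may "
        "check out the exploit here : URLOFINFECTEDSHIT")
SAMPLE_BINARY = (b"MZ\x90\x00" + FILLER
                 + AUTOIT_MARKER.encode("ascii") + FILLER
                 + LURE.encode("utf-16-le") + FILLER)


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BINARY)
    for off, enc, text in strs:
        print(f"{off:08x}  {enc:8s}  {text[:70]}")
    print(find_indicators(strs))
```

To use it on a real file, read it with `open(path, "rb").read()` and pass the bytes to `extract_strings`; `find_indicators` then tells you whether the AutoIt marker is present and echoes back whatever lure text was left in the clear. A packed or encrypted payload will defeat this, which is why an empty string dump is itself a finding.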
Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 12:55:02 AM
Quote from netrin: Does this virus send bitcoins to an address, or just upload the entire wallet to an email address, or what? There are probably a bunch of variations out in the wild, but is there ONE address worth looking at in the block chain? URL?
It doesn't steal anything; it is an HTTP RAT. Just means the hacker can control your computer through a website.

Title: Re: MtGox_client.exe
Post by: aceman1011 on June 21, 2011, 12:59:43 AM
Lol, I am quite experienced in the malware field.
Looks like some skids learned to use the leaked Zeus code and a crypter... I'll check this out in .NET Reflector and see if I can't reverse engineer this skiddy.

Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 01:04:48 AM
Quote from aceman1011: Lol, I am quite experienced in the malware field. Looks like some skids learned to use the leaked Zeus code and a crypter... I'll check this out in .NET Reflector and see if I can't reverse engineer this skiddy.
HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA
That is what I think about your statement. First, little kid, the file is written in C++ and uses port 80 to communicate with the site. I thought it was a stealer until I tracked the IP down to the site. I found the control panel and SQL injected it to find the username and password. It is an HTTP RAT and the control panel has 9k RATs. This is not Zeus, kid, and this is not a fucking crypter. It has crypted ST/RT and made a directory in C:\ under the name of win.bin or some shit like that. I already decompiled this virus and got everything out of it. I took down his site and now the game is over. You're too late; please take your kid shit somewhere else.
P.S. I like how you think saying "Zeus" and "Lol, I am quite experienced in the malware field." makes you some kind of god.
Edit: I made a thread about it and it got taken down by mods.

Title: Re: MtGox_client.exe
Post by: aceman1011 on June 21, 2011, 01:11:43 AM
Lol, you don't know crap. You first say it's a RAT, then a botnet. You claim to have used SQLi on a control panel with 9000 "rats." Hate to break it to ya, but it was probably uBot, Umbrella Loader, VertexNet, or Blackshades. You are full of BS, and yeah, you MUST crypt the output of HTTP; hexing won't work on it. It wouldn't be FUD for a day. GTFO. You're so l33t! Wow, you know what scantime and runtime mean...

Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 01:15:20 AM
Quote from aceman1011: Lol, you don't know crap. You first say it's a RAT, then a botnet. You claim to have used SQLi on a control panel with 9000 "rats." Hate to break it to ya, but it was probably uBot, Umbrella Loader, VertexNet, or Blackshades. You are full of BS, and yeah, you MUST crypt the output of HTTP; hexing won't work on it. It wouldn't be FUD for a day. GTFO. You're so l33t! Wow, you know what scantime and runtime mean...
Okay, kid. Here is a screenshot of the old thread from yesterday that the mods closed down. Now, you GTFO, kid.
Thread:
Proof:
You were saying, dick?

Title: Re: MtGox_client.exe
Post by: aceman1011 on June 21, 2011, 01:20:34 AM
Quote from jhfire: Okay, kid. Here is a screenshot of the old thread from yesterday that the mods closed down. Now, you GTFO, kid. Thread: Proof: You were saying, dick?

Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 01:22:08 AM
Quote from aceman1011: Hate to break it to ya, but it was probably uBot, Umbrella Loader, VertexNet, or Blackshades.
Actually VertexNet does work. I'm using it as of right now to see what it is all about. I even tested it on myself.
Kid, you really need to start testing and learning.

Title: Re: MtGox_client.exe
Post by: aceman1011 on June 21, 2011, 01:27:32 AM
I have. I added tons of vics on it but the commands suck and don't work. You on OpenWSC or HF?

Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 01:33:08 AM
Quote from aceman1011: I have. I added tons of vics on it but the commands suck and don't work. You on OpenWSC or HF?
I only use the VertexNet temp and then I move them to CG. I'm on both forums.

Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 21, 2011, 01:33:51 AM
Quote from jhfire: I only use the VertexNet temp and then I move them to CG. I'm on both forums.
Ok guys, take your hacker talk somewhere else.

Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 01:49:40 AM
Quote from SomeoneWeird: Ok guys, take your hacker talk somewhere else.
You know you like it ::).

Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 21, 2011, 01:50:57 AM
Quote from jhfire: You know you like it ::).
Maybe, but no offence, from what I've seen you are both skids. Go talk on HF.

Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 02:01:22 AM
Quote from SomeoneWeird: Maybe, but no offence, from what I've seen you are both skids. Go talk on HF.
Cool story, bro, but usually when someone uses the term skid they are the true skid. I don't go on HF, I only sell there.

Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 21, 2011, 02:13:05 AM
Quote from jhfire: Cool story, bro, but usually when someone uses the term skid they are the true skid. I don't go on HF, I only sell there.
Ha, if you say so.

Title: Re: MtGox_client.exe
Post by: aceman1011 on June 21, 2011, 02:25:32 AM
Quote from SomeoneWeird: Ha, if you say so.
From what you've said, you're the one who still uses HF. Why would you even start posting?

Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 21, 2011, 02:31:49 AM
Quote from aceman1011: From what you've said, you're the one who still uses HF. Why would you even start posting?
I haven't been on HF in over 2 years. I'm not a blackhat.

Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 02:32:07 AM
Quote from SomeoneWeird: Ha, if you say so.
Go search my username on HF. Not lying.

Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 21, 2011, 02:36:49 AM
Good luck staying unbanned on this forum.

Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 02:39:30 AM
Quote from SomeoneWeird: Good luck staying unbanned on this forum.
I can always sign back up. I have 2 wifi spots + VPN. lol