Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: jhfire on June 20, 2011, 06:06:23 AM



Title: MtGox_client.exe
Post by: jhfire on June 20, 2011, 06:06:23 AM
Anyone have this file, I wish to download it. Don't question my wanting, please if you have the file upload it to mediafire I wish to take a look at it.

I did actually decompile it. Here is proof as well as a thread mob closed.

Thread:



Proof:



Title: Re: MtGox_client.exe
Post by: DamienBlack on June 20, 2011, 06:07:22 AM
Just so everyone is clear, this is a virus.


Title: Re: MtGox_client.exe
Post by: jhfire on June 20, 2011, 06:09:38 AM
Just so everyone is clear, this is a virus.

I do understand this, I am experienced in the virus field. I wish to decompile and find out more information about it, can someone please download it and upload it. DON'T OPEN IT! A virus can only be harmful if you open it.


Title: Re: MtGox_client.exe
Post by: AnonymousBat on June 20, 2011, 06:16:55 AM
I'd love a copy to load up into IDA as well.


Title: Re: MtGox_client.exe
Post by: jhfire on June 20, 2011, 06:18:30 AM
Does anyone have a damn copy? Stop being a pussy and please upload it. If you can get me that file I can get the hacker.


Title: Re: MtGox_client.exe
Post by: GeniuSxBoY on June 20, 2011, 06:23:25 AM
"hay guiz, can som1 giv me teh v1rus so I can h3xedit mi acc0unt informashunz n2 it?"


Title: Re: MtGox_client.exe
Post by: jhfire on June 20, 2011, 06:24:22 AM
"hay guiz, can som1 giv me teh v1rus so I can h3xedit mi acc0unt informashunz n2 it?"

You haten son?


Title: Re: MtGox_client.exe
Post by: GeniuSxBoY on June 20, 2011, 06:26:01 AM
When you change the information and link it to your account, there will be some other noob that goes "haaay look!! I found th mt gox hax0r!!"


Title: Re: MtGox_client.exe
Post by: CYPER on June 20, 2011, 11:39:54 AM
I had a feeling this was a virus, but just out of sheer curiosity I first scanned it with MSE and then opened it. No antivirus detects it as a virus, so how can I clean myself?

I haven't started mining yet and have no coins in the wallet, but how would I make sure my machine is clean before I do?


Title: Re: MtGox_client.exe
Post by: just_someguy on June 20, 2011, 11:56:24 AM
I had a feeling this was a virus, but just out of sheer curiosity I first scanned it with MSE and then opened it. No antivirus detects it as a virus, so how can I clean myself?

I haven't started mining yet and have no coins in the wallet, but how would I make sure my machine is clean before I do?

Wow.

It won't detect as a virus because it's brand new. You are infected. Maybe someone will reverse engineer it and you figure out how to clean it up at a later date.
Until then your machine is compromised and possibly every account you have accessed from it.
Scrap the machine. Change the password to all your accounts.


Title: Re: MtGox_client.exe
Post by: 3txx on June 20, 2011, 11:57:50 AM
to first poster:
If you still need the File, please send me your Email/Trashmail/Something via PM. I won't upload/download it.


greets


Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 20, 2011, 12:04:51 PM
Just so everyone is clear, this is a virus.

I do understand this, I am experienced in the virus field. I wish to decompile and find out more information about it, can someone please download it and upload it. DON'T OPEN IT! A virus can only be harmful if you open it.

https://rapidshare.com/files/4215500226/MtGox_client.zip

Warning, this file is a VIRUS. DO NOT RUN IT. Password: virus


Title: Re: MtGox_client.exe
Post by: CYPER on June 20, 2011, 12:11:44 PM
Wow.

It won't detect as a virus because it's brand new. You are infected. Maybe someone will reverse engineer it and you figure out how to clean it up at a later date.
Until then your machine is compromised and possibly every account you have accessed from it.
Scrap the machine. Change the password to all your accounts.
I just found out there is an executable called xXXCFEA.exe that has outgoing connections from my machine and it disappears from the Task Manager list when I close the Bitcoin.exe:

[xXXCFEA.exe]
 TCP    127.0.0.1:58531        Black:58530            ESTABLISHED
[xXXCFEA.exe]
 TCP    192.168.1.105:54354    giraffe:6667           ESTABLISHED
[bitcoin.exe]
 TCP    192.168.1.105:56397    www:https              CLOSE_WAIT
[xXXCFEA.exe]
 TCP    192.168.1.105:59214    mx1:imap               ESTABLISHED

It's located in
C:\Users\CYPER\AppData\Local\Temp

I bet that's part of the virus.
Do you think the virus is so sophisticated that it can extract all of my saved passwords from Firefox for example?
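A defender-side check for the listing above, added here as an example rather than code from the thread: it parses netstat-style lines in the layout CYPER posted and flags a process by its remote port and by where its image lives on disk. The IMAGE_PATHS map is constructed for the example, standing in for what a responder would collect from tasklist or Process Explorer.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the listing posted in the thread:
# a bracketed process name followed by its connection line.
SAMPLE = """\
[xXXCFEA.exe]
 TCP    127.0.0.1:58531        Black:58530            ESTABLISHED
[xXXCFEA.exe]
 TCP    192.168.1.105:54354    giraffe:6667           ESTABLISHED
[bitcoin.exe]
 TCP    192.168.1.105:56397    www:https              CLOSE_WAIT
[xXXCFEA.exe]
 TCP    192.168.1.105:59214    mx1:imap               ESTABLISHED
"""

# Hypothetical process -> image path map (constructed for the example).
IMAGE_PATHS = {
    "xXXCFEA.exe": r"C:\Users\CYPER\AppData\Local\Temp\xXXCFEA.exe",
    "bitcoin.exe": r"C:\Program Files\Bitcoin\bitcoin.exe",
}

Conn = namedtuple("Conn", "proc proto local remote rport state")

PROC_RE = re.compile(r"^\[(?P<proc>[^\]]+)\]\s*$")
CONN_RE = re.compile(r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s*(?P<state>\S+)?")

# netstat resolves well-known ports to service names unless run with -n;
# map the names seen in the listing back to port numbers.
SERVICE_PORTS = {"https": 443, "imap": 143, "http": 80}
SUSPICIOUS_PORTS = {6667: "IRC (classic botnet command channel)"}

def parse_netstat(text):
    """Turn the bracketed listing into Conn records, one per connection line."""
    conns, proc = [], None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            proc = m.group("proc")
            continue
        m = CONN_RE.match(line)
        if m and proc:
            _, _, port = m.group("remote").rpartition(":")
            rport = int(port) if port.isdigit() else SERVICE_PORTS.get(port, -1)
            conns.append(Conn(proc, m.group("proto"), m.group("local"),
                              m.group("remote"), rport, m.group("state") or ""))
    return conns

def flag(conns, image_paths):
    """Return (process, remote, reasons) for connections worth a second look."""
    findings = []
    for c in conns:
        reasons = []
        if c.rport in SUSPICIOUS_PORTS:
            reasons.append(SUSPICIOUS_PORTS[c.rport])
        if "\\temp\\" in image_paths.get(c.proc, "").lower():
            reasons.append("image runs from a Temp directory")
        if reasons:
            findings.append((c.proc, c.remote, reasons))
    return findings
```

Run against the sample, every xXXCFEA.exe connection is flagged for its Temp-directory image, and the giraffe:6667 one additionally for the IRC port, while bitcoin.exe's HTTPS session is left alone.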


Title: Re: MtGox_client.exe
Post by: just_someguy on June 20, 2011, 12:20:20 PM
Quote

I bet that's part of the virus.
Do you think the virus is so sophisticated that it can extract all of my saved passwords from Firefox for example?

Assume it is. You need to wipe that machine and check anything else on your network.


Title: Re: MtGox_client.exe
Post by: Man From The Future on June 20, 2011, 12:35:01 PM
http://www.virustotal.com/file-scan/report.html?id=b8e42f50c70c37967f5a89b556f732ba5e7f6d3a1e1a6d4dcd225f85ebf26963-1308572546

:( No detections


Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 20, 2011, 12:40:06 PM
http://www.virustotal.com/file-scan/report.html?id=b8e42f50c70c37967f5a89b556f732ba5e7f6d3a1e1a6d4dcd225f85ebf26963-1308572546

:( No detections

As we've said, it's a new virus, so the AV's won't have a signature for it yet.


Title: Re: MtGox_client.exe
Post by: Man From The Future on June 20, 2011, 12:41:54 PM
http://www.virustotal.com/file-scan/report.html?id=b8e42f50c70c37967f5a89b556f732ba5e7f6d3a1e1a6d4dcd225f85ebf26963-1308572546

:( No detections

As we've said, it's a new virus, so the AV's won't have a signature for it yet.

Which means a bunch of Mt Gox users will now have it. Which is why I feel the need to use:

 :'( :'( :'( :'( :'( :'( :'( :'( :'( :'(


Title: Re: MtGox_client.exe
Post by: bradminer on June 20, 2011, 12:46:10 PM
I think it is useful for all to upload this file to AV companies to update signatures as soon as possible.....

I've a gmail account so their filters on .exe files blocked it.... i think


Title: Re: MtGox_client.exe
Post by: mandros on June 20, 2011, 01:08:34 PM
Anyone have this file, I wish to download it. Don't question my wanting, please if you have the file upload it to mediafire I wish to take a look at it.

Here you have it:
http://www.megaupload.com/?d=VWNREX2X

It's zipped with password: virus

It's also renamed with extension .virus so no one can execute it by accident.

I received it on my yahoo email account and as of right now it still let me download it without detecting it as a virus.


Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 20, 2011, 01:14:49 PM
Anyone have this file, I wish to download it. Don't question my wanting, please if you have the file upload it to mediafire I wish to take a look at it.

Here you have it:
http://www.megaupload.com/?d=VWNREX2X

It's zipped with password: virus

It's also renamed with extension .virus so no one can execute it by accident.

I received it on my yahoo email account and as of right now it still let me download it without detecting it as a virus.


I've posted it as well :)


Title: Re: MtGox_client.exe
Post by: Boing7898 on June 20, 2011, 01:19:59 PM
I got another malware called Bitcoin-exploit.. if someone wants I'll post it here.
It is an AutoIt script (thanks BinText)

Quote
Dear Mt.Gox user,

There has recently been a private new Bitcoin exploit program released that duplicates transaction fees from the previous thousands of transactions and sends the BTC to your address.

We're well aware that many Mt. Gox users have lost their Bitcoins due to the security breaches on our website in the last few days, so we decided it would be fair for those users to recoup at least some of their losses:

You may check out the exploit here : URLOFINFECTEDSHIT

**Please read the enclosed tutorials prior to running the program for instructions.**

This is our way of apologizing to our users for the massive problems we've been experiencing as of late, including the users who have lost a lot of BTC over the past few days

Thanks,
The Mt.Gox team

BIG EDIT: IN THE SAME SERVER THERE WAS SPYEYE!! Spyeye is a bot that STEALS CREDIT CARDS!!
Clean your PC now, if you don't want to get your credit card stolen.


Title: Re: MtGox_client.exe
Post by: mandros on June 20, 2011, 01:47:07 PM
Anyone have this file, I wish to download it. Don't question my wanting, please if you have the file upload it to mediafire I wish to take a look at it.

Here you have it:
http://www.megaupload.com/?d=VWNREX2X

It's zipped with password: virus

It's also renamed with extension .virus so no one can execute it by accident.

I received it on my yahoo email account and as of right now it still let me download it without detecting it as a virus.


I've posted it as well :)

Oops, my fault. By the way, do you have any spare glasses ? ;-)



Title: Re: MtGox_client.exe
Post by: netrin on June 21, 2011, 12:37:32 AM
Does this virus send bitcoins to an address or just upload the entire wallet to an email address or what? There are probably a bunch of variations out in the wild, but is there ONE address worth looking at in the block chain? url?


Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 12:55:02 AM
Does this virus send bitcoins to an address or just upload the entire wallet to an email address or what? There are probably a bunch of variations out in the wild, but is there ONE address worth looking at in the block chain? url?

It doesn't steal anything, it is an HTTP RAT. Just means the hacker can control your computer through a website.


Title: Re: MtGox_client.exe
Post by: aceman1011 on June 21, 2011, 12:59:43 AM
Lol, I am quite experienced in the malware field.
Looks like some skids learned to use the leaked Zeus code and a crypter... I'll check this out in NET Reflector  and see if I can't reverse engineer this skiddy.


Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 01:04:48 AM
Lol, I am quite experienced in the malware field.
Looks like some skids learned to use the leaked Zeus code and a crypter... I'll check this out in NET Reflector  and see if I can't reverse engineer this skiddy.

HAHAHAHAHAHHAHAHAHAHAHAHAHAHAHAHAHHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAH AAAAAAAAAAAAAAAAAAAAAAHAHAHHAHAHAHHAHAHAHAHAHAHHAAHAHAHAHHAHAHAHAHAHAHAHAHHAHAH AHAHA

MAAHHDFSDGHouar589yh4uigre9uiter

That is what I think about your statement. First little kid, the file is written in C++ and uses port 80 to communicate to the site. I thought it was a stealer until I tracked the IP down to the site. I found the control panel, sql injected to find the username and password. It is a HTTP RAT and the control panel has 9k RATS.

This is not Zeus kid and this is not a fucking crypter. It has crypted ST/RT and made a directory in C:\ under the name of win.bin or some shit like that. I already decompiled this virus and got everything out of it. I took down his site and now the game is over. You're too late, please take your kid shit somewhere else.

P.S. I like it how you think by saying "Zeus" and "Lol, I am quite experienced in the malware field." makes you some kind of god.

Edit: I made a thread about it and it got taken down by mobs.


Title: Re: MtGox_client.exe
Post by: aceman1011 on June 21, 2011, 01:11:43 AM
Lol, you don't know crap. You first say it's a RAT, then a botnet. You claim to have used SQLi on a control panel with 9000 "rats." Hate to break it to ya, but it was probably uBot, umbrella loader, vertexnet, or Blackshades. You are full of BS, and yea you MUST crypt the output of HTTP, Hexing won't work on it. It wouldn't be FUD for a day. GTFO. You're so l33t! Wow, you know what scantime and runtime means...


Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 01:15:20 AM
Lol, you don't know crap. You first say it's a RAT, then a botnet. You claim to have used SQLi on a control panel with 9000 "rats." Hate to break it to ya, but it was probably uBot, umbrella loader, vertexnet, or Blackshades. You are full of BS, and yea you MUST crypt the output of HTTP, Hexing won't work on it. It wouldn't be FUD for a day. GTFO. You're so l33t! Wow, you know what scantime and runtime means...

Okay kid. Here is a ss of the old thread from yesterday the mods closed down. Now, you GTFO kid.

Thread:


Proof:


You were saying dick?


Title: Re: MtGox_client.exe
Post by: aceman1011 on June 21, 2011, 01:20:34 AM
Lol, you don't know crap. You first say it's a RAT, then a botnet. You claim to have used SQLi on a control panel with 9000 "rats." Hate to break it to ya, but it was probably uBot, umbrella loader, vertexnet, or Blackshades. You are full of BS, and yea you MUST crypt the output of HTTP, Hexing won't work on it. It wouldn't be FUD for a day. GTFO. You're so l33t! Wow, you know what scantime and runtime means...

Okay kid. Here is a ss of the old thread from yesterday the mods closed down. Now, you GTFO kid.

Thread:


Proof:


You were saying dick?
Lol, VertexNet 1.1 doesn't even work. The maker even told me. Ask Unremote on HF or Twitter. Neither does 1.0 beta or 1.2. And why would you include Spyeye Tracker? Add Symantec field info....


Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 01:22:08 AM
Lol, you don't know crap. You first say it's a RAT, then a botnet. You claim to have used SQLi on a control panel with 9000 "rats." Hate to break it to ya, but it was probably uBot, umbrella loader, vertexnet, or Blackshades. You are full of BS, and yea you MUST crypt the output of HTTP, Hexing won't work on it. It wouldn't be FUD for a day. GTFO. You're so l33t! Wow, you know what scantime and runtime means...

Okay kid. Here is a ss of the old thread from yesterday the mods closed down. Now, you GTFO kid.

Thread:


Proof:


You were saying dick?
Lol, VertexNet 1.1 doesn't even work. The maker even told me. Ask Unremote on HF or Twitter. Neither does 1.0 beta or 1.2. And why would you include Spyeye Tracker? Add Symantec field info....

Actually VertexNet does work. I'm using it as of right now to see what it is all about. I even tested it on myself. Kid, you really need to start testing and learning.


Title: Re: MtGox_client.exe
Post by: aceman1011 on June 21, 2011, 01:27:32 AM
I have, I added tons of vics on it but the commands suck and don't work. You on openwsc or HF?


Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 01:33:08 AM
I have, I added tons of vics on it but the commands suck and don't work. You on openwsc or HF?

I only use the VertexNet temp and then I move them to CG. I'm on both forums.


Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 21, 2011, 01:33:51 AM
I have, I added tons of vics on it but the commands suck and don't work. You on openwsc or HF?

I only use the VertexNet temp and then I move them to CG. I'm on both forums.

Ok guys, take your hacker talk somewhere else.


Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 01:49:40 AM
I have, I added tons of vics on it but the commands suck and don't work. You on openwsc or HF?

I only use the VertexNet temp and then I move them to CG. I'm on both forums.

Ok guys, take your hacker talk somewhere else.

You know you like it ::).


Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 21, 2011, 01:50:57 AM
I have, I added tons of vics on it but the commands suck and don't work. You on openwsc or HF?

I only use the VertexNet temp and then I move them to CG. I'm on both forums.

Ok guys, take your hacker talk somewhere else.

You know you like it ::).

Maybe, but no offence, from what I've seen you are both skids. Go talk on HF.


Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 02:01:22 AM
I have, I added tons of vics on it but the commands suck and don't work. You on openwsc or HF?

I only use the VertexNet temp and then I move them to CG. I'm on both forums.

Ok guys, take your hacker talk somewhere else.

You know you like it ::).

Maybe, but no offence, from what I've seen you are both skids. Go talk on HF.

Cool story bro, but usually when someone uses the term skid they are the true skid. I don't go on HF, I only sell there.


Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 21, 2011, 02:13:05 AM
I have, I added tons of vics on it but the commands suck and don't work. You on openwsc or HF?

I only use the VertexNet temp and then I move them to CG. I'm on both forums.

Ok guys, take your hacker talk somewhere else.

You know you like it ::).

Maybe, but no offence, from what I've seen you are both skids. Go talk on HF.

Cool story bro, but usually when someone uses the term skid they are the true skid. I don't go on HF, I only sell there.

ha, if you say so.


Title: Re: MtGox_client.exe
Post by: aceman1011 on June 21, 2011, 02:25:32 AM
I have, I added tons of vics on it but the commands suck and don't work. You on openwsc or HF?

I only use the VertexNet temp and then I move them to CG. I'm on both forums.

Ok guys, take your hacker talk somewhere else.

You know you like it ::).

Maybe, but no offence, from what I've seen you are both skids. Go talk on HF.

Cool story bro, but usually when someone uses the term skid they are the true skid. I don't go on HF, I only sell there.

ha, if you say so.

From what you've said, you're the one who still uses HF. Why would you even start posting?


Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 21, 2011, 02:31:49 AM
I have, I added tons of vics on it but the commands suck and don't work. You on openwsc or HF?

I only use the VertexNet temp and then I move them to CG. I'm on both forums.

Ok guys, take your hacker talk somewhere else.

You know you like it ::).

Maybe, but no offence, from what I've seen you are both skids. Go talk on HF.

Cool story bro, but usually when someone uses the term skid they are the true skid. I don't go on HF, I only sell there.

ha, if you say so.

From what you've said, you're the one who still uses HF. Why would you even start posting?


I haven't been on HF in over 2 years. I'm not a blackhat.


Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 02:32:07 AM
I have, I added tons of vics on it but the commands suck and don't work. You on openwsc or HF?

I only use the VertexNet temp and then I move them to CG. I'm on both forums.

Ok guys, take your hacker talk somewhere else.

You know you like it ::).

Maybe, but no offence, from what I've seen you are both skids. Go talk on HF.

Cool story bro, but usually when someone uses the term skid they are the true skid. I don't go on HF, I only sell there.

ha, if you say so.

Go search my username on HF. Not lying.


Title: Re: MtGox_client.exe
Post by: SomeoneWeird on June 21, 2011, 02:36:49 AM
Good luck staying unbanned on this forum.


Title: Re: MtGox_client.exe
Post by: jhfire on June 21, 2011, 02:39:30 AM
Good luck staying unbanned on this forum.

I can always sign back up. I have 2 wifi spots + VPN.

lol