Bitcoin Forum

Alternate cryptocurrencies => Altcoin Discussion => Topic started by: btcusury on March 12, 2014, 06:35:45 PM



Title: Wallet stealer in MouseCoin-qt.exe
Post by: btcusury on March 12, 2014, 06:35:45 PM
A friend of mine who mines scrypt coins, but who otherwise isn't that geeky, discovered an oddly named hidden .zip file in his C: root directory (2014年2月13日18时45分.zip - he doesn't have Cyrillic script installed). In it are contained the wallet.dat files for all his cryptocoins (renamed to Bitcoin.dat, Litecoin.dat, etc).

Checking the file's last modified date and looking at the Prefetch directory, I determined that this file was created after running mousecoin-qt.exe or Mouse.exe (contained in the downloaded MouseCoin-Qt1.0.0.0_Win.rar). He downloaded that from the official site on 13 Feb 2014, linked to from the Bitcointalk announcement thread. When opened, mousecoin-qt.exe generates a hidden VBS file (tem.vbs), but this file in itself is innocent, containing just these four lines:

Code:
  Dim fso
  Set fso = CreateObject("Scripting.FileSystemObject")
  fso.DeleteFile("C:\Program Files\MouseCoin-Qt1.0.0.0_Win\mousecoin-qt.exe")
  fso.DeleteFile("C:\Program Files\MouseCoin-Qt1.0.0.0_Win\tem.vbs")

So the wallet-stealing code is contained in mousecoin-qt.exe itself, and the VBS file is used to delete itself. I haven't gone so far as to check where the .zip file with the wallets is sent, but if anyone is interested let me know.

As of today, the "official" MouseCoin sites (mousecoin.net and mouseco.in) return a 404, and the announcement thread has been renamed to "[ANN]New Coin MouseCoin ,yep,i m Jerry ! (https://bitcointalk.org/index.php?topic=405820.0)", and some Russian users appear to have posted over the last several weeks for the purpose of bumping the thread.

TL;DR: MouseCoin steals all your cryptocoin wallets! Had my friend not password-protected his wallets, they'd have all been wiped instantaneously.
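A triage script in the spirit of the check described in this post, added here as an example (it is not part of the thread and not code from MouseCoin): it scans a directory for zip archives whose members are named like renamed wallet files and reports each archive's hidden flag and last-modified time, the two things the post used to tie the archive to the wallet client. The list of wallet names, the sample archives it builds in a temporary directory, and their placeholder contents are constructed assumptions.

```python
"""Added example: find archives that look like bundled wallet files.

Not from the thread. Wallet names, sample archives and their contents are
constructed for demonstration.
"""
import stat
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

# Member names reported in the post plus the stock wallet.dat name.
# Assumption: extend this set for other coins you run.
WALLET_NAMES = {"wallet.dat", "bitcoin.dat", "litecoin.dat", "dogecoin.dat"}


def is_hidden(path: Path) -> bool:
    """True for a dot-file or a file carrying the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    st = path.stat()
    # st_file_attributes only exists on Windows; elsewhere treat as not hidden.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def wallet_members(zip_path: Path) -> List[str]:
    """Return archive members whose basename matches a known wallet filename."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if Path(n).name.lower() in WALLET_NAMES]


def scan_directory(root: Path) -> List[Dict[str, object]]:
    """Report .zip files directly under `root` that contain wallet-like members."""
    findings = []
    for entry in sorted(root.iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".zip":
            continue
        members = wallet_members(entry)
        if not members:
            continue
        findings.append({
            "path": str(entry),
            "hidden": is_hidden(entry),
            "mtime": entry.stat().st_mtime,   # compare against Prefetch timestamps
            "wallets": members,
        })
    return findings


def build_sample(dirpath: Path) -> Path:
    """Construct a sample archive mirroring the one described in the post
    (constructed data, not a real capture), next to a benign archive."""
    suspicious = dirpath / "2014年2月13日18时45分.zip"
    with zipfile.ZipFile(suspicious, "w") as zf:
        for name in ("Bitcoin.dat", "Litecoin.dat"):
            zf.writestr(name, b"\x00placeholder wallet bytes\x00")
    benign = dirpath / "photos.zip"
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff")
    return suspicious


def demo() -> List[Dict[str, object]]:
    """Build the constructed samples in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return scan_directory(Path(tmp))


if __name__ == "__main__":
    # Usage: python triage.py [directory]   (defaults to the constructed demo)
    results = scan_directory(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['path']}  hidden={f['hidden']}  wallets={f['wallets']}")
```

On a real machine you would point it at the drive root (`C:\`) and compare each finding's mtime with the Prefetch entries for the wallet client; the benign archive in the demo shows that archives without wallet-named members are ignored.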


Title: Re: Wallet stealer in MouseCoin-qt.exe
Post by: substratum on March 13, 2014, 02:09:34 AM
A friend of mine who mines scrypt coins, but who otherwise isn't that geeky, discovered an oddly named hidden .zip file in his C: root directory (2014年2月13日18时45分.zip - he doesn't have cyrillic script installed). In it are contained the wallet.dat files for all his cryptocoins (renamed to Bitcoin.dat, Litecoin.dat, etc).

The filename isn't Russian, it's a date/time in Chinese. The trojan sends the wallet files to 23.239.111.68 on TCP port 12730. That IP is assigned to a "Wei Cheng":

Code:
[support.gorillaservers.com]
%rwhois V-1.0,V-1.5:00090h:00 support.gorillaservers.com (Ubersmith RWhois Server V-2.4.0)
autharea=23.239.96.0/19
xautharea=23.239.96.0/19
network:Class-Name:network
network:Auth-Area:23.239.96.0/19
network:ID:NET-2827.23.239.111.64/27
network:Network-Name:23.239.111.64/27
network:IP-Network:23.239.111.64/27
network:IP-Network-Block:23.239.111.64 - 23.239.111.95
network:Org-Name:cheng, wei

That IP was also listed as a static node in the QT configuration file for JunnonCoin, a Chinese altcoin:

https://bitcointalk.org/index.php?topic=413045.0

I'm going to go ahead and say this is a Chinese wallet-stealing operation, not Russian.
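The rwhois record quoted above is a plain `object:Key:Value` format, so the network block it describes can be pulled out mechanically and used to check a host's connection table. The following is an added example (not from the thread): it parses the record as posted, takes the `IP-Network` CIDR, and flags connection records whose remote address falls inside that block, marking those on the port substratum reported separately. The connection lines are constructed samples in a netstat-like layout; the parser, field names and the process column are assumptions.

```python
"""Added example: parse the quoted rwhois record and match connections against it.

Not from the thread. The rwhois text is copied from the post; the connection
lines are constructed samples.
"""
import ipaddress
from typing import Dict, List

RWHOIS_RECORD = """\
[support.gorillaservers.com]
%rwhois V-1.0,V-1.5:00090h:00 support.gorillaservers.com (Ubersmith RWhois Server V-2.4.0)
autharea=23.239.96.0/19
xautharea=23.239.96.0/19
network:Class-Name:network
network:Auth-Area:23.239.96.0/19
network:ID:NET-2827.23.239.111.64/27
network:Network-Name:23.239.111.64/27
network:IP-Network:23.239.111.64/27
network:IP-Network-Block:23.239.111.64 - 23.239.111.95
network:Org-Name:cheng, wei
"""

C2_PORT = 12730  # TCP port reported in the post

# Constructed sample lines: proto, local, remote, state, process.
SAMPLE_CONNECTIONS = [
    "TCP 192.168.1.5:49832 23.239.111.68:12730 ESTABLISHED mousecoin-qt.exe",
    "TCP 192.168.1.5:49833 93.184.216.34:443 ESTABLISHED firefox.exe",
    "TCP 192.168.1.5:49840 23.239.111.70:8333 ESTABLISHED junnoncoin-qt.exe",
]


def parse_rwhois(text: str) -> Dict[str, str]:
    """Turn 'object:Key:Value' lines into a dict keyed 'object:Key'.

    Banner ('%'), bracketed server lines and 'key=value' headers carry no
    record data and are skipped; values may themselves contain colons.
    """
    rec: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith(("%", "[")):
            continue
        parts = line.split(":", 2)
        if len(parts) < 3:
            continue
        obj, key, value = parts
        rec[f"{obj}:{key}"] = value.strip()
    return rec


def block_from_record(rec: Dict[str, str]) -> ipaddress.IPv4Network:
    """Use the CIDR field when present, else derive it from the start-end range."""
    if "network:IP-Network" in rec:
        return ipaddress.ip_network(rec["network:IP-Network"], strict=False)
    start, end = (s.strip() for s in rec["network:IP-Network-Block"].split("-"))
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets[0]


def flag_connections(lines: List[str], block: ipaddress.IPv4Network,
                     port: int) -> List[Dict[str, object]]:
    """Return connections whose remote address is inside `block`.

    Each hit records the process and whether the remote port is the one
    reported for the exfiltration traffic.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        remote = fields[2]
        host, _, rport = remote.rpartition(":")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # not an IP literal (e.g. a hostname); skip it
        if addr in block:
            hits.append({"process": fields[4], "remote": remote,
                         "port_match": rport.isdigit() and int(rport) == port})
    return hits


def analyze() -> List[Dict[str, object]]:
    """Run the parser over the quoted record and check the sample connections."""
    rec = parse_rwhois(RWHOIS_RECORD)
    return flag_connections(SAMPLE_CONNECTIONS, block_from_record(rec), C2_PORT)


if __name__ == "__main__":
    for hit in analyze():
        print(f"{hit['process']} -> {hit['remote']}  port_match={hit['port_match']}")
```

Matching on the whole /27 rather than the single address is deliberate: the same org's block was also wired into another altcoin client as a static node, so any process in the wallet directory talking to that range deserves a look, not only the one on port 12730.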


Title: Re: Wallet stealer in MouseCoin-qt.exe
Post by: substratum on March 13, 2014, 02:27:22 AM
Just verified that the Win32 JunnonCoin-Qt client posted in the thread I linked to above is also the same malware.


Title: Re: Wallet stealer in MouseCoin-qt.exe
Post by: Deslock Darkstar on March 13, 2014, 02:41:52 PM
Well, that settles it then..... Mousecoin is deader than a drowned rat.


Title: Re: Wallet stealer in MouseCoin-qt.exe
Post by: Snail2 on March 13, 2014, 03:49:14 PM
Nice find :).


Title: Re: Wallet stealer in MouseCoin-qt.exe
Post by: btcusury on March 13, 2014, 07:23:22 PM
Great research, substratum, thanks.

So it's not that someone hacked a server and replaced legitimate cryptocoin-qt with a trojan-infected one, this is an operation by the authors of these altcoins themselves.

I wonder how successful they've been in stealing money this way...


Title: Re: Wallet stealer in MouseCoin-qt.exe
Post by: cryptohunter on March 13, 2014, 07:48:31 PM
So even scanning with VirusTotal would not have revealed this?



Title: Re: Wallet stealer in MouseCoin-qt.exe
Post by: substratum on March 14, 2014, 10:47:30 AM
So even scanning with VirusTotal would not have revealed this?


This one had a few detects in VirusTotal but I think one problem is that there always seem to be a few false-positive detections on all Qt wallets, so people are being trained to ignore VirusTotal results for new altcoins even when they are true-positive.

It's just downright crazy to run a program downloaded from this forum on a machine where your other important files (i.e. wallets) are stored. If you want to beat everyone else to jump on the latest coin or whatever, use a separate VM for each wallet until its code is shown to be trustworthy. And if for some reason it doesn't run in a VM, that's probably a good sign it's malware.