Title: Electrum connecting to a "risky destination"
Post by: Clockworld on February 29, 2024, 03:45:54 PM

I've been running Electrum for a long time, but this is the first time I've had my antivirus block it for trying to connect to a "risky destination."

The URL it tried to connect to begins with electrumx and ends with dot info. According to my research, this URL is associated with malware. Electrum has never given me trouble before, so I'm pretty sure I installed a legitimate copy. The malware probably originated elsewhere and infected my Electrum. Any idea what malware it is and what I should do about it? (P.S. My wallet is watch-only, so there's no great risk at the moment.)

Title: Re: Electrum connecting to a "risky destination"
Post by: Charles-Tim on February 29, 2024, 05:04:14 PM

I am using version 4.5.2. I clicked on 'Check for update' and it sent me to https://electrum.org/#download and also indicated that the latest version is 4.5.3, which is normal.

I also clicked 'Official website' under 'Help' and it directed me to https://electrum.org/, which is the official site. Make sure that you are using the original Electrum and always keep it updated. You did not go to the fake URL, so there is no problem. Only download or update Electrum from the official website: https://electrum.org/

Title: Re: Electrum connecting to a "risky destination"
Post by: BitMaxz on February 29, 2024, 05:10:53 PM

Quote from Clockworld: I've been running Electrum for a long time, but this is the first time I've had my antivirus block it for trying to connect to a "risky destination." The URL it tried to connect to begins with electrumx and ends with dot info. According to my research, this URL is associated with malware. Electrum has never given me trouble before, so I'm pretty sure I installed a legitimate copy. The malware probably originated elsewhere and infected my Electrum. Any idea what malware it is and what I should do about it? (P.S. My wallet is watch-only, so there's no great risk at the moment.)

How are you sure that you installed a legitimate copy? Did you verify it? If you verified it with the GPG tool and the public key provided on the Electrum download page, then you are safe. About the antivirus: if it's just a server, you can change it in Electrum under Tools > Network, uncheck "Select server automatically" and choose another server that you know is safe.

Title: Re: Electrum connecting to a "risky destination"
Post by: Clockworld on February 29, 2024, 06:11:26 PM

Quote from BitMaxz: How are you sure that you installed a legitimate copy? Did you verify it?

I'm pretty sure I did all that, but it's been so long I can't be 100% sure. It turns out I'm running an old version of Electrum, though, so I'll update and check again.

Quote from BitMaxz: If you verified it with the GPG tool and the public key provided on the Electrum download page, then you are safe. About the antivirus: if it's just a server, you can change it in Electrum under Tools > Network, uncheck "Select server automatically" and choose another server that you know is safe.

In my old version, when I went to Tools > Network, the electrumx dot info URL showed up under "Other known servers." After updating to the current version, however, it's no longer there. So either malware added the URL to my servers list, or it was at one time a legitimate network.

Title: Re: Electrum connecting to a "risky destination"
Post by: promise444c5 on February 29, 2024, 06:50:03 PM

Quote from Clockworld: I've been running Electrum for a long time, but this is the first time I've had my antivirus block it for trying to connect to a "risky destination."

Firstly, before any recommendations, I would like to ask if you could possibly recall where and how you downloaded your Electrum wallet.

Quote from Clockworld: The URL it tried to connect to begins with electrumx and ends with dot info. According to my research, this URL is associated with malware. Electrum has never given me trouble before, so I'm pretty sure I installed a legitimate copy. The malware probably originated elsewhere and infected my Electrum. Any idea what malware it is and what I should do about it? (P.S. My wallet is watch-only, so there's no great risk at the moment.)

GitHub repo, website? Also, could you recall if you used the Tor network or the dark web for the download, because there could possibly have been a website hosting a site with almost the same hostname as their website back then. Lastly, have you ever made a transaction using that very Electrum wallet?

Title: Re: Electrum connecting to a "risky destination"
Post by: DaveF on February 29, 2024, 06:58:56 PM

The original creator of ElectrumX forked it off in preference of BCH. The server you mentioned was one that supported BCH, not BTC.

*BUT* that was years and years ago. No idea what has happened since. The domain might have dropped and someone re-registered it to serve malware. So long as you did not connect and it's no longer in the list of servers, it's not a large concern.

-Dave

Title: Re: Electrum connecting to a "risky destination"
Post by: Clockworld on February 29, 2024, 07:38:05 PM

Quote from DaveF: The original creator of ElectrumX forked it off in preference of BCH. The server you mentioned was one that supported BCH, not BTC.

I was still running Electrum 4.2 (whoops), which I downloaded in 2022. I think your explanation may be correct: that the domain used to be legitimate, was still included in Electrum 4.2's server list, and is now flagged as malicious by antivirus programs. I didn't connect to the URL, and my wallet is watch-only, so I don't think any harm was done. But if malware added the network to my server list, then I may still have something on my computer that I need to clean up.

Quote from DaveF: *BUT* that was years and years ago. No idea what has happened since. The domain might have dropped and someone re-registered it to serve malware. So long as you did not connect and it's no longer in the list of servers, it's not a large concern.

To answer promise's questions: I downloaded Electrum 4.2.2 from electrum.org in June 2022. I verified the keys to the best of my ability. I wasn't using Tor or the dark web at the time.

Title: Re: Electrum connecting to a "risky destination"
Post by: BitMaxz on February 29, 2024, 10:46:51 PM

Quote from Clockworld: I was still running Electrum 4.2 (whoops), which I downloaded in 2022. I think your explanation may be correct: that the domain used to be legitimate, was still included in Electrum 4.2's server list, and is now flagged as malicious by antivirus programs. I didn't connect to the URL, and my wallet is watch-only, so I don't think any harm was done. But if malware added the network to my server list, then I may still have something on my computer that I need to clean up.

Electrum 4.2 is an old version of Electrum; this might be the reason why the antivirus was triggered. Why don't you try upgrading Electrum to the latest version, 4.5.3?

Quote from Clockworld: To answer promise's questions: I downloaded Electrum 4.2.2 from electrum.org in June 2022. I verified the keys to the best of my ability. I wasn't using Tor or the dark web at the time.

Since it's just a watch-only wallet, it won't do any harm to your wallet, but if your system is infected or the wallet is fake, then at any time they can manipulate the Electrum wallet to generate a raw transaction for an offline transaction that contains their wallet's BTC address. So it is better to uninstall this old version of the Electrum wallet and use the latest version; make sure to verify it first before you install it, for safety, and make sure you have a separate wallet for your offline wallet. If you doubt that the current PC is infected, then you will need to reformat the PC and reinstall a fresh OS for safety.

Title: Re: Electrum connecting to a "risky destination"
Post by: khaled0111 on February 29, 2024, 10:46:56 PM

The Electrum server your wallet was trying to connect to is just an online server that might be used to run different programs, some of which might be harmful. So there are many possible reasons why that server was flagged as suspicious by your AV, which then blocked access to it.

Since there are no reports of a vulnerability that would allow an Electrum server, when connected to it, to infect your device with malware, I believe you are fine and there is nothing to worry about. But you did the right thing by updating your wallet to the latest version (better safe than sorry).

Title: Re: Electrum connecting to a "risky destination"
Post by: Yamane_Keto on March 01, 2024, 01:32:23 AM

I assume that your problem is connecting to this server or a similar server.

Code: electrum.diynodes.com

It was reported a few days ago due to a misconfigured SSL certificate (Error code: SSL_ERROR_BAD_CERT_DOMAIN) or a similar error, so the antivirus gives an error like "risky destination." The solution is simple: change your Electrum server. Switch to the overview tab, where you will find an option to choose the server automatically; uncheck this option, search for a random server, connect using it and check the antivirus log until this error stops.

Quote from Charles-Tim: Make sure that you are using the original Electrum and always keep it updated. You did not go to the fake URL, so there is no problem. Only download or update Electrum from the official website: https://electrum.org/

Title: Re: Electrum connecting to a "risky destination"
Post by: nc50lc on March 01, 2024, 05:28:54 AM

Quote from Clockworld: -snip- After updating to the current version, however, it's no longer there. So either malware added the URL to my servers list, or it was at one time a legitimate network.

Updating Electrum has nothing to do with it, unfortunately. Electrum fetches those other non-hardcoded servers from the main server that you're connected to; it happens that it was included in the list after your client queried for other servers. I've checked the server that you mentioned (electrumx[dot]info) and it went offline just recently and may come back online again.

Regardless of whether it's a false positive or not, apart from privacy concerns if it's auto-selected as your main server, I don't think it can do any significant harm to your machine or wallet with the version of Electrum that you had been using. At least keep it blocked by your AV if you trust your AV's heuristics or don't trust the server.