Bitcoin Forum
December 10, 2016, 08:51:15 AM *
Author Topic: Warning: DO NOT CLICK LINK IN PRIVATE MESSAGES  (Read 14444 times)
jimbo77 (Member, Activity: 78)
June 15, 2011, 02:06:44 PM  #1

Just got a warning that I somehow broke forum rules. Looks like a picture link or screenshot. Virus tries to get on computer!
slothbag (Sr. Member, Activity: 369)
June 15, 2011, 02:17:47 PM  #2

Yeah, I just got this message also.

I consider myself fairly tech savvy and usually detect these scams, but this looks legit and I clicked the link, lucky my email client opened the exe as a text file instead.

No doubt that sucker is going straight for your wallet.dat

People will lose coins from this!
jimbo77 (Member, Activity: 78)
June 15, 2011, 02:19:38 PM  #3

Quote from: slothbag on June 15, 2011, 02:17:47 PM
Yeah, I just got this message also.

I consider myself fairly tech savvy and usually detect these scams, but this looks legit and I clicked the link, lucky my email client opened the exe as a text file instead.

No doubt that sucker is going straight for your wallet.dat

People will lose coins from this!


Anyone know the details about this particular one to make sure it's completely removed. My virus scanner found something but I want to make sure it got it all!!
slothbag (Sr. Member, Activity: 369)
June 15, 2011, 02:24:41 PM  #4

If you ran the program or suspect your pc has been compromised, I would recommend creating a new wallet on a different computer and transfer all your coins to the new address immediately.


ukbitco.in (Jr. Member, Activity: 30)
June 15, 2011, 03:57:21 PM  #5

If you clicked this link and have bitcoin running, or a wallet.dat somewhere on your computer, be quick!

Disconnect computer from the internet immediately!!!!!! (so virus cannot communicate)

Take your wallet.dat with you, find another computer and create a new wallet.

Send coins to new address.



caveden (Legendary, Activity: 1106)
June 15, 2011, 04:00:13 PM  #6

This is big. Shouldn't this topic be stickied for a while?

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
riX (Sr. Member, Activity: 327)
June 15, 2011, 04:03:32 PM  #7

Could someone post a copy of the .exe for investigation?
Put it in an archive so no one accidentally runs it.

TheVirus (Member, Activity: 84)
June 15, 2011, 04:04:53 PM  #8

Quote from: caveden on June 15, 2011, 04:00:13 PM
This is big. Shouldn't this topic be stickied for a while?

A fool and his money are soon parted. If people are silly enough to click on fake/malicious links then they should take that as a lesson and learn from their mistakes. This is a big flaw in the Bitcoin system and there's no easy way to fix it. Even an encrypted wallet would mean nothing if the wallet is open and the password is stored in memory.

Donations welcome: 1H8Pj3qYqfzxqgHzMLLsL6hWGEN88QLdkb
gst (Jr. Member, Activity: 38)
June 15, 2011, 04:08:43 PM  #9

Quote from: TheVirus on June 15, 2011, 04:04:53 PM
This is a big flaw in the Bitcoin system and there's no easy way to fix it.

No - that's not a flaw in Bitcoin. Bitcoin works perfectly fine. If you execute untrusted code on a computer that you use for financial transactions it's your own fault.
jimbo77 (Member, Activity: 78)
June 15, 2011, 04:11:35 PM  #10

I'm not an idiot. I didn't click run or save. I thought it was a picture file so I clicked it. Without a warning others will click it!!!!

Text:

Hello

Statements which should not be generally offensive, be excessively repeated or have bad formatting (spam), contain forbidden advertising or political or religious views, not be non-English when English is required, disclose personal data of others, or support any other rule violation.

Proof can be seen at:
http://xxxxxxxxx(added)images4u.hostil.pl/DS***054.jpg

One more warning and your account might be banned.

From Moonshadow~

I saw Moonshadow but didn't really look at the post count.
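The PM above links to what looks like a .jpg, yet what slothbag received was an .exe that his mail client happened to open as text. The check that settles the question is on the file's leading bytes, not on its name. The following is an added example in Python (not code from this thread or from any poster): it classifies a blob as JPEG or Windows PE from its magic bytes and compares that with the extension the name claims. The sample blobs are constructed inside the script, and the file names used (screenshot.jpg, photo.jpg, setup.exe) are made up; the real link's file name is elided in the post above and is not reconstructed here.

```python
import struct

# Signatures checked here. This added example only covers the two types the
# thread is about: a picture that turns out to be a Windows executable.
JPEG_MAGIC = b"\xff\xd8\xff"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
IMAGE_EXTS = {".jpg", ".jpeg"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif"}


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes; the file name is deliberately ignored."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(MZ_MAGIC):
        # A Win32 image has a DOS stub whose e_lfanew field (offset 0x3C) points
        # at the "PE\0\0" signature; a bare "MZ" without it is still a DOS executable.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
                return "pe"
        return "mz"
    return "unknown"


def _extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def verdict(name: str, data: bytes) -> str:
    """Compare what the name claims with what the bytes actually are."""
    kind = sniff_type(data)
    ext = _extension(name)
    if kind in ("pe", "mz") and ext not in EXECUTABLE_EXTS:
        return f"executable disguised as {ext or 'a file with no extension'}"
    if kind == "jpeg" and ext not in IMAGE_EXTS:
        return f"jpeg data with unexpected extension {ext or '(none)'}"
    if kind == "unknown":
        return "unknown type, treat as untrusted"
    return "consistent"


def constructed_pe() -> bytes:
    """Constructed sample: a 64-byte DOS header with e_lfanew = 0x40, then the PE signature."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + PE_SIGNATURE + b"\x4c\x01"  # IMAGE_FILE_MACHINE_I386


# Constructed sample: a JFIF header only, not a real picture.
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"


if __name__ == "__main__":
    samples = (
        ("screenshot.jpg", constructed_pe()),   # what the PM link delivered
        ("photo.jpg", CONSTRUCTED_JPEG),        # what it claimed to be
        ("setup.exe", constructed_pe()),        # honest executable
    )
    for name, blob in samples:
        print(f"{name}: {sniff_type(blob)} -> {verdict(name, blob)}")
```

Run it as a script to see all three verdicts. The MZ, e_lfanew, PE\0\0 walk is the same one file(1) performs for Win32 binaries; a bare MZ without a PE header is still a DOS executable and is flagged as such. The check says nothing about what a genuine JPEG might do to a vulnerable viewer, so a picture from an unsolicited PM still belongs in a sandbox rather than on the desktop that holds wallet.dat.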
TheVirus (Member, Activity: 84)
June 15, 2011, 04:17:26 PM  #11

Quote from: gst on June 15, 2011, 04:08:43 PM
Quote from: TheVirus on June 15, 2011, 04:04:53 PM
This is a big flaw in the Bitcoin system and there's no easy way to fix it.

No - that's not a flaw in Bitcoin. Bitcoin works perfectly fine. If you execute untrusted code on a computer that you use for financial transactions it's your own fault.

Not every exploit requires user intervention. There are remote exploits that can be run from an open service or from browsing a website and not clicking anything. It's not hard to grab an IE 6/7/8 JS exploit and run a website with it embedded in there. The user wouldn't notice anything and wouldn't need to click anything. In fact, said exploit can be run from any website, even bitcoin.org if it were hacked. The fact that wallets can be read from without user intervention is an issue and the fact that you can send money from the command line is another issue.

Donations welcome: 1H8Pj3qYqfzxqgHzMLLsL6hWGEN88QLdkb
Nescio (Jr. Member, Activity: 56)
June 15, 2011, 04:25:14 PM  #12

Another one: do not click on any URL shortened link, that also goes for forum posts. It might almost immediately open a legit site, but go through an intermediate infectious redirect.
Amechan (Member, Activity: 104, "Spreading Bitcoin love")
June 15, 2011, 04:31:50 PM  #13

Sorry I posted about this as well before I saw this thread.

The information I gathered is here:

http://forum.bitcoin.org/index.php?topic=17373.0

Jimbo said that he caught a W32.Induc.A trojan.

But from what I can tell is that is a very specific delphi altering script.
Would that only be targeting bitcoin developers?

Selling goods from Japan for BTC. http://www.cheaplightning.com
TheVirus (Member, Activity: 84)
June 15, 2011, 04:33:22 PM  #14

Quote from: Amechan on June 15, 2011, 04:31:50 PM
Sorry I posted about this as well before I saw this thread.

The information I gathered is here:

http://forum.bitcoin.org/index.php?topic=17373.0

Jimbo said that he caught a W32.Induc.A trojan.

But from what I can tell is that is a very specific delphi altering script.
Would that only be targeting bitcoin developers?


Yes, a quick hex edit of the file shows it reads wallet.dat.

Donations welcome: 1H8Pj3qYqfzxqgHzMLLsL6hWGEN88QLdkb
Amechan (Member, Activity: 104, "Spreading Bitcoin love")
June 15, 2011, 04:38:19 PM  #15

Quote from: TheVirus on June 15, 2011, 04:33:22 PM
Quote from: Amechan on June 15, 2011, 04:31:50 PM
Sorry I posted about this as well before I saw this thread.

The information I gathered is here:

http://forum.bitcoin.org/index.php?topic=17373.0

Jimbo said that he caught a W32.Induc.A trojan.

But from what I can tell is that is a very specific delphi altering script.
Would that only be targeting bitcoin developers?

Yes, a quick hex edit of the file shows it reads wallet.dat.

Meaning that it would only be useful for stealing wallet.dat files from people who use the new software compiled in delphi or are more people at risk here?

Selling goods from Japan for BTC. http://www.cheaplightning.com
TheVirus (Member, Activity: 84)
June 15, 2011, 04:53:44 PM  #16

Quote from: Amechan on June 15, 2011, 04:38:19 PM
Quote from: TheVirus on June 15, 2011, 04:33:22 PM
Quote from: Amechan on June 15, 2011, 04:31:50 PM
Sorry I posted about this as well before I saw this thread.

The information I gathered is here:

http://forum.bitcoin.org/index.php?topic=17373.0

Jimbo said that he caught a W32.Induc.A trojan.

But from what I can tell is that is a very specific delphi altering script.
Would that only be targeting bitcoin developers?

Yes, a quick hex edit of the file shows it reads wallet.dat.

Meaning that it would only be useful for stealing wallet.dat files from people who use the new software compiled in delphi or are more people at risk here?


Right, it emails wallet.dat to:

gaehrthsrth@wp.pl
blundcoder@hotmail.com

Donations welcome: 1H8Pj3qYqfzxqgHzMLLsL6hWGEN88QLdkb
Amechan (Member, Activity: 104, "Spreading Bitcoin love")
June 15, 2011, 05:08:33 PM  #17

Thanks for the information.

Interesting approach. It's nice to know that the vast majority of users here who may have accidentally clicked on the link won't be affected. However it is disturbing to think that future miner GUIs or similar programs may be compromised.
How easily would anti-virus programs detect such a virus compiled accidentally into a new program?


Selling goods from Japan for BTC. http://www.cheaplightning.com
ius (Jr. Member, Activity: 56)
June 15, 2011, 05:16:16 PM  #18

Actually, the first (wp.pl) address is used to send the wallet (via their SMTP server) - you can send your fan mail to blundcoder@hotmail.com.

The good news is that the password for the SMTP server doesn't seem to work anymore, i.e. no one should be at risk anymore (unless you already opened it before).

This is at least the second time this guy has struck; earlier he promised a miner with increased efficiency. Please stay alert, I'm sure he'll be back (sadly).

PGP: 0xCC06E446 Bitcoin: 19kdfgW1KXQgV7SCLEPAojtHxN9xotGkGH
TheVirus (Member, Activity: 84)
June 15, 2011, 05:18:05 PM  #19

Quote from: Amechan on June 15, 2011, 05:08:33 PM
Thanks for the information.

Interesting approach. It's nice to know that the vast majority of users here who may have accidentally clicked on the link won't be affected. However it is disturbing to think that future miner GUIs or similar programs may be compromised.
How easily would anti-virus programs detect such a virus compiled accidentally into a new program?



Very easy.

Here's the report: http://www.virustotal.com/file-scan/report.html?id=fe4aab0c8e62e3a2a285f9a4a1c7cb8f10fa97fe655ea7aa0b2f71d3e6ff94ca-1308154827

Also, it seems it uses the @wp.pl account as an SMTP relay to send the email to blundcoder@hotmail.com. The @wp.pl account password has been changed (it was in plain text in the virus file) so this virus is now useless as it can no longer send email, it'd just fail to log in.

Donations welcome: 1H8Pj3qYqfzxqgHzMLLsL6hWGEN88QLdkb
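TheVirus's quick hex edit turned up the wallet.dat reference, the two e-mail addresses and, as ius and TheVirus describe, the relay login with its password stored in plain text. That first pass is a strings walk followed by pattern matching, and the following added example reproduces it in Python (it is not code from this thread or from any poster). The binary it scans is constructed inline from the indicators the thread reports; the relay host name smtp.wp.pl and the password string are placeholders, not values recovered from the real sample, and the neighbour-of-the-host rule for spotting the login is an assumption about how such samples lay out their string table.

```python
import re

# Printable-ASCII runs of 6+ bytes, which is what strings(1) prints by default.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAIL_HOST_RE = re.compile(
    r"\b(?:smtp|mail|pop3?|imap)\.[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b", re.IGNORECASE
)


def extract_strings(data: bytes) -> list:
    """Return the printable runs in file order."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]


def triage(data: bytes) -> dict:
    """Pull the indicators a wallet-stealer of this kind leaves as literals:
    wallet paths, recipient/login addresses, mail servers and the strings sitting
    next to a mail server that are probably the hard-coded credentials."""
    strings = extract_strings(data)
    report = {"wallet_refs": [], "emails": set(), "mail_hosts": [], "credential_candidates": []}
    for i, s in enumerate(strings):
        if "wallet.dat" in s.lower():
            report["wallet_refs"].append(s)
        report["emails"].update(EMAIL_RE.findall(s))
        hosts = MAIL_HOST_RE.findall(s)
        if hosts:
            report["mail_hosts"].extend(hosts)
            # Assumption: the login and password are emitted right after the
            # server name. Keep the next two strings that are neither an
            # address nor a host name.
            for neighbour in strings[i + 1:i + 3]:
                if not EMAIL_RE.search(neighbour) and not MAIL_HOST_RE.search(neighbour):
                    report["credential_candidates"].append(neighbour)
    report["emails"] = sorted(report["emails"])
    return report


# Non-printable filler so that the constructed strings do not run together.
JUNK = b"\x00\xff\x90\x7f\x01\x80" * 3


def constructed_sample() -> bytes:
    """Constructed stand-in for the stolen-wallet binary. The wallet.dat path and
    the two addresses come from the thread; the host name and password are
    placeholders and the layout is invented."""
    parts = [
        b"MZ\x90\x00",                        # too short a printable run to be reported
        b"%APPDATA%\\Bitcoin\\wallet.dat",
        b"smtp.wp.pl",                         # placeholder relay host
        b"gaehrthsrth@wp.pl",                  # relay login, per ius
        b"not-the-real-password",              # placeholder, not the recovered value
        b"blundcoder@hotmail.com",             # recipient, per TheVirus
        b"Short",                              # under the 6-byte threshold
    ]
    return JUNK.join(parts) + JUNK


if __name__ == "__main__":
    for key, value in triage(constructed_sample()).items():
        print(f"{key}: {value}")
```

Run it as a script to print the report. A strings-only pass finds exactly the sloppiness this sample had (recipients and a relay login stored as literals, which is also why changing the wp.pl password neutered it); a packed or string-obfuscated binary shows nothing here and needs the sandbox or VirusTotal step TheVirus took next.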
TheVirus (Member, Activity: 84)
June 15, 2011, 05:28:21 PM  #20

Here's some more info after a bit of digging:

blundcoder@hotmail.com uses a Polish phrase for his security question.
Searching 'blundcoder' returns results from various hacking forums.
One forum post by "BBOYMARIO" has blundcoder@wp.pl in his signature.
BBOYMARIO leads to a MySpace page by someone in Germany named Mario Basta. (Germany and Poland are neighboring countries)

That's all I got.

Donations welcome: 1H8Pj3qYqfzxqgHzMLLsL6hWGEN88QLdkb