jimbo77 (OP)
Member
Offline
Activity: 224
Merit: 10
June 15, 2011, 02:06:44 PM Last edit: June 15, 2011, 04:22:45 PM by jimbo77

Just got a warning that I somehow broke forum rules. Looks like a picture link or screenshot. Virus tries to get on computer!

slothbag
June 15, 2011, 02:17:47 PM

Yeah, I just got this message also.
I consider myself fairly tech savvy and usually detect these scams, but this looks legit and I clicked the link; luckily my email client opened the exe as a text file instead.
No doubt that sucker is going straight for your wallet.dat.
People will lose coins from this!

jimbo77 (OP)
Member
Offline
Activity: 224
Merit: 10
June 15, 2011, 02:19:38 PM

> Yeah, I just got this message also.
> I consider myself fairly tech savvy and usually detect these scams, but this looks legit and I clicked the link; luckily my email client opened the exe as a text file instead.
> No doubt that sucker is going straight for your wallet.dat.
> People will lose coins from this!

Anyone know the details about this particular one to make sure it's completely removed? My virus scanner found something but I want to make sure it got it all!!

slothbag
June 15, 2011, 02:24:41 PM

If you ran the program or suspect your PC has been compromised, I would recommend creating a new wallet on a different computer and transferring all your coins to the new address immediately.

ukbitco.in
Newbie
Offline
Activity: 30
Merit: 0
June 15, 2011, 03:57:21 PM

If you clicked this link and have bitcoin running, or a wallet.dat somewhere on your computer, be quick!
Disconnect the computer from the internet immediately!!!!!! (so the virus cannot communicate)
Take your wallet.dat with you, find another computer and create a new wallet.
Send coins to the new address.

caveden
Legendary
Offline
Activity: 1106
Merit: 1004
June 15, 2011, 04:00:13 PM

This is big. Shouldn't this topic be stickied for a while?

riX
June 15, 2011, 04:03:32 PM

Could someone post a copy of the .exe for investigation? Put it in an archive so no one accidentally runs it.

TheVirus
Member
Offline
Activity: 84
Merit: 10
June 15, 2011, 04:04:53 PM

> This is big. Shouldn't this topic be stickied for a while?

A fool and his money are soon parted. If people are silly enough to click on fake/malicious links then they should take that as a lesson and learn from their mistakes. This is a big flaw in the Bitcoin system and there's no easy way to fix it. Even an encrypted wallet would mean nothing if the wallet is open and the password is stored in memory.

gst
Newbie
Offline
Activity: 38
Merit: 0
June 15, 2011, 04:08:43 PM

> This is a big flaw in the Bitcoin system and there's no easy way to fix it.

No - that's not a flaw in Bitcoin. Bitcoin works perfectly fine. If you execute untrusted code on a computer that you use for financial transactions it's your own fault.

jimbo77 (OP)
Member
Offline
Activity: 224
Merit: 10
June 15, 2011, 04:11:35 PM

I'm not an idiot. I didn't click run or save. I thought it was a picture file so I clicked it. Without a warning others will click it!!!!

Text:
> Hello
> Statements which should not be generally offensive, be excessively repeated or have bad formatting (spam), contain forbidden advertising or political or religious views, not be non-English when English is required, disclose personal data of others, or support any other rule violation.
> Proof can be seen at: http://xxxxxxxxx(added)images4u.hostil.pl/DS***054.jpg
> One more warning and your account might be banned.
> From Moonshadow~

I saw Moonshadow but didn't really look at the post count.

TheVirus
Member
Offline
Activity: 84
Merit: 10
June 15, 2011, 04:17:26 PM

> > This is a big flaw in the Bitcoin system and there's no easy way to fix it.
>
> No - that's not a flaw in Bitcoin. Bitcoin works perfectly fine. If you execute untrusted code on a computer that you use for financial transactions it's your own fault.

Not every exploit requires user intervention. There are remote exploits that can be run from an open service or from browsing a website and not clicking anything. It's not hard to grab an IE 6/7/8 JS exploit and run a website with it embedded in there. The user wouldn't notice anything and wouldn't need to click anything. In fact, said exploit can be run from any website, even bitcoin.org if it were hacked. The fact that wallets can be read from without user intervention is an issue and the fact that you can send money from the command line is another issue.

Nescio
Jr. Member
Offline
Activity: 56
Merit: 1
June 15, 2011, 04:25:14 PM

Another one: do not click on any URL-shortened link; that also goes for forum posts. It might almost immediately open a legit site, but go through an intermediate infectious redirect.

Amechan
Member
Offline
Activity: 105
Merit: 10
Spreading Bitcoin love
June 15, 2011, 04:31:50 PM

Sorry I posted about this as well before I saw this thread. The information I gathered is here: http://forum.bitcoin.org/index.php?topic=17373.0
Jimbo said that he caught a W32.Induc.A trojan. But from what I can tell that is a very specific Delphi-altering script. Would that only be targeting bitcoin developers?

TheVirus
Member
Offline
Activity: 84
Merit: 10
June 15, 2011, 04:33:22 PM

> Sorry I posted about this as well before I saw this thread. The information I gathered is here: http://forum.bitcoin.org/index.php?topic=17373.0
> Jimbo said that he caught a W32.Induc.A trojan. But from what I can tell that is a very specific Delphi-altering script. Would that only be targeting bitcoin developers?

Yes, a quick hex edit of the file shows it reads wallet.dat.

Amechan
Member
Offline
Activity: 105
Merit: 10
Spreading Bitcoin love
June 15, 2011, 04:38:19 PM

> > Sorry I posted about this as well before I saw this thread. The information I gathered is here: http://forum.bitcoin.org/index.php?topic=17373.0
> > Jimbo said that he caught a W32.Induc.A trojan. But from what I can tell that is a very specific Delphi-altering script. Would that only be targeting bitcoin developers?
>
> Yes, a quick hex edit of the file shows it reads wallet.dat.

Meaning that it would only be useful for stealing wallet.dat files from people who use the new software compiled in Delphi, or are more people at risk here?

TheVirus
Member
Offline
Activity: 84
Merit: 10
June 15, 2011, 04:53:44 PM

> > > Sorry I posted about this as well before I saw this thread. The information I gathered is here: http://forum.bitcoin.org/index.php?topic=17373.0
> > > Jimbo said that he caught a W32.Induc.A trojan. But from what I can tell that is a very specific Delphi-altering script. Would that only be targeting bitcoin developers?
> >
> > Yes, a quick hex edit of the file shows it reads wallet.dat.
>
> Meaning that it would only be useful for stealing wallet.dat files from people who use the new software compiled in Delphi, or are more people at risk here?

Right, it emails wallet.dat to:
gaehrthsrth@wp.pl
blundcoder@hotmail.com

Amechan
Member
Offline
Activity: 105
Merit: 10
Spreading Bitcoin love
June 15, 2011, 05:08:33 PM

Thanks for the information.
Interesting approach. It's nice to know that the vast majority of users here who may have accidentally clicked on the link won't be affected. However, it is disturbing to think that future miner GUIs or similar programs may be compromised. How easily would anti-virus programs detect such a virus compiled accidentally into a new program?

ius
Newbie
Offline
Activity: 56
Merit: 0
June 15, 2011, 05:16:16 PM

Actually, the first (wp.pl) address is used to send the wallet (via their SMTP server); you can send your fan mail to blundcoder@hotmail.com. The good news is that the password for the SMTP server doesn't seem to work anymore, i.e. no one should be at risk anymore (unless you already opened it before). This is at least the second time this guy strikes; earlier he promised a miner with increased efficiency. Please stay alert, I'm sure he'll be back (sadly).

TheVirus
Member
Offline
Activity: 84
Merit: 10
June 15, 2011, 05:18:05 PM

> Thanks for the information.
> Interesting approach. It's nice to know that the vast majority of users here who may have accidentally clicked on the link won't be affected. However, it is disturbing to think that future miner GUIs or similar programs may be compromised. How easily would anti-virus programs detect such a virus compiled accidentally into a new program?

Very easy. Here's the report: http://www.virustotal.com/file-scan/report.html?id=fe4aab0c8e62e3a2a285f9a4a1c7cb8f10fa97fe655ea7aa0b2f71d3e6ff94ca-1308154827
Also, it seems it uses the @wp.pl account as an SMTP relay to send the email to blundcoder@hotmail.com. The @wp.pl account password has been changed (it was in plain text in the virus file), so this virus is now useless as it can no longer send email; it'd just fail to log in.

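The kind of string-level triage TheVirus describes in this thread (the "quick hex edit" that showed a wallet.dat read, and the plaintext SMTP account found in the file) can be scripted as a defender's first look at a suspect binary. This is an added example and not code from the thread or the sample it discusses; SAMPLE, the hostnames and the addresses in it are constructed stand-ins, not real indicators.

```python
import re

# Constructed stand-in for a suspect executable: junk bytes around a few
# plaintext strings, some ASCII and some UTF-16LE (common in Windows/Delphi
# binaries). Double NULs separate the strings. Not the real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 12
    + b"%APPDATA%\\Bitcoin\\wallet.dat\x00\x00"
    + "smtp.example.invalid".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x13\xde\xad"
    + b"AUTH LOGIN\x00\x00MAIL FROM:<relay.account@example.invalid>\x00\x00"
    + "RCPT TO:<dropbox.owner@example.invalid>".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x01\x02pass=hunter2\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
# UTF-16LE text: a printable ASCII byte followed by a NUL, six or more times
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Indicator classes a defender looks for in a suspected wallet stealer
INDICATORS = {
    "wallet_file": re.compile(r"wallet\.dat", re.I),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "smtp_command": re.compile(r"\b(EHLO|HELO|AUTH LOGIN|MAIL FROM|RCPT TO)\b"),
    "smtp_host": re.compile(r"\bsmtp\.[\w.-]+", re.I),
    "credential": re.compile(r"\b(pass(word)?|pwd)\s*=", re.I),
}

def extract_strings(data: bytes) -> list[str]:
    """Return printable ASCII and UTF-16LE strings (length >= 6) found in data."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found

def triage(data: bytes) -> dict[str, list[str]]:
    """Map each indicator class to the distinct extracted strings matching it."""
    hits: dict[str, list[str]] = {name: [] for name in INDICATORS}
    for s in extract_strings(data):
        for name, pat in INDICATORS.items():
            if pat.search(s) and s not in hits[name]:
                hits[name].append(s)
    return {name: vals for name, vals in hits.items() if vals}

def is_suspect(report: dict[str, list[str]]) -> bool:
    """Wallet access combined with any mail/SMTP exfil channel is worth escalating."""
    exfil = {"email_address", "smtp_command", "smtp_host"}
    return "wallet_file" in report and bool(exfil & report.keys())

if __name__ == "__main__":
    for category, strings in triage(SAMPLE).items():
        print(f"{category:14s} {strings}")
    print("suspect:", is_suspect(triage(SAMPLE)))
```

Run it against a real file with `triage(open(path, "rb").read())` on an isolated analysis box; a hit here only says the file deserves a proper sandbox or AV look, not that it is clean when nothing matches (packed or encrypted strings produce no hits).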
TheVirus
Member
Offline
Activity: 84
Merit: 10
June 15, 2011, 05:28:21 PM

Here's some more info after a bit of digging: blundcoder@hotmail.com uses a Polish phrase for his security question. Searching 'blundcoder' returns results from various hacking forums. One forum post by "BBOYMARIO" has blundcoder@wp.pl in his signature. BBOYMARIO leads to a MySpace page by someone in Germany named Mario Basta. (Germany and Poland are neighboring countries.) That's all I got.