kira4light (OP)
Newbie
Activity: 37
Merit: 0
July 04, 2013, 02:11:22 PM
I believe a lot of guys posted on the "5 Bitcoin Independence Day Raffle !" https://bitcointalk.org/index.php?topic=246400.msg2612378
I just received a PM this morning saying I won it. It says it's a private key. But I found out it is some MS-DOS program, which makes me cautious. So did everyone receive a PM like this? If you did, please let me know. I think the guy named 'legitnick' is a complete scam, so everybody let's put a negative comment on his trust! https://bitcointalk.org/index.php?action=profile;u=35697
Can anyone tell me what this little MS-DOS program (".5 btc bode rdeem@mtgox.com") is? Is it a Trojan, a virus or something? Does it put my wallet or private key in danger?

naphto
July 04, 2013, 02:25:23 PM
Proof? Screenshot?
Seems a scam.

xeroc
July 04, 2013, 02:29:51 PM
positive .. it's a scam .. received PM too

pedrog
Legendary
Activity: 2772
Merit: 1031
July 04, 2013, 02:30:17 PM
Haha, I'm also a winner, well I guess everybody won! Phishing attempt: Redeem code at mtqox .net

cp1
July 04, 2013, 02:31:43 PM
this is the list of winners i got pmed:
riazg princesshannah Transisto cp1 felix123 Obama juronimo albert speer hurro bachelor
Did everyone win a .com virus?

BitcoinBarrel
Legendary
Activity: 1961
Merit: 1020
Fill Your Barrel with Bitcoins!
July 04, 2013, 02:33:10 PM

IIOII
Legendary
Activity: 1153
Merit: 1012
July 04, 2013, 03:32:19 PM
If I remember correctly there was a very similar scam/phishing ongoing with alleged btc-e codes not long ago.
I would not be surprised if the same scamming entity is behind this "giveaway".

firstlast
July 04, 2013, 04:00:03 PM
After explaining my problem I was pleasantly surprised by the outpouring of ridicule I received from members in the chat room. One guy who went by the name of "kjwallet" took his time and worked me through my problem, then was kind enough to scam me out of 30 bitcoins. After that event, I made a promise to myself that one day I would take back from the community in full.

P239
Newbie
Activity: 14
Merit: 0
July 04, 2013, 04:59:04 PM
I hate to be a wet blanket, but ".5 btc bode rdeem@mtgox.com" looks like a description (of the key file?) ending in an email address, which, obviously, will end in .com ... many Windows computers may confuse this to be an old "MS DOS" COM executable file.. if you forward the message/file to me I will take a look.. I'm on a Mac so I'm not worried about your silly virii & trojans.. (although I will still be careful)

jag2k2
Member
Activity: 62
Merit: 10
July 04, 2013, 05:52:56 PM
reminds me of that 10btc giveaway we had a few months ago.
I believe that banking institutions are more dangerous to our liberties than standing armies... The issuing power should be taken from the banks and restored to the people, to whom it properly belongs. - Thomas Jefferson

colinistheman
July 04, 2013, 06:17:33 PM
I got scammed by him with this too. Good thing I didn't run any program.

bitcoinstarter
July 04, 2013, 06:20:26 PM
> reminds me of that 10btc giveaway we had a few months ago.
This ^^ . These guys are back with a scam!

tarrant_01
July 04, 2013, 06:28:24 PM
We'll see if robert5's 1 BTC give-away is a scam also.
1P95gCUCw3Tjb7yyoYtW3ARZZQyTpFgk6H

elebit
July 04, 2013, 06:36:03 PM
Cool, can I get a copy of the alleged trojan? It would be interesting to look inside.

cp1
July 04, 2013, 06:40:13 PM
> Cool, can I get a copy of the alleged trojan? It would be interesting to look inside.
It looks like the moderators deleted the PM he sent me, so I can't forward it to you.

kira4light (OP)
Newbie
Activity: 37
Merit: 0
July 04, 2013, 07:23:14 PM
> Cool, can I get a copy of the alleged trojan? It would be interesting to look inside.
http://rghost.net/47200539?r=1096
Please tell me what is inside. I actually clicked on the program... really anxious right now...

kira4light (OP)
Newbie
Activity: 37
Merit: 0
July 04, 2013, 07:23:40 PM
> I hate to be a wet blanket, but ".5 btc bode rdeem@mtgox.com" looks like a description (of the key file?) ending in an email address, which, obviously, will end in .com ... many Windows computers may confuse this to be an old "MS DOS" COM executable file.. if you forward the message/file to me I will take a look.. I'm on a Mac so I'm not worried about your silly virii & trojans.. (although I will still be careful)
http://rghost.net/47200539?r=1096
Please tell me what is inside. I actually clicked on the program... really anxious right now...

Welsh
Staff
Legendary
Activity: 3248
Merit: 4110
July 04, 2013, 07:28:48 PM
It's a scam. It's very obvious. That's why I don't allow any java script or anything to run until I know I can trust the site. Legitnick isn't so legit.

elebit
July 04, 2013, 07:40:31 PM
> Please tell me what is inside. I actually clicked on the program... really anxious right now...
It's a .net program. I don't have the proper tools to disassemble that, at least not for now. But if it is similar to what the other people got it's probably a dropper that downloads another program from somewhere and executes it. So it's impossible to know what that program does unless you actually get hold of it and look at it, but most probably it would be some sniffer and/or rootkit of some kind.

If you want my professional advice it would be: Don't take any chances with this. The attacker could be a script kiddie and the malware possible to remove, but why risk it?

Boot from a CD and back up any data you do not have previously backed up. Take special care to back up your bitcoin wallet and any password files you use.
Wipe your system completely and reinstall your operating system.
Take care not to reinstall anything executable from whatever backups you took after you got infected.
Never run software from strangers on the Internet ever again.

Unless you opened your wallet and entered your password after you ran this malware, the attacker can not get hold of your coins. Consider this a lesson and yourself lucky under the circumstances. Never run software from strangers on the Internet ever again. And back up your data.

Welsh
Staff
Legendary
Activity: 3248
Merit: 4110
July 04, 2013, 07:44:41 PM
Something like this happened before. But, a lot more people fell for it. I think the attacker got away with around 30 Bitcoins maybe more. It was valued at around $110-140 at the time, so it was a big blow.
After doing some research on legitnick, I realised that he has been pretty shady the last few posts he had made. To be honest I didn't really care about it; I knew it was a scam but couldn't call him out because it may not have been.

chadtn
July 04, 2013, 08:26:19 PM
I'm ashamed to say I fell for it. I thought it was a wallet file and accidentally clicked on it while I was trying to import the keys. I deleted the file and scanned my computer for problems. I thought I removed the problem and went to bed. I woke up about twenty minutes ago and saw my mouse moving by itself. Someone had messed with my firewall settings, opened up bitcoin-qt, and had just downloaded a file called _DVSoy.exe from plasmon.ghost.ru.
Chad

BitTrade
July 04, 2013, 08:53:09 PM
Last edit: July 04, 2013, 09:04:39 PM by BitTrade
Legitnick was 100% NOT hacked. Proof: the username "Obama" is one that he lists in every one of his phishing award PMs. Interestingly, in this thread, the username "obama" (likely operated by legitnick) made a post asking to buy other user names. legitnick "responded" to obama to offer his username for $3.50 - likely to try to get others to do the same: https://bitcointalk.org/index.php?topic=238432.msg2525299#msg2525299
This was long premeditated, folks. He also had hundreds of posts in only a few weeks, to raise his "activity" rating.

Welsh
Staff
Legendary
Activity: 3248
Merit: 4110
July 04, 2013, 08:55:09 PM
Yes the account Obama I believe was up for sale a few weeks back. A perfect chance for someone to pick up a ready made account. However, Obama claimed to have won and received the Bitcoin in the games & rounds thread. Obviously a sock puppet.

elebit
July 04, 2013, 09:55:00 PM
> I thought I removed the problem and went to bed.
You "thought" you removed the problem. That's a guess. Please ask yourself if it's worth losing your bitcoins over? Do not _ever_ unlock your bitcoin wallet on a computer that has been under the control of someone else unless it has been thoroughly wiped since then.

David M
July 05, 2013, 12:15:02 AM
> Please tell me what is inside. I actually clicked on the program... really anxious right now...
It's a .NET 4 Windows Forms program that appears to be written in VB.NET. It has been obfuscated but the decompiler picked up its GUID of 523e2cdb-4a0a-46e7-8ba1-e2037bb534de. It appears to have a Soap call, which is never a good sign.
Matched as malware: https://malwr.com/analysis/MWZiNGFlZDNhNzZjNGNjMmE4NTc3NTQwYzJhYTQwM2M/
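
The two observations made in this thread (a file name that reads like an e-mail address but ends in ".com", and a file body that is really a .NET program) can be checked before anything is opened. The following is an added example, not code from any poster in the thread; the file name is the one quoted in the opening post, while the flag names, helper functions and sample header bytes are constructed for illustration.

```python
import re
import struct

# Extensions Windows treats as directly runnable programs.
EXEC_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# A name ending in user@host.tld reads as an e-mail address, not as a program.
EMAIL_TAIL = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+$")

def name_flags(filename):
    """Findings from the file name alone (hypothetical flag names)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    flags = []
    if ext in EXEC_EXTS:
        flags.append("executable-extension:" + ext)
        if EMAIL_TAIL.search(filename):
            flags.append("name-poses-as-email-address")
    return flags

def header_flags(data):
    """Findings from the file's leading bytes; nothing is executed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    flags = ["mz-header"]
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    opt = pe_off + 24  # optional header follows the signature and 20-byte COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt + 2:
        return flags
    flags.append("pe-image")
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ layout
    # Data directory 14 is the CLR header; a non-zero entry means a .NET assembly.
    if len(data) >= dirs + 15 * 8:
        rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)
        if rva and size:
            flags.append("dotnet-assembly")
    return flags

def build_sample():
    """Constructed header bytes shaped like a PE32 .NET image (not a real program)."""
    pe_off = 0x80
    buf = bytearray(pe_off + 24 + 96 + 16 * 8)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, pe_off + 24, 0x10B)
    struct.pack_into("<II", buf, pe_off + 24 + 96 + 14 * 8, 0x2008, 0x48)
    return bytes(buf)

def triage(filename, data):
    return name_flags(filename) + header_flags(data)
```

A genuine MS-DOS COM file has no header at all, so an MZ/PE header under a ".com" name means Windows will load it as an ordinary executable.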

chadtn
July 05, 2013, 12:33:32 AM
On my system the downloaded file opened up access to DarkComet RAT. They used that to remote onto my system to try installing other software. In the details of the file it downloaded Dell Datasafe was mentioned. It looks like a service similar to Dropbox.
Chad

Elwar
Legendary
Activity: 3598
Merit: 2384
Viva Ut Vivas
July 05, 2013, 01:00:24 AM
Winners are as follows:
Evolyn claycoins Elwar A Meteorite Jgguy Obama juronimo albert speer hurro bachelor
My e-mail copy of it does not include the phishing link, the one on bitcointalk does.
First seastead company actually selling sea homes: Ocean Builders https://ocean.builders Of course we accept bitcoin.

Obama
Newbie
Activity: 28
Merit: 0
July 05, 2013, 02:50:46 AM
lol wow what a dick

Cranky4u
July 05, 2013, 04:59:12 AM
poon tang sha banga bang

chadtn
July 05, 2013, 06:03:06 AM
Looks like the Obama alias is even in this thread to mock us.
Here is a link to the file they downloaded on my system if anyone cares to take a look. I'd like to know what they were up to.
plasmon.rghost.ru/download/47215324/d771af3e4e0d31b748a1fe6f1c9a48fe2a6458c1/__DVSoY.exe
Just add http:// to it.
Chad