Is it a total scam? The "5 Bitcoin Independence Day Raffle !"

[kira4light]

I believed a lot of guys posted on the "5 Bitcoin Independence Day Raffle !"
https://bitcointalk.org/index.php?topic=246400.msg2612378

I just received a PM this morning saying I win it. It says it's a private key. But I found out it is some MS-DOS program, which makes me cautious.

So does everyone received a PM like this? If you do please let me know.

I think the guy named 'legitnick' is a completely scam, so everyboy let's put a negative comment on his trust!
https://bitcointalk.org/index.php?action=profile;u=35697


Can anyone tell me what this little MS-DOS program (".5 btc bode rdeem@mtgox.com") is? Is a Trojans, virus or something? Does it put my wallet or private key in danger?

[1713424238]

1713424238

[naphto]

Proof? Screenshot?


Seems a scam.

[xeroc]

positive .. it's a scam .. received PM too

[pedrog]

Haha, I'm also a winner, well I guess everybody won!

Phishing attempt:

Redeem code at mtqox .net   

[cp1]

this is the list of winners i got pmed:

riazg
princesshannah
Transisto
cp1
felix123
Obama
juronimo
albert speer
hurro
bachelor


Did everyone win a .com virus?

[BitcoinBarrel]

It's a scam:

https://bitcointalk.org/index.php?topic=249625.0

[IIOII]

If I remember correctly there was a very similar scam/phishing ongoing with alleged btc-e codes not long ago.

I would not be surprised if the same scamming entity is behind this "giveaway".

[firstlast]

After explaining my problem I was pleasantly surprised by the outpouring of ridicule I received from members in the chat room.
One guy who went by the name of "kjwallet" took his time and worked me through my problem, then was kind enough to scam me out of 30 bitcoins. After that event, I made a promise to myself that one day I would take back from the community in full.

[P239]

I hate to be a wet blanket, but ".5 btc bode rdeem@mtgox.com" looks like a description (of the key file?) ending in an email address, which, obviously will end in .com ... many Windows computers may confuse this to be an old "MS DOS" COM executable file..
if you forward the message/file to me I will take a look.. I'm on a Mac so I'm not worried about your silly virii & trojans.. (although i will still be careful    )

[jag2k2]

reminds me of that 10btc giveaway we had a few months ago.

[colinistheman]

I got scammed by him with this too. Good thing i didn't run any program

[bitcoinstarter]

reminds me of that 10btc giveaway we had a few months ago.

This ^^ . These guys are back with a scam!

[tarrant_01]

We'll see if robert5's 1 BTC give-away is a scam also.

[elebit]

Cool, can I get a copy of the alleged trojan? It would be interesting to look inside.

[cp1]

Cool, can I get a copy of the alleged trojan? It would be interesting to look inside.

It looks like the moderators deleted the PM he sent me, so I can't forward it to you.

[kira4light]

Cool, can I get a copy of the alleged trojan? It would be interesting to look inside.

http://rghost.net/47200539?r=1096

Please tell me what is inside. I actually clicked on the program... really anxious right now...

[kira4light]

I hate to be a wet blanket, but ".5 btc bode rdeem@mtgox.com" looks like a description (of the key file?) ending in an email address, which, obviously will end in .com ... many Windows computers may confuse this to be an old "MS DOS" COM executable file..
if you forward the message/file to me I will take a look.. I'm on a Mac so I'm not worried about your silly virii & trojans.. (although i will still be careful    )

http://rghost.net/47200539?r=1096

Please tell me what is inside. I actually clicked on the program... really anxious right now...

[Welsh]

It's a scam. It's very obvious. That's why I don't allow any java script or anything to run until I know I can trust the site. Legitnick isn't so legit.

[elebit]

Please tell me what is inside. I actually clicked on the program... really anxious right now...

It's a .net program. I don't have the proper tools to disassemble that, at least not for now. But if it is similar to what the other people got it's probably a dropper that downloads another program from somewhere and executes it. So it's impossible to know what that program does unless you actually get hold of it and look at it, but most probably it would be some sniffer and/or rootkit of some kind.

If you want my professional advice it would be: Don't take any chances with this. The attacker could be a script kiddie and the malware possible to remove, but why risk it? Boot from a CD and back up any data you do not have previously backed up. Take special care to backup your bitcoin wallet and any password files you use. Wipe your system completely and reinstall your operating system. Take care not to reinstall anything executable from whatever backups to took after you got infected.

Never run software from strangers on the Internet ever again.

Unless you opened your wallet and entered your password after you run this malware, the attacker can not get hold of your coins. Consider this a lesson and yourself lucky under the circumstances.

Never run software from strangers on the Internet ever again.

And back up your data.

[Welsh]

Something like this happened before. But, a lot more people fell for it. I think the attacker got away with around 30 Bitcoins maybe more. It was valued at around $110-140 at the time, so it was a big blow.

After doing some research on legitnick, I realised that he has been pretty shady the last few posts he had made, to be honest I didn't really care about it, I knew it was a scam but couldn't call him out because it may of not of been.

[chadtn]

I'm ashamed to say I fell for it.  I thought it was a wallet file and accidentally clicked on it while I was trying to import the keys.  I deleted the file and scanned my computer for problems.  I thought I removed the problem and went to bed.  I woke up about twenty minutes ago and saw my mouse moving by itself.  Someone had messed with my firewall settings, opened up bitcoin-qt, and had just downloaded a file called _DVSoy.exe from plasmon.ghost.ru.

Chad

[BitTrade]

Legitnick was 100% NOT hacked.  Proof:

the username "Obama" is one that he lists in every one of his phishing award PM's.  

Interestingly, in this thread, the username "obama" (likely operated by legitnick) made a post asking to buy other user names.  legitnick "responded" to obama to offer his usernsme for $3.50 - likely to try to get others to do the same:  

https://bitcointalk.org/index.php?topic=238432.msg2525299#msg2525299

This was long premeditated, folks.

He also had hundreds of posts in only a few weeks, to raise his "activity" rating.

[Welsh]

Yes the account Obama I believe was up for sale a few weeks back. A perfect chance for someone to pick up a ready made account. However, Obama claimed to have won and received the Bitcoin in the games & rounds thread. Obviously a sock puppet.

[elebit]

I thought I removed the problem and went to bed.

You "thought" you removed the problem. That's a guess. Please ask yourself if it's worth losing your bitcoins over?

Do not _ever_ unlock your bitcoin wallet on a computer that has been under the control of someone else unless it has been thoroughly wiped since then.

[David M]

Please tell me what is inside. I actually clicked on the program... really anxious right now...

It's a .NET 4 Windows Forms program that appears to be written in VB.NET

It has been obfuscated but the decompiler picked up its GUID of 523e2cdb-4a0a-46e7-8ba1-e2037bb534de

It appears to have a Soap call which is never a good sign.

Matched as malware:

https://malwr.com/analysis/MWZiNGFlZDNhNzZjNGNjMmE4NTc3NTQwYzJhYTQwM2M/

[chadtn]

On my system the downloaded file opened up access to DarkComet RAT.  They used that to remote onto my system to try installing other software.  In the details of the file it downloaded Dell Datasafe was mentioned.  It looks like a service similar to Dropbox.

Chad

[Elwar]

Winners are as follows:
 Evolyn
 claycoins
 Elwar
 A Meteorite
 Jgguy
 Obama
 juronimo
 albert speer
 hurro
 bachelor
 

My e-mail copy of it does not include the phishing link, the one on bitcointalk does.

[Obama]

lol wow what a dick

[Cranky4u]

poon tang sha banga bang

[chadtn]

Looks like the Obama alias is even in this thread to mock us.

Here is a link to the file they downloaded on my system if anyone cares to take a look.  I'd like to know what they were up to.

plasmon.rghost.ru/download/47215324/d771af3e4e0d31b748a1fe6f1c9a48fe2a6458c1/__DVSoY.exe

Just add http:// to it.

Chad