Is it a total scam? The "5 Bitcoin Independence Day Raffle !"

[chadtn]

I'm ashamed to say I fell for it.  I thought it was a wallet file and accidentally clicked on it while I was trying to import the keys.  I deleted the file and scanned my computer for problems.  I thought I removed the problem and went to bed.  I woke up about twenty minutes ago and saw my mouse moving by itself.  Someone had messed with my firewall settings, opened up bitcoin-qt, and had just downloaded a file called _DVSoy.exe from plasmon.ghost.ru.

Chad

[BitTrade]

Legitnick was 100% NOT hacked.  Proof:

the username "Obama" is one that he lists in every one of his phishing award PM's.  

Interestingly, in this thread, the username "obama" (likely operated by legitnick) made a post asking to buy other user names.  legitnick "responded" to obama to offer his usernsme for $3.50 - likely to try to get others to do the same:  

https://bitcointalk.org/index.php?topic=238432.msg2525299#msg2525299

This was long premeditated, folks.

He also had hundreds of posts in only a few weeks, to raise his "activity" rating.

[Welsh]

Yes the account Obama I believe was up for sale a few weeks back. A perfect chance for someone to pick up a ready made account. However, Obama claimed to have won and received the Bitcoin in the games & rounds thread. Obviously a sock puppet.

[elebit]

I thought I removed the problem and went to bed.

You "thought" you removed the problem. That's a guess. Please ask yourself if it's worth losing your bitcoins over?

Do not _ever_ unlock your bitcoin wallet on a computer that has been under the control of someone else unless it has been thoroughly wiped since then.

[David M]

Please tell me what is inside. I actually clicked on the program... really anxious right now...

It's a .NET 4 Windows Forms program that appears to be written in VB.NET

It has been obfuscated but the decompiler picked up its GUID of 523e2cdb-4a0a-46e7-8ba1-e2037bb534de

It appears to have a Soap call which is never a good sign.

Matched as malware:

https://malwr.com/analysis/MWZiNGFlZDNhNzZjNGNjMmE4NTc3NTQwYzJhYTQwM2M/

[chadtn]

On my system the downloaded file opened up access to DarkComet RAT.  They used that to remote onto my system to try installing other software.  In the details of the file it downloaded Dell Datasafe was mentioned.  It looks like a service similar to Dropbox.

Chad

[Elwar]

Winners are as follows:
 Evolyn
 claycoins
 Elwar
 A Meteorite
 Jgguy
 Obama
 juronimo
 albert speer
 hurro
 bachelor
 

My e-mail copy of it does not include the phishing link, the one on bitcointalk does.

[Obama]

lol wow what a dick

[Cranky4u]

poon tang sha banga bang

[chadtn]

Looks like the Obama alias is even in this thread to mock us.

Here is a link to the file they downloaded on my system if anyone cares to take a look.  I'd like to know what they were up to.

plasmon.rghost.ru/download/47215324/d771af3e4e0d31b748a1fe6f1c9a48fe2a6458c1/__DVSoY.exe

Just add http:// to it.

Chad