theDF (OP)
Newbie
Offline
Activity: 56
Merit: 0
|
|
August 29, 2013, 11:28:25 PM Last edit: August 30, 2013, 09:43:12 AM by theDF |
|
I just got this PM:
> Hi, My Novacoin giveaway has begun! I am a large holder in NVC and want to boost its popularity. To do this I am offering the equivalent of 15$ in NVC for every person that gets the NovacoinQT wallet and sends me the newly made address.
> I will be doing this up to the one hundredth address I receive and depending on the results I get on the NVC market I will either continue or discontinue these giveaways. Please do not attempt to send me multiple addresses, I have my ways of finding out. After downloading the wallet send me a pm on here with your NVC address. Hope you realise the investment opportunity that is Novacoin!
> You can get the wallet from Novacoin.org
> Thanks
Be careful with the link, it goes to novascoin.org instead of the real novacoin.org *link removed for safety
|
|
|
|
frankenmint
Legendary
Offline
Activity: 1456
Merit: 1018
HoneybadgerOfMoney.com Weed4bitcoin.com
|
|
August 29, 2013, 11:30:54 PM |
|
Same guys, I did too. Don't fall for the greed on this one here. Whois lookup is pasted... clearly shows the site was registered yesterday.

Access to .ORG WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.

Domain ID:D169540408-LROR
Domain Name:NOVASCOIN.ORG
Created On:28-Aug-2013 23:38:45 UTC
Last Updated On:29-Aug-2013 17:55:53 UTC
Expiration Date:28-Aug-2014 23:38:45 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
|
|
|
|
|
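The two signals pointed out in the post above (a name one letter away from novacoin.org and a registration date one day before the PM) can be checked mechanically. The following is an added example, not part of any post in this thread; the function names, the thresholds and reading the PM timestamp as UTC are assumptions.

```python
from datetime import datetime, timezone

# Constructed input: the record fields quoted in the post above, one per line.
WHOIS_TEXT = """\
Domain Name:NOVASCOIN.ORG
Created On:28-Aug-2013 23:38:45 UTC
Last Updated On:29-Aug-2013 17:55:53 UTC
Expiration Date:28-Aug-2014 23:38:45 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
"""

def parse_whois(text):
    """Split 'Key:Value' lines at the first colon only (timestamps contain colons)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(whois_text, trusted_domain, seen_at, max_age_days=30, max_distance=2):
    """Flag a domain that is both close to a trusted name and recently registered."""
    fields = parse_whois(whois_text)
    domain = fields["Domain Name"].lower()
    created = datetime.strptime(fields["Created On"], "%d-%b-%Y %H:%M:%S UTC")
    created = created.replace(tzinfo=timezone.utc)
    age_days = (seen_at - created).days
    distance = edit_distance(domain, trusted_domain.lower())
    return {
        "domain": domain,
        "age_days": age_days,
        "distance": distance,
        "lookalike": 0 < distance <= max_distance,
        "newly_registered": age_days <= max_age_days,
    }

# Time of the first post in the thread; its timezone is not on the page, UTC is assumed.
PM_SEEN = datetime(2013, 8, 29, 23, 28, 25, tzinfo=timezone.utc)
RESULT = assess(WHOIS_TEXT, "novacoin.org", PM_SEEN)
```

Either signal alone is weak; a one-character lookalike that is also less than a day old is the combination worth blocking or reporting.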
cryptograd
Member
Offline
Activity: 112
Merit: 10
|
|
August 30, 2013, 05:18:24 AM |
|
Just downloaded this and installed .exe
should I reinstall Windows?
luckily this isn't my main machine
any idea what this .exe is?
a key logger? a virus? spyware?
|
|
|
|
JoeMattie
|
|
August 30, 2013, 05:28:17 AM |
|
Ran this on a fresh laptop under ap-isolation.
The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)
Then it sits listening to port 1640
I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched
|
Bitrated user: AKQuaternion.
|
|
|
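The behaviour reported in the post above gives two network indicators a defender can look for on a Windows host: a listener on TCP port 1640 and traffic to 99.61.161.210. The following is an added example, not part of any post in this thread; the `netstat -ano` sample, its PIDs, local addresses and the remote port are constructed, and the function names are assumptions.

```python
# Indicators taken from the post above; everything else is constructed.
LISTEN_PORT = 1640
REMOTE_IP = "99.61.161.210"

# Constructed `netstat -ano` sample (PIDs, local addresses and the remote port are made up).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:1640           0.0.0.0:0              LISTENING       4312
  TCP    192.168.1.23:49211     99.61.161.210:8080     SYN_SENT        4312
  TCP    192.168.1.23:49230     203.0.113.7:443        ESTABLISHED     2040
  TCP    [::]:1640              [::]:0                 LISTENING       4312
  UDP    0.0.0.0:5353           *:*                                    1500
"""

def split_endpoint(endpoint):
    """Return (host, port) for 'a.b.c.d:p', '[v6]:p' or '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None

def triage(netstat_text):
    """Map PID -> sorted list of reasons that PID matches the thread's indicators."""
    hits = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) != 5 or cols[0] != "TCP":
            continue  # header, blank and UDP rows (UDP has no State column)
        _, local, remote, state, pid = cols
        _, local_port = split_endpoint(local)
        remote_host, _ = split_endpoint(remote)
        if state == "LISTENING" and local_port == LISTEN_PORT:
            hits.setdefault(int(pid), set()).add(f"listening on TCP {LISTEN_PORT}")
        if remote_host == REMOTE_IP:
            hits.setdefault(int(pid), set()).add(f"connection to {REMOTE_IP} ({state})")
    return {pid: sorted(reasons) for pid, reasons in hits.items()}
```

The address behind a dynamic-DNS name can change, so the listener match is the more durable of the two. A flagged PID should then be mapped to its image path to see whether it runs from under %appdata%, as the post describes.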
cryptograd
Member
Offline
Activity: 112
Merit: 10
|
|
August 30, 2013, 05:31:47 AM |
|
Quote from: JoeMattie on August 30, 2013, 05:28:17 AM
> Ran this on a fresh laptop under ap-isolation.
> The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)
> Then it sits listening to port 1640
> I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched
so this would only affect individuals who have localized bitcoin wallets running on their machines? would it intercept the coin between nodes? are cloud based wallets affected at all?
|
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
August 30, 2013, 05:32:44 AM |
|
If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.
Without disassembling the software, we don't know what it does.
There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.
Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).
|
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
|
|
|
theDF (OP)
Newbie
Offline
Activity: 56
Merit: 0
|
|
August 30, 2013, 05:37:49 AM |
|
Quote from: phillipsjk on August 30, 2013, 05:32:44 AM
> If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.
> Without disassembling the software, we don't know what it does.
> There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.
> Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).
So it's waiting for the creator's command to do what the command is? Could it be a multipurpose malware?
|
|
|
|
b!z
Legendary
Offline
Activity: 1582
Merit: 1010
|
|
August 30, 2013, 09:30:21 AM |
|
Quote from: theDF on August 30, 2013, 05:37:49 AM
> Quote from: phillipsjk on August 30, 2013, 05:32:44 AM
> > If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.
> > Without disassembling the software, we don't know what it does.
> > There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.
> > Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).
> So it's waiting for the creator's command to do what the command is? Could it be a multipurpose malware?
could be remote access tool, some guys before were pulling off a giveaway scam and remote controlling pc + stealing coins manually if you opened the .exe, format your drive :-)
|
|
|
|
|
hacked1
Newbie
Offline
Activity: 5
Merit: 0
|
|
August 30, 2013, 04:46:41 PM |
|
I was hacked last night due to that spam private message directing you to novascoin.com; the URL redirects to NOVAScoin... with an S instead of novacoin. The person successfully changed the password to my original forum handle "cryptograd". Moderators please help https://i.imgur.com/BpheZ5W.jpg
|
|
|
|
minerpumpkin
|
|
August 30, 2013, 10:24:56 PM |
|
Just received the scam message from the hacked cryptograd account. I've submitted an abuse report with sourceforge.
|
I should have gotten into Bitcoin back in 1992...
|
|
|
monbux
Legendary
Offline
Activity: 1736
Merit: 1029
|
|
August 30, 2013, 10:26:45 PM |
|
haha, just got their message loled so hard... is it a bought account?
|
|
|
|
PinkBatman
|
|
August 30, 2013, 10:46:34 PM |
|
Quote from: cryptograd on August 30, 2013, 05:31:47 AM
> Quote from: JoeMattie on August 30, 2013, 05:28:17 AM
> > Ran this on a fresh laptop under ap-isolation.
> > The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)
> > Then it sits listening to port 1640
> > I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched
> so this would only affect individuals who have localized bitcoin wallets running on their machines? would it intercept the coin between nodes? are cloud based wallets affected at all?
I just got the same PM from you cryptograd. Watch out.
|
|
|
|
pedrog
Legendary
Offline
Activity: 2786
Merit: 1031
|
|
August 30, 2013, 10:59:28 PM |
|
Shit, installed novacoin-qt for nothing...
novascoin.org has the same links to sourceforge as novacoin.org, how does our system get compromised in this attack?
|
|
|
|
Hekuro
Member
Offline
Activity: 71
Merit: 10
|
|
August 31, 2013, 12:40:09 AM |
|
I just got this PM (from cryptograd) and opened the link, however I didn't download anything. I'm using Google Chrome on Xubuntu 13.04. Is there some risk of my PC being infected now (probably not but better safe than sorry)
|
|
|
|
grums
|
|
August 31, 2013, 01:06:59 AM |
|
I also got a PM from cryptograd, (I believe his account has been hacked after installing the file)
I downloaded the File but never installed it. Should I be worried? Or is it okay because I never installed the exe?
|
Donations : BTC : 13Niw9YieHnEiuVxaVsFEAv4Hsomrs711u LTC : LYaFDMTK5xSohBdBxbidqH9skzNAWFawhD
|
|
|
smscotten
|
|
August 31, 2013, 01:42:45 AM |
|
Yeah, I got one from cryptograd too. I didn't even think to click the link, I just typed "novacoin" into my search bar and followed the link on the novacoin.org (no s) site to sourcesforge (kidding) and downloaded the qt client.
So I think I'm safe but if anyone gets any strange PMs from me…
|
|
|
|
smscotten
|
|
August 31, 2013, 01:55:12 AM Last edit: August 31, 2013, 02:10:29 AM by smscotten |
|
BTW, I joked about "sourcesforge" but the fake novaScoin dot org is a copy of the real site but with a link to sourceforge.net—it's a real (well, an actual fake) project on sourceforge. So it wouldn't hurt to go to http://sourceforge.net/projects/novascoinqt/ and leave some reviews (edit to add: and abuse reports) so that unsuspecting visitors don't get duped.
|
|
|
|
pedrog
Legendary
Offline
Activity: 2786
Merit: 1031
|
|
August 31, 2013, 02:06:43 AM |
|
Quote from: smscotten on August 31, 2013, 01:55:12 AM
> BTW, I joked about "sourcesforge" but the fake novaScoin dot org is a copy of the real site but with a link to sourceforge.net—it's a real (well, an actual fake) project on sourceforge. So it wouldn't hurt to go to http://sourceforge.net/projects/novascoinqt/ and leave some reviews so that unsuspecting visitors don't get duped.
Oh, now I get it! The fake sf.net project link is in the big download button in the front page, I was checking the links in the "Installation" page, those are legit...
|
|
|
|
|