Bitcoin Forum
Author Topic: WARNING, WALLET STEALER!!!  (Read 4531 times)
meee (OP)
Full Member
***
Offline Offline

Activity: 167
Merit: 100


View Profile
December 31, 2013, 06:01:03 PM
 #1

Hi guys, as you may know I run the Netcoin Forum. We had a guy PM some of the members regarding "netcoin messenger" which allows you to chat to each other via your wallet addy or some nonsense.

Anyway, 1 of my friends downloaded the thing and then warned me that it was malicious. It messed up his entire PC and they had to re-install to fix it.

Anyway today he loads up his wallet and the coins vanish soon as it syncs. Not just his Netcoins but ALL his coins.

This is the IP I have from the forum: 176.10.115.120. He used the name all4coins.

We have this...

[17:39:43] Tristan Weir: 1  alan5 (193.62.127.129)  2.912 ms  0.897 ms  0.819 ms
 2  gw-fw (193.63.74.131)  0.320 ms  0.268 ms  0.254 ms
 3  c-pop (193.63.74.226)  30.257 ms  18.952 ms  16.952 ms
 4  193.62.116.18 (193.62.116.18)  1.167 ms  1.095 ms  1.099 ms
 5  ae6.manckh-sbr1.ja.net (146.97.41.61)  1.249 ms  1.231 ms  1.252 ms
 6  ae29.erdiss-sbr1.ja.net (146.97.33.41)  3.124 ms  11.640 ms  3.116 ms
 7  ae31.londpg-sbr1.ja.net (146.97.33.21)  6.970 ms  6.958 ms  6.969 ms
 8  ae30.londtw-sbr1.ja.net (146.97.33.6)  7.530 ms  8.338 ms  7.499 ms
 9  ae29.londtn-sbr1.ja.net (146.97.33.10)  7.549 ms  7.510 ms  7.535 ms
10  ae0.lond-gw-ixp4.ja.net (146.97.35.182)  7.550 ms  7.496 ms  7.473 ms
11  linx-1.solnet.ch (195.66.224.169)  7.667 ms  7.659 ms  9.574 ms
12  dexfra-bbr01.solnet.ch (212.101.0.122)  18.743 ms  18.785 ms  18.690 ms
13  iwbbas-bbr01.solnet.ch (212.101.0.117)  34.010 ms  24.271 ms  23.409 ms
14  eq1zrh-bbr01.solnet.ch (212.101.0.74)  34.268 ms  24.251 ms  24.375 ms
15  eq2zrh-bbr01.solnet.ch (212.101.0.61)  29.418 ms  24.333 ms  24.268 ms
16  datasource-gw-as51395.customer.solnet.ch (82.220.32.126)  24.827 ms  24.891 ms  24.805 ms
17  176.10.115.120 (176.10.115.120)  25.190 ms  25.106 ms  25.094 ms

I don't know if this will be of any use or if we can do anything at all but if someone knows how to help and if they have any experience with this then please get in touch... Also if you see this kind of message never download. I guess the lesson here is to never download anything at all.

Feel so bad about this and don't really know if we can do anything. Is there? Can we do anything?

Sad

EDIT More data

Abuse contact for '176.10.96.0 - 176.10.127.255' is 'noc@datasource.ch'

atp1916
Legendary
*
Offline Offline

Activity: 854
Merit: 1000



View Profile
December 31, 2013, 06:02:03 PM
 #2

What was his loss amount in the BTC equivalent?
virtualdn
Legendary
*
Offline Offline

Activity: 1372
Merit: 1093


View Profile
December 31, 2013, 06:03:04 PM
 #3

sorry to hear, it seems a Switzerland IP address - track him here: http://ip2location.com/

1 BTC = 1 BTC
hilariousandco
Global Moderator
Legendary
*
Online Online

Activity: 3794
Merit: 2616




View Profile
December 31, 2013, 06:04:12 PM
 #4

Hi guys, as you may know I run the Netcoin Forum. We had a guy PM some of the members regarding "netcoin messenger" which allows you to chat to each other via your wallet addy or some non-sense.

Anyway, 1 of my friends downloaded the thing and then warned me that it was malicious. It messed up his entire PC and they had to re-install to fix it.

Anyway today he loads up his wallet and the coins vanish soon as it syncs. Not just his Netcoins but ALL his coins.

Did he not have them encrypted? This is why I don't bother with most alts, and if I did I would have all the wallets on a separate computer.

meee (OP)
Full Member
***
Offline Offline

Activity: 167
Merit: 100


View Profile
December 31, 2013, 06:06:22 PM
 #5

What was his loss amount in the BTC equivalent?

I dunno $10,000, I know that.

meee (OP)
Full Member
***
Offline Offline

Activity: 167
Merit: 100


View Profile
December 31, 2013, 06:07:52 PM
 #6

Hi guys, as you may know I run the Netcoin Forum. We had a guy PM some of the members regarding "netcoin messenger" which allows you to chat to each other via your wallet addy or some non-sense.

Anyway, 1 of my friends downloaded the thing and then warned me that it was malicious. It messed up his entire PC and they had to re-install to fix it.

Anyway today he loads up his wallet and the coins vanish soon as it syncs. Not just his Netcoins but ALL his coins.

Did he not have them encrypted? This is why I don't bother with most alts, and if I did I would have all the wallets on a separate computer.

Yes he had them all encrypted. And yeah you should I guess, I mean BTC has had its problems regarding this in its life. It isn't immune, is it?

hilariousandco
Global Moderator
Legendary
*
Online Online

Activity: 3794
Merit: 2616




View Profile
December 31, 2013, 06:10:58 PM
 #7

Hi guys, as you may know I run the Netcoin Forum. We had a guy PM some of the members regarding "netcoin messenger" which allows you to chat to each other via your wallet addy or some non-sense.

Anyway, 1 of my friends downloaded the thing and then warned me that it was malicious. It messed up his entire PC and they had to re-install to fix it.

Anyway today he loads up his wallet and the coins vanish soon as it syncs. Not just his Netcoins but ALL his coins.

Did he not have them encrypted? This is why I don't bother with most alts, and if I did I would have all the wallets on a separate computer.

Yes he had them all encrypted. And yeah you should I guess, I mean BTC has had its problems regarding this in its life. It isn't immune, is it?

Unless his password was really simple I don't know how it could've got his coins that quick. Did he use one password for them all?

atp1916
Legendary
*
Offline Offline

Activity: 854
Merit: 1000



View Profile
December 31, 2013, 06:11:16 PM
 #8

What was his loss amount in the BTC equivalent?

I dunno $10,000, I know that.

=[

I was hoping I could cover some or all of his loss, but that's insane.



MUST scan ALL items before opening!!!!! I know it's already happened, if there's a lesson to be learned, it's that right there.
Et Filii
Member
**
Offline Offline

Activity: 93
Merit: 10


View Profile
December 31, 2013, 06:13:56 PM
 #9

Just warn your friends and spread the word so this does not happen to anyone here.
meee (OP)
Full Member
***
Offline Offline

Activity: 167
Merit: 100


View Profile
December 31, 2013, 06:14:59 PM
 #10

Hi guys, as you may know I run the Netcoin Forum. We had a guy PM some of the members regarding "netcoin messenger" which allows you to chat to each other via your wallet addy or some non-sense.

Anyway, 1 of my friends downloaded the thing and then warned me that it was malicious. It messed up his entire PC and they had to re-install to fix it.

Anyway today he loads up his wallet and the coins vanish soon as it syncs. Not just his Netcoins but ALL his coins.

Did he not have them encrypted? This is why I don't bother with most alts, and if I did I would have all the wallets on a separate computer.

Yes he had them all encrypted. And yeah you should I guess, I mean BTC has had its problems regarding this in its life. It isn't immune, is it?

Unless his password was really simple I don't know how it could've got his coins that quick. Did he use one password for them all?

Yeah I don't know how either mate, obviously I don't know the passwords, but no he said he had a different one for all of them.

meee (OP)
Full Member
***
Offline Offline

Activity: 167
Merit: 100


View Profile
December 31, 2013, 06:17:59 PM
 #11

What was his loss amount in the BTC equivalent?

I dunno $10,000, I know that.

=[

I was hoping I could cover some or all of his loss, but that's insane.



MUST scan ALL items before opening!!!!! I know it's already happened, if there's a lesson to be learned, it's that right there.

Ahhh well that is nice of you mate. But yeah it is an insane amount. I feel so bad for him cos he is a great guy as well. I have put a warning on my forum right at the top and I think I will copy paste the OP from this thread there too.

What an end to the year Sad

It is a scary thought that someone can get to these coins so easily. Sad

But yeah must scan everything.

Oh man.... I dunno what else I can do for him. Sad

blueangel01
Sr. Member
****
Offline Offline

Activity: 406
Merit: 250

Hello! Send me a message.


View Profile
December 31, 2013, 06:20:07 PM
 #12

Is there any precaution to avoid this malware?

Msg me if you want me to put anything here.
meee (OP)
Full Member
***
Offline Offline

Activity: 167
Merit: 100


View Profile
December 31, 2013, 06:24:39 PM
 #13

Is there any precaution to avoid this malware?

Malwarebytes is a program you can use, it is a bit of an inconvenience as it deems a lot of things a threat including things like skype but after this I think it is a good idea.

As another poster said scan everything before you download.

Also paper wallets? Or some other kind of offline storage?

BitcoinEXpress
Legendary
*
Offline Offline

Activity: 1210
Merit: 1024



View Profile
December 31, 2013, 06:24:59 PM
 #14

Running any third party software that involves your wallet is STUPID, no other word for it.

If you are ignorant enough to use 3rd party software involving your wallet, you DESERVE to be ripped off.



~BCX~
atp1916
Legendary
*
Offline Offline

Activity: 854
Merit: 1000



View Profile
December 31, 2013, 06:25:30 PM
Last edit: December 31, 2013, 06:38:36 PM by atp1916
 #15

Is there any precaution to avoid this malware?

Yep.

Scan whatever you download if it has not been verified clean by other members of the forum here.
Edit2: Here's a link for individual file online virus scanning: https://www.virustotal.com/ for that purpose.

No exclusions, no exceptions.



Edit: BCX, have some mercy. Not everyone starts out as a jaded, paranoid watchdog. In fact, when you get ripped off next and you look for commiseration, I hope you get people giving you your response back at you.
Nullu
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500


View Profile
December 31, 2013, 06:26:19 PM
 #16


Running any third party software that involves your wallet is STUPID, no other word for it.

If you are ignorant enough to use 3rd party software involving your wallet, you DESERVE to be ripped off.

~BCX~

As much as I agree that people need to be a lot more careful, and to be so reckless with what is essentially money invites scam artists, nobody deserves to be ripped off.

BTC - 14kYyhhWZwSJFHAjNTtyhRVSu157nE92gF
KingGoon
Member
**
Offline Offline

Activity: 112
Merit: 10



View Profile
December 31, 2013, 06:31:10 PM
 #17

is his nick all4coins?
http://quark.freeforums.net/thread/1259/release-quark-messenger  Huh

So Icy E-Money - Frozentalk.org FD1GwdBjTeMPFdZD5v3cVRG7ZoPJBAuLrf
All these girls excited ,Oooo ya know they like it ,Frozen so icy, so icy ,Haters don't try to fight it ,All yo friends invited ,Frozen so icy, so icy!!
meee (OP)
Full Member
***
Offline Offline

Activity: 167
Merit: 100


View Profile
December 31, 2013, 06:34:29 PM
 #18


Yes that is his nickname! Delete and block as soon as you can, seems he's going around everywhere then!

Man....

meee (OP)
Full Member
***
Offline Offline

Activity: 167
Merit: 100


View Profile
December 31, 2013, 06:35:45 PM
 #19

Running any third party software that involves your wallet is STUPID, no other word for it.

If you are ignorant enough to use 3rd party software involving your wallet, you DESERVE to be ripped off.



~BCX~

Never made a mistake then I take it? Man... yeah the guy did a silly but it could so easily be any one of us. We all make rash decisions sometimes.

Have a little heart Sad

KingGoon
Member
**
Offline Offline

Activity: 112
Merit: 10



View Profile
December 31, 2013, 06:38:52 PM
 #20


Yes that is his nickname! Delete and block as soon as you can, seems he's going around everywhere then!

Man....

He also PM'd me about his crap messenger, asking me to use it  Angry

So Icy E-Money - Frozentalk.org FD1GwdBjTeMPFdZD5v3cVRG7ZoPJBAuLrf
All these girls excited ,Oooo ya know they like it ,Frozen so icy, so icy ,Haters don't try to fight it ,All yo friends invited ,Frozen so icy, so icy!!