A friend of mine who mines scrypt coins, but who otherwise isn't that geeky, discovered an oddly named hidden .zip file in his C: root directory (2014Äê2ÔÂ13ÈÕ18ʱ45·Ö.zip - he doesn't have cyrillic script installed). In it are contained the wallet.dat files for all his cryptocoins (renamed to Bitcoin.dat, Litecoin.dat, etc).
Checking the file's last modified date and looking at the Prefetch directory, I determined that this file was created after running mousecoin-qt.exe or Mouse.exe (contained in the downloaded MouseCoin-Qt1.0.0.0_Win.rar). He downloaded that from the official site on 13 Feb 2014, linked to from the Bitcointalk announcement thread. When opened, mousecoin-qt.exe generates a hidden VBS file (tem.vbs), but this file in itself is innocent, cointaining just these four lines:
Dim fso
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("C:\Program Files\MouseCoin-Qt1.0.0.0_Win\mousecoin-qt.exe")
fso.DeleteFile("C:\Program Files\MouseCoin-Qt1.0.0.0_Win\tem.vbs")
So the wallet-stealing code is contained in mousecoin-qt.exe itself, and the VBS file is used to delete itself. I haven't gone so far as to check where the .zip file with the wallets is sent, but if anyone is interested let me know.
As of today, the "official" MouseCoin sites (mousecoin.net and mouseco.in) return a 404, and the announcement thread has been renamed to "
[ANN]New Coin MouseCoin ,yep,i m Jerry !", and some Russian users appear to have posted over the last several weeks for the purpose of bumping the thread.
TL;DR: MouseCoin steals all your cryptocoin wallets! Had my friend not password-protected his wallets, they'd have all been wiped instantaneously.
