Heads up: Infected Multibit Wallet

[mitzie]

There is an infected multibit out there -> http://multibitcoinwallet.com

A user already tried to advertise it in bitcointalk, beware

MALWARE, just in case anyone had any doubts.

Upon execution, it drops a bunch of executables into %appdata%, runs them, and sets a few of them to be auto-started at boot or logon. I didn't bother trying to figure exactly what kind of stuff it tries to pull beyond this, but it's surely not for your benefit....

Executables it installs on my test system:

documents and settings\admin\application data\1tvcuplb.exe
documents and settings\admin\application data\dyfyljco.exe
documents and settings\admin\application data\eyn8sork.exe
documents and settings\admin\application data\install\host.exe
documents and settings\admin\application data\pua8hbxd.exe
documents and settings\admin\application data\qol58yud.exe

Virustotal report of these dropped executables is here: https://www.virustotal.com/en/file/88624d750fd17a4d61196fc9e63ba54532b508f1f20256a9214849bd8baa4a28/analysis/1405294627/.

[jim618]

Thanks for that heads up

[jim618]

Tweeted a reminder to always to use the main multibit site for downloads:
https://twitter.com/MultiBitOrg/status/488801201505722369

[btchris]

There is an infected multibit out there -> http://multibitcoinwallet.com

A user already tried to advertise it in bitcointalk, beware

MALWARE, just in case anyone had any doubts.

Upon execution, it drops a bunch of executables into %appdata%, runs them, and sets a few of them to be auto-started at boot or logon. I didn't bother trying to figure exactly what kind of stuff it tries to pull beyond this, but it's surely not for your benefit....

Executables it installs on my test system:

documents and settings\admin\application data\1tvcuplb.exe
documents and settings\admin\application data\dyfyljco.exe
documents and settings\admin\application data\eyn8sork.exe
documents and settings\admin\application data\install\host.exe
documents and settings\admin\application data\pua8hbxd.exe
documents and settings\admin\application data\qol58yud.exe

Virustotal report of these dropped executables is here: https://www.virustotal.com/en/file/88624d750fd17a4d61196fc9e63ba54532b508f1f20256a9214849bd8baa4a28/analysis/1405294627/.

Not that it really matters, but that malware wasn't claiming to specifically be a MultiBit executable, it is claiming to be a multi-bitcoin wallet, whatever the heck that is...

[shorena]

-snip-
Not that it really matters, but that malware wasn't claiming to specifically be a MultiBit executable, it is claiming to be a multi-bitcoin wallet, whatever the heck that is...

Its the kind of malware that steals your coin no matter which wallet you use

I think a warning here is enough because the URL is close to the one of multibit and a google search (as well as some others) of "multi bitcoin wallet" does not lead to the malware.

I am not so sure however if its wise to post the URL here, idk. Maybe make code tags around it so it cant be easily clicked by someone that does not read.