
Topic: [BEWARE] Novacoin Phishing Site!

legendary
Activity: 2786
Merit: 1031
August 30, 2013, 05:59:28 PM
#15
Shit, installed novacoin-qt for nothing...

novascoin.org has the same links to SourceForge as novacoin.org, how does our system get compromised in this attack?
sr. member
Activity: 267
Merit: 250
August 30, 2013, 05:46:34 PM
#14
Ran this on a fresh laptop under ap-isolation.

The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)

Then it sits listening to port 1640

I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched



so this would only affect individuals who have localized bitcoin wallets running on their machines?

would it intercept the coin between nodes?

are cloud based wallets affected at all?

I just got the same PM from you cryptograd. Watch out.
legendary
Activity: 1736
Merit: 1029
August 30, 2013, 05:26:45 PM
#13
haha, just got their message loled so hard... is it a bought account?
hero member
Activity: 686
Merit: 500
A pumpkin mines 27 hours a night
August 30, 2013, 05:24:56 PM
#12
Just received the scam message from the hacked cryptograd account.
I've submitted an abuse report with SourceForge.
newbie
Activity: 5
Merit: 0
August 30, 2013, 11:46:41 AM
#11
I was hacked last night due to that spam private message directing you to novascoin.com

the url redirects to NOVAScoin... with an S instead of novacoin.

The person successfully changed the password to my original forum handle "cryptograd"

Moderators please help

https://i.imgur.com/BpheZ5W.jpg
legendary
Activity: 3108
Merit: 1359
August 30, 2013, 08:45:02 AM
#10
https://bitcointalksearch.org/topic/m.3040804

Maybe I'll try to inspect this .exe later, but HDD formatting is the best solution at the moment.
b!z
legendary
Activity: 1582
Merit: 1010
August 30, 2013, 04:30:21 AM
#9
If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.

Without disassembling the software, we don't know what it does.

There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.

Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).

So it is waiting for the creator's command to do what the command is?
Could it be a multipurpose malware?

could be remote access tool, some guys before were pulling off a giveaway scam and remote controlling pc + stealing coins manually

if you opened the .exe, format your drive :-)
newbie
Activity: 56
Merit: 0
August 30, 2013, 12:37:49 AM
#8
If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.

Without disassembling the software, we don't know what it does.

There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.

Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).

So it is waiting for the creator's command to do what the command is?
Could it be a multipurpose malware?
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
August 30, 2013, 12:32:44 AM
#7
If your anti-virus does not quarantine it, I would consider the machine compromised. Disable autorun on your main machine if you have not already.

Without disassembling the software, we don't know what it does.

There have been Bitcoin wallet stealers in the wild. New ones may include a keylogger to capture wallet passwords.

Edit: listening implies waiting for commands. That implies the program won't tell you what it does (it does not know).
member
Activity: 112
Merit: 10
August 30, 2013, 12:31:47 AM
#6
Ran this on a fresh laptop under ap-isolation.

The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)

Then it sits listening to port 1640

I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched



so this would only affect individuals who have localized bitcoin wallets running on their machines?

would it intercept the coin between nodes?

are cloud based wallets affected at all?
full member
Activity: 220
Merit: 100
August 30, 2013, 12:28:17 AM
#5
Ran this on a fresh laptop under ap-isolation.

The file copies itself to %appdata% and then sends a single packet to a TCP port on this host: furrycoat2.no-ip.biz (99.61.161.210)

Then it sits listening to port 1640

I made a dummy %appdata%/bitcoin/wallet.dat file with the word "fuckyou" in it and it doesn't seem to have been touched
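
Added example, not part of the original post: a host check for the two network behaviours reported above (a listener on TCP 1640 and a connection to 99.61.161.210), run over `netstat -ano` output. The sample output, PIDs and the remote port are constructed for illustration; only the listening port and the IP come from the thread.

```python
IOC_LISTEN_PORT = 1640            # port the sample listened on, per the post
IOC_REMOTE_IP = "99.61.161.210"   # what furrycoat2.no-ip.biz resolved to in the post

# Constructed `netstat -ano` output. PIDs, local addresses and the remote
# port 5000 are made up; the post does not say which remote port was used.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1640           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.23:49211     99.61.161.210:5000     SYN_SENT        3120
  TCP    192.168.1.23:49215     192.0.2.10:443         ESTABLISHED     2044
  UDP    0.0.0.0:5353           *:*                                    1500
"""

def parse_netstat(text):
    """Yield one dict per TCP row of `netstat -ano` output."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue                      # header, UDP rows, blank lines
        _lhost, lport = f[1].rsplit(":", 1)
        rhost, _rport = f[2].rsplit(":", 1)
        yield {"lport": int(lport), "rhost": rhost.strip("[]"),
               "state": f[3], "pid": int(f[4])}

def triage(text):
    """Map PID -> reasons its sockets match the behaviour in the post."""
    hits = {}
    for row in parse_netstat(text):
        if row["state"] == "LISTENING" and row["lport"] == IOC_LISTEN_PORT:
            hits.setdefault(row["pid"], []).append(f"listening on TCP {IOC_LISTEN_PORT}")
        if row["rhost"] == IOC_REMOTE_IP:
            hits.setdefault(row["pid"], []).append(f"connection to {IOC_REMOTE_IP}")
    return hits

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, reasons)
```

The hostname is a dynamic-DNS name, so the IP is only what it resolved to when the post was written. A flagged PID still has to be mapped to its image path to see whether it runs from %appdata%.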

member
Activity: 112
Merit: 10
August 30, 2013, 12:18:24 AM
#4
Just downloaded this and installed .exe

Should I reinstall Windows?

Luckily this isn't my main machine

any idea what this .exe is?

a key logger? a virus? spyware?
hero member
Activity: 744
Merit: 514
gotta let a coin be a coin
August 29, 2013, 06:31:51 PM
#3
Thanks for the heads up. I'm curious to see what the malware looks like via a cuckoo sandbox.

FYI - you may want to remove the hyperlink so no one clicks on it out of curiosity.

I ran the site through Anubis and here is the report: http://anubis.iseclab.org/?action=result&task_id=1edafa42a570f2ab4f5c6d89c75cc353c

legendary
Activity: 1456
Merit: 1018
HoneybadgerOfMoney.com Weed4bitcoin.com
August 29, 2013, 06:30:54 PM
#2
Same, guys, I did too. Don't fall for the greed on this one here. Whois lookup is pasted... clearly shows the site was registered yesterday.


Quote
   
Access to .ORG WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the
Public Interest Registry registry database. The data in this record is provided by
Public Interest Registry for informational purposes only, and Public Interest Registry does
not guarantee its accuracy.  This service is intended only for query-based
access. You agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to: (a) allow,
enable, or otherwise support the transmission by e-mail, telephone, or
facsimile of mass unsolicited, commercial advertising or solicitations
to entities other than the data recipient's own existing customers; or
(b) enable high volume, automated, electronic processes that send
queries or data to the systems of Registry Operator, a Registrar, or
Afilias except as reasonably necessary to register domain names or
modify existing registrations. All rights reserved. Public Interest Registry reserves
the right to modify these terms at any time. By submitting this query,
you agree to abide by this policy.

Domain ID:D169540408-LROR
Domain Name:NOVASCOIN.ORG
Created On:28-Aug-2013 23:38:45 UTC
Last Updated On:29-Aug-2013 17:55:53 UTC
Expiration Date:28-Aug-2014 23:38:45 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
newbie
Activity: 56
Merit: 0
August 29, 2013, 06:28:25 PM
#1
I just got this PM

Hi,
My Novacoin giveaway has began! I am a large holder in NVC and want to boost it's popularity. To do this I am offering the equivalent of 15$ in NVC for every person that gets the NovacoinQT wallet and sends me the newly made address.

I will be doing this up to the one hundredth address I receive and depending on the results I get on the NVC market I will either continue or discontinue these giveaways. Please do not attempt to send me multiple addresses, I have my ways of finding out. After downloading the wallet send me a pm on here with your NVC address. Hope you realise the investment opportunity that is Novacoin!

You can get the wallet from Novacoin.org

Thanks

Be careful with the link, it goes to novascoin.org instead of the real novacoin.org

*link removed for safety
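
Added example, not part of the original posts: a check for the three warning signs this thread turns on (link text that differs from the real destination, a destination one edit away from the trusted domain, and a WHOIS creation date hours before the message). The WHOIS fields are copied from the record quoted in the thread; treating the forum timestamp as UTC and the 30-day age threshold are assumptions.

```python
import re
from datetime import datetime, timezone

KNOWN_GOOD = {"novacoin.org"}   # the legitimate domain named in the thread

# WHOIS fields copied from the record quoted in the thread.
WHOIS = """Domain Name:NOVASCOIN.ORG
Created On:28-Aug-2013 23:38:45 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)"""

def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, known=KNOWN_GOOD, max_dist=2):
    """Return the trusted domain that `domain` imitates, or None."""
    d = domain.lower().rstrip(".")
    if d in known:
        return None
    return next((g for g in sorted(known) if edit_distance(d, g) <= max_dist), None)

def age_hours(whois_text, seen_at):
    """Hours between the WHOIS 'Created On' time and when the link was seen."""
    m = re.search(r"^Created On:\s*(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}) UTC", whois_text, re.M)
    if not m:
        return None
    created = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return int((seen_at - created).total_seconds() // 3600)

def assess(link_text, dest_domain, whois_text, seen_at, min_age_hours=30 * 24):
    findings = []
    if link_text.lower() != dest_domain.lower():
        findings.append("link text and destination differ")
    good = lookalike_of(dest_domain)
    if good:
        findings.append(f"destination is a lookalike of {good}")
    age = age_hours(whois_text, seen_at)
    if age is not None and age < min_age_hours:
        findings.append(f"domain registered {age} h before the message")
    return findings

# Time of the first post in the thread; treating it as UTC is an assumption.
SEEN = datetime(2013, 8, 29, 18, 28, 25, tzinfo=timezone.utc)
print(assess("Novacoin.org", "novascoin.org", WHOIS, SEEN))
```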