Claim
There are reports from various people that YAcoin has a built-in wallet stealer.
What you can do
It's common for malware to activate its main task on a random date, and to leave a mark on the computer so it doesn't do the same thing twice (uploading the stolen wallet.dat again after your wallet has already been uploaded would be a waste of resources).
Since you can't be too safe, if you have run YAcoin's client or the modified minerd.exe and haven't encrypted your wallet, install Bitcoin on another, clean computer and send your bitcoins there.
Make sure you password-protect your wallet on that new computer.
Does YACoin really have a malware module in it?
Who knows. It's possible that it's a joke, and someone wants to drop YAC's price on the order book.
Or it's the real deal: the attackers want people to believe that all of the various malware reports we are receiving now are a joke, so that further reports will be ignored once the real attack is launched.
Hence, the investigation.
Investigation
I'll list what I found here:
List of YACoin-related binaries

yacoin-qt-2013-05-08.zip (yacoin's main client, uploaded during YACoin launch)
https://mega.co.nz/#!UowEmZYS!AAK7DVwYoTqy96oTRzUaLCS0UMsAfosJiRQmBn1jzcA
Detection ratio : 0 / 46
https://www.virustotal.com/en/file/7381b3ea8e872d860cf8279b98cb74a01cd21ecebaa1af7e537a040b6c5ad1e7/analysis/1368286925/

yacoin-qt-2013-05-09.zip (yacoin's main client, updated binary)
https://mega.co.nz/#!5wgDnKyZ!QLfWTXNRMRTwmb60rfpuFgzH48BCl4fpwb8paeAaqRs
Detection ratio : 0 / 46
https://www.virustotal.com/en/file/8c1b9dcc90e163a357b3861c10d8cec67c351a928e0b5e1e0dcf74d65d4a4b76/analysis/

cpuminer-scrypt-jane-win32.zip (modified minerd to mine yacoin on multiple computers)
hxxp://mega.co.nz/#!IJRziTBD!ZCAKGC7fqYkyXsEDi9GB1RYiqIUqj2S9bEm6UI2y1no
Detection ratio : 6 / 46
https://www.virustotal.com/en/file/2b7e630cfb2d173eb14e4dd88a7879527f5c52cbc77ace0c0742942aad46faec/analysis/1368286565/

"antivirus friendly" version of minerd (don't download this, very suspicious)
hxxp://mega.co.nz/#!shoxkb5b!DjiCAQBQ627TaW0oet1C7mvqM7Q2-2u-g4kDRHbniU4
From : https://bitcointalksearch.org/topic/yac-antivirus-friendly-minerd-for-windows-201050
Detection ratio : 16 / 46
https://www.virustotal.com/en/file/0ffa2116bf1027019ad94e9bf8e2340be427d6efbc9563e185096cf8550b4c3a/analysis/1368287421/

minerd_scrypt_jane.ZIP (another modified minerd to mine yacoin on multiple computers)
https://mega.co.nz/#!pUMBkbbY!cMJYcFqPCMr1idZBr30VsFw0tLY7y63J0N4RVNYMUBc
Detection ratio : 0 / 46
https://www.virustotal.com/en/file/01a79a608d33d1db4eb9382db029e89e581f6e0017ddb566e7826b45370596fd/analysis/

All investigation should be done in a clean virtual machine. Otherwise it's useless, since it's possible that your computer is already marked and the malware won't run its wallet-stealing routine twice.
"Victim" List - Alternate cryptocurrency section
FreeTibet / Jr. Member / Posts: 11 / DO NOT DOWNLOAD YACOIN - SENDS WALLET.DAT TO http://bitcoin-ticker.netne.net/u.p
Don't download yacoin Windows binary.. it sends your bitcoin wallet.dat to this page: http://bitcoin-ticker.netne.net/u.php
I observed it with Fiddler. Stay safe, compile the code yourself!
Lewies Man / Jr Member / Posts: 45 / 2.374 bitcoins stolen after downloading yacoin
2.374 bitcoins stolen .. anyone can help?? The last thing I did on this computer was install yacoin..
I didn't have passphrase set but I do have now. yacoin has virus? stole my coins
Brewins / Jr. Member / Posts: 69 / Yacoin developer stole more than 256 BTC!
D35TR0Y3R / Full Member / Posts: 108 / WARNING: YACOIN HAS A VIRUS BITCOIN STEALER
nocompare / Jr. Member / Posts: 14 / yacoin developers are a bunch of crooks, steals 900 BTC
"Victim List" - Newbie section
moneytronics / Posts: 1 / YACOIN STEALS YOUR WALLET DO NOT USE
BITCOINS GONE!
TX ID 11b3704b041ebfc8772f43116b69dc70345f1a6c4a873774e6d087a5f6e6691d
DO NOT USE
jebwizoscar / Posts: 5 / yacoin trojan
yacoin is sending my coins
danieljoseph / Posts: 1 / yacoin stole my 14.25 btc
What do I do now? I downloaded Yacoin which had a wallet stealer in it. Can I get my coins back? Should I file a police report?
SquishySquish / Posts: 6 / bitcoin sent from my wallet?
my bitcoins have been sent from my wallet
is it the alt coins I downloaded?
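For anyone repeating the Fiddler observation reported above in a clean VM, the following added example (not part of the original post, and not code from any tool named here) flags captured HTTP uploads whose payload begins like a wallet.dat. It assumes the capture has been exported as simple request records, that wallet.dat is a Berkeley DB btree file (magic 0x00053162 at byte offset 12), and it uses constructed sample requests with made-up `.example` hosts.

```python
import struct

# Berkeley DB btree magic, stored at byte offset 12 of the first page.
# Assumption: the wallet.dat in question is a Berkeley DB btree file.
BDB_BTREE_MAGIC = 0x00053162
MAGIC_OFFSET = 12

def looks_like_wallet(blob: bytes) -> bool:
    """True if blob starts like a BDB btree file (magic in either byte order)."""
    if len(blob) < MAGIC_OFFSET + 4:
        return False
    field = blob[MAGIC_OFFSET:MAGIC_OFFSET + 4]
    return BDB_BTREE_MAGIC in (struct.unpack("<I", field)[0],
                               struct.unpack(">I", field)[0])

def candidate_payloads(body: bytes):
    """Yield the raw body and the content of each multipart part, if any."""
    yield body
    # A multipart body begins with "--<boundary>\r\n"; split on that delimiter.
    if body.startswith(b"--") and b"\r\n" in body:
        delimiter = body.split(b"\r\n", 1)[0]
        for part in body.split(delimiter)[1:]:
            _, sep, content = part.partition(b"\r\n\r\n")
            if sep:
                yield content

def flag_uploads(requests):
    """Return (host, path) of every POST/PUT carrying a wallet-like payload."""
    hits = []
    for req in requests:
        if req["method"] not in ("POST", "PUT"):
            continue
        if any(looks_like_wallet(p) for p in candidate_payloads(req["body"])):
            hits.append((req["host"], req["path"]))
    return hits

# Constructed sample capture (not real traffic); hosts use the reserved .example TLD.
_fake_wallet = b"\x00" * 12 + struct.pack("<I", BDB_BTREE_MAGIC) + b"\x00" * 64
_multipart = (b'--XyZ\r\nContent-Disposition: form-data; name="f"; filename="a.bin"\r\n'
              b"Content-Type: application/octet-stream\r\n\r\n" + _fake_wallet + b"\r\n--XyZ--\r\n")
SAMPLE = [
    {"method": "GET", "host": "pool.example", "path": "/stats", "body": b""},
    {"method": "POST", "host": "pool.example", "path": "/rpc", "body": b'{"method":"getwork"}'},
    {"method": "POST", "host": "upload.example", "path": "/u", "body": _multipart},
    {"method": "POST", "host": "raw.example", "path": "/put", "body": _fake_wallet},
]

if __name__ == "__main__":
    print(flag_uploads(SAMPLE))
```

A hit only means a database-shaped file left the machine; compressed or encoded uploads would not match, so an empty result does not clear a binary.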
netne.net Whois
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: NETNE.NET
Created on: 19-Mar-09
Expires on: 19-Mar-14
Last Updated on: 20-Mar-13
Registrant:
Hostinger International Ltd.
61 Lordou Vyronos
Larnaca, 6023
Cyprus
Administrative Contact:
Kyriako, Kyriakos
[email protected]
Hostinger International Ltd.
61 Lordou Vyronos
Larnaca, 6023
Cyprus
+357.24030130
Technical Contact:
Kyriakos, Kyriako
[email protected]
Hostinger International Ltd.
61 Lordou Vyronos
Larnaca, 6023
Cyprus
+357.24030130
Domain servers in listed order:
NS1.000WEBHOST.COM
NS2.000WEBHOST.COM
Registry Status: clientDeleteProhibited
Registry Status: clientRenewProhibited
Registry Status: clientTransferProhibited
Registry Status: clientUpdateProhibited
If you find this helpful, any donation would be welcome:
YAcj1cSecVtCZkPpcPnb2raXdJfb3vzine