We detect the threat as Trojan-PSW:W32/CoinBit.A.
Here’s a screenshot of the GUI:
It’s not very professional looking.
But that’s not the real point. This is a snatch and grab. Before the window is rendered, the application will fetch the Bitcoin wallet.dat file (if it exists) from this location:
%Documents and Settings%\
CoinBit.A then attempts to e-mail the wallet.dat to a Hotmail address via a Polish SMTP server. The .pl server address is hardcoded. Reportedly, the password of the server account has since been changed, so this variant is no longer effective.
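The behaviour described above (a non-Bitcoin process reading wallet.dat and then opening an outbound SMTP connection) is a simple pairing for endpoint telemetry to catch. The script below is an added example, not code from the original post or from F-Secure: it correlates constructed file-access and network events per process and flags any process that reads a wallet.dat and connects to an SMTP port shortly afterwards. All process names, paths, hostnames and timestamps in it are made up for illustration; the .pl hostname is a placeholder, not the server the trojan used.

```python
"""Added example: flag a process that reads a Bitcoin wallet.dat and then
opens an outbound SMTP connection within a short window.
All event data below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, loosely shaped like endpoint file/network
# events: (timestamp, pid, process image, event type, detail).
# "suspicious_download.exe" and "smtp.example.pl" are placeholders.
SAMPLE_EVENTS = [
    ("2011-06-16 10:00:01", 4120, "bitcoin.exe", "file_read",
     r"C:\Documents and Settings\alice\Application Data\Bitcoin\wallet.dat"),
    ("2011-06-16 10:00:02", 4120, "bitcoin.exe", "net_connect",
     "peer.example:8333"),                       # normal P2P traffic, not SMTP
    ("2011-06-16 10:05:10", 5200, "suspicious_download.exe", "file_read",
     r"C:\Documents and Settings\alice\Application Data\Bitcoin\wallet.dat"),
    ("2011-06-16 10:05:11", 5200, "suspicious_download.exe", "net_connect",
     "smtp.example.pl:25"),                      # wallet read, then SMTP
    ("2011-06-16 10:07:00", 6000, "outlook.exe", "net_connect",
     "mail.example.com:25"),                     # SMTP without a wallet read
]

SMTP_PORTS = {25, 465, 587}
WINDOW = timedelta(seconds=60)   # how soon after the read the connect must occur


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def _is_wallet_read(event):
    # Match any path whose final component is wallet.dat (case-insensitive).
    return event[3] == "file_read" and event[4].lower().endswith("\\wallet.dat")


def _is_smtp_connect(event):
    if event[3] != "net_connect":
        return False
    _, _, port = event[4].rpartition(":")
    return port.isdigit() and int(port) in SMTP_PORTS


def find_wallet_exfil(events, window=WINDOW):
    """Return (pid, image, target) for every process that reads wallet.dat
    and then connects to an SMTP port within `window` of that read."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev[1]].append(ev)

    hits = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e[0])            # timestamps sort lexically
        read_times = [_ts(e[0]) for e in evs if _is_wallet_read(e)]
        for ev in evs:
            if not _is_smtp_connect(ev):
                continue
            t = _ts(ev[0])
            # Only a connect that follows a wallet read counts.
            if any(timedelta(0) <= (t - r) <= window for r in read_times):
                hits.append((pid, ev[2], ev[4]))
    return hits


if __name__ == "__main__":
    for pid, image, target in find_wallet_exfil(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} image={image} wallet.dat read then SMTP to {target}")
```

The legitimate Bitcoin client reads the same file but talks to peers on its own port, and a mail client opens SMTP connections without touching the wallet, so neither trips the rule; only the process that does both in sequence is reported.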
Performing a search for the hardcoded @hotmail recipient e-mail address leads one to this thread at bitcoin.org’s forum.
It appears the pickpocket posted links in the forum’s chat application. Forum members who clicked the link and downloaded the trojan risked losing their wallets.
To quote a forum member:
“No doubt that sucker is going straight for your wallet.dat”
“People will lose coins from this!”
Read more from Kevin Poulsen at Wired.