Unread 01.09.16, 15:21   #3799
jm252485
Beginner
Registered since: Nov 2015
Posts: 19
Thanked: 25

Quote:
Originally posted by SpDrS60
Has anyone examined the infected file that "ICHBINDABEI1" tried to foist on us?

I'm curious when the next nonsense of this kind will turn up...
There were three files. Two of them looked like archives, but inside there were only zero-filled bytes (inspected with a hex editor), so you cannot open them with WinRar. So, for those who are "less clever" and do not think that something is suspicious, there is the third file, named install.bat, a standard batch file executed from the command line. And that is where the meat is!
Inside install.bat there are three parts. The first (innocent) one looks like some testing loop, but every line starts with the REM command, which means it is only a remark and does nothing; its only purpose is to hide the next parts of the file. The second part is just many empty lines, serving as a very long divider before the third part.
The third part consists of a lot of commands which try to create some directories inside your user profile, hide them, and create other vbs and batch files (also hidden) which try to connect to xmr.crypto-pool.fr and do some operation with your bitcoin wallet.

Sorry for my English - I can only read it badly and cannot write it at all.
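The layout described in the post above (zero-filled decoy "archives", a REM-only decoy block, a long run of blank lines, then the real commands that create hidden directories under the user profile, drop hidden .vbs/.bat files and talk to a mining pool) can be turned into a quick triage script. The following is an added example, not code from the forum post or from the malware: the sample batch text is constructed to mimic the described structure (only the pool hostname xmr.crypto-pool.fr comes from the post; the directory names, file names and commands are invented), and the blank-line threshold of 50 is an assumed cut-off.

```python
"""Triage helper for the install.bat pattern described in the post.

Added example, not code from the forum post or the analysed file. It checks
two things the post describes: files that claim to be archives but contain only
NUL bytes, and batch files whose first block is all REM lines, followed by a
long blank-line divider, followed by commands that hide directories, drop
scripts and contact a mining pool.
"""
import re

# Constructed sample mimicking the described layout. Only the pool hostname is
# taken from the post; paths, file names and the rest are invented.
SAMPLE_BAT = (
    "@echo off\n"
    "REM set counter=0\n"
    "REM :loop\n"
    "REM set /a counter+=1\n"
    "REM if %counter% LSS 10 goto loop\n"
    "REM echo test done\n"
    + "\n" * 200 +
    'mkdir "%USERPROFILE%\\svc"\n'
    'attrib +h +s "%USERPROFILE%\\svc"\n'
    'echo Set o = CreateObject("WScript.Shell") > "%USERPROFILE%\\svc\\run.vbs"\n'
    'attrib +h "%USERPROFILE%\\svc\\run.vbs"\n'
    'start /b miner.exe -o xmr.crypto-pool.fr:3333 -u WALLET\n'
)

# Constructed benign batch file for comparison (invented content).
CLEAN_BAT = "@echo off\nREM build step\nmkdir build\ncopy src\\*.c build\\\n"

# Real archive signatures; a file with none of these and only NUL bytes is the
# "looks like an archive but is zero-filled" decoy from the post.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# Lines that never execute in a batch file: REM comments or the :: label trick.
REM_RE = re.compile(r"^\s*(?:rem\b|::)", re.IGNORECASE)

# Assumed threshold: a run of blank lines at least this long counts as a divider
# meant to push the payload out of view in a normal editor window.
BLANK_DIVIDER_MIN = 50

# Indicators matched only against lines that would actually execute.
INDICATORS = [
    ("hide_attribute", re.compile(r"\battrib\b.*\+h", re.IGNORECASE)),
    ("profile_dir", re.compile(
        r"\b(?:mkdir|md)\b.*%(?:USERPROFILE|APPDATA|LOCALAPPDATA|TEMP)%",
        re.IGNORECASE)),
    ("drops_script", re.compile(r'>\s*"?[^"\n]*\.(?:vbs|bat|cmd)\b', re.IGNORECASE)),
    ("mining_pool", re.compile(r"xmr\.crypto-pool\.fr|\bstratum\+tcp://", re.IGNORECASE)),
]


def classify_archive(data: bytes) -> str:
    """Return the archive type for a real header, 'zero-filled' for a NUL-only
    blob (the decoy described in the post), or 'unknown' otherwise."""
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    if data and not data.strip(b"\x00"):
        return "zero-filled"
    return "unknown"


def triage_batch(text: str) -> dict:
    """Split a batch file into decoy (REM) lines and live lines, measure the
    longest blank-line run, and match indicators against the live lines."""
    decoy, live = [], []
    longest_blank_run = run = 0
    for line in text.splitlines():
        if not line.strip():
            run += 1
            longest_blank_run = max(longest_blank_run, run)
            continue
        run = 0
        (decoy if REM_RE.match(line) else live).append(line.strip())
    hits = sorted({name for name, rx in INDICATORS for line in live if rx.search(line)})
    # Verdict: a long divider plus at least two distinct indicators in the
    # executable part. Either alone is weak on its own.
    suspicious = longest_blank_run >= BLANK_DIVIDER_MIN and len(hits) >= 2
    return {
        "decoy_lines": len(decoy),
        "live_lines": live,
        "longest_blank_run": longest_blank_run,
        "indicators": hits,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print(classify_archive(b"\x00" * 4096))
    for name, bat in (("sample", SAMPLE_BAT), ("clean", CLEAN_BAT)):
        r = triage_batch(bat)
        print(name, r["suspicious"], r["longest_blank_run"], r["indicators"])
```

The decoy/live split matters more than the indicator list: scrolling past 200 blank lines is exactly what a casual look at the file in Notepad will not do, so the script measures that run explicitly instead of trusting what is visible at the top. Running it against a real sample means reading the .bat with `errors="replace"` and the "archives" in binary mode.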