clipboard virus
Abuser: MotasemBT, Activator.exe
I downloaded an alleged crack of software called Passper for PDF from The Pirate Bay, which was uploaded by user called MotasemBT. https://thepiratebay.party/torrent/57638901/Passper_for_PDF_3.6.2.3_Multilingual___crack Inside is crack.zip, which contains a malicious file called Activator.exe. I ran the program, clicked PATCH, which appeared to do nothing. I gave up and moved on to other tasks. The next day (today) I pasted a BTC address that I immediately recognized as NOT the one I copied. I opened my clipboard manager, and sure enough, a hidden Powershell process replaced the address I copied, hoping I wouldn't see the difference. This has happened before; I lost $500 in crypto from an attempted transfer because I didn't notice the address difference when I pasted. This time I caught it right away. You can find exactly what the malicious program does and how to undo the damage here: https://gist.github.com/infernoboy/cf114fda56ff3706478e0d1e6a1a1b27?permalink_comment_id=4140687#gistcomment-4140687 1. A task was created under Microsoft > Windows > NetService > Network that is spawning PowerShell. You can safely delete the entire NetService folder, as it was also created by the malware. 2. Delete a fake log file that it created where it hides the script: C:\Windows\logs\system-logs.txt 3. It also replaces the contents of C:\Windows\System32\SyncAppvPublishingServer.vbs with its own version. A copy from a clean install of Windows 11 (works for Windows 10 as well) can be found here: https://gist.github.com/infernoboy/7cc1fe26e647dd08e6e63a201cb38e27
United States, 2022-04-21 23:26:42