by kramerc
4473 days ago
The code is written in LiveCode. According to the documentation, those "on" blocks appear to be message handlers. [1] They do appear to act like functions as "sW" and "sC" are called from the "doSearch" message handler block. These blocks also are what contain the malicious code. Basically, the code is searching for bitcoin.conf and wallet.dat in the typical storage place Bitcoin-Qt stores its data. If it manages to find these files, it reads them and sends the contents of them off to two different web addresses, effectively stealing the Bitcoin wallet. The paths and filenames the code uses to find this data are Base64 encoded in the source code, so a text search through the code will come up with nothing unless the strings used for searching are Base64 encoded first.

[1] http://livecode.com/developers/api/6.0.2//on/
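A defender-side check of the point made in the comment above: a scanner that decodes Base64-looking string literals in a script so that a search for the wallet file names catches them even though a plain text search does not. This is an added example, not code from the comment or from the analysed sample; the LiveCode-style source it scans is constructed, and the `base64Decode` call in it is only there to make the sample look plausible.

```python
import base64
import binascii
import re

# File names named in the comment above; any Base64 literal that decodes
# to text containing one of them is flagged (case-insensitive).
SENSITIVE_NAMES = ("wallet.dat", "bitcoin.conf")

# Quoted literals made only of Base64 alphabet characters, 8+ chars, with
# optional padding. Length must also be a multiple of 4 (checked below).
_B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')


def decode_b64_literal(token):
    """Decode a candidate token as Base64 text; None if it is not valid Base64/UTF-8."""
    if len(token) % 4 != 0:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_hidden_paths(source):
    """Return (literal, decoded) pairs for Base64 literals that hide sensitive file names."""
    hits = []
    for m in _B64_LITERAL.finditer(source):
        decoded = decode_b64_literal(m.group(1))
        if decoded and any(n in decoded.lower() for n in SENSITIVE_NAMES):
            hits.append((m.group(1), decoded))
    return hits


# Constructed sample in the style of the LiveCode handlers described above
# (not the real malware source): the two Base64 literals hide the file names.
SAMPLE_SOURCE = '''
on sW
   put base64Decode("d2FsbGV0LmRhdA==") into tFile
end sW
on sC
   put base64Decode("Yml0Y29pbi5jb25m") into tFile
end sC
on doSearch
   put "readme.txt" into tOther
end doSearch
'''

if __name__ == "__main__":
    for literal, decoded in find_hidden_paths(SAMPLE_SOURCE):
        print(f"{literal} -> {decoded}")
```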