BitPay warned folks Friday of a Trojan virus affecting bitcoin purchases. This comes from their support team, who have received several reports of foul play.
"This virus has not compromised any wallets or payments systems. Instead, it's introduced into Windows computers through malicious software or email attachments." - BitPay
Trojan.Conbitclip injects itself into system files so that on startup (boot) it installs malicious code that sits watching the Windows clipboard. When it detects a bitcoin wallet address, it replaces it with its own, so that when you CTRL+V (paste) the wallet address you CTRL+C (copied), you actually end up pasting the attacker's wallet address and the bitcoin goes there instead of the intended destination.
This virus is not new or any kind of epidemic. It's been around for the majority of 2016, and we'll show you how to get rid of it.
How To Prevent
Update your virus definitions. If you don't know what that is, then just run your anti-virus "update" tool. If you don't have anti-virus, then you don't belong behind the keyboard of a computer and there is little hope for you anyway, but go download McAfee, Symantec, or any of the numerous other offerings on the market and install it.
Always double check the wallet address when you paste it anywhere to make sure it's the one you intended to use. This is common practice anyway, since basic human error can also happen. You can also just use any given app to scan the destination's QR code.
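The swap described above is a pure text substitution between your CTRL+C and your CTRL+V, so the "double check the address" advice can be automated. The following is an added example, not code from BitPay or dinbits: it remembers the address you copied, refuses the paste if the clipboard now holds anything else, and independently verifies the Base58Check checksum of a legacy bitcoin address (version byte + 20-byte hash + 4-byte double-SHA-256 checksum). The `ClipboardGuard` class, `simulate_paste` and the attacker-controlled placeholder string are assumptions made for the demonstration; the genesis-block address is used only because it is a well-known valid address.

```python
import hashlib

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(address: str) -> bool:
    """Return True if `address` is a syntactically valid legacy (P2PKH/P2SH)
    bitcoin address: Base58 alphabet, 25 decoded bytes, and the last 4 bytes
    equal the first 4 bytes of SHA256(SHA256(payload))."""
    if not address or any(c not in BASE58_ALPHABET for c in address):
        return False
    n = 0
    for c in address:
        n = n * 58 + BASE58_ALPHABET.index(c)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte that the integer drops.
    leading_ones = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * leading_ones + raw
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


class ClipboardGuard:
    """Hypothetical helper: snapshot what the user copied and compare it with
    what is about to be pasted, which is exactly where a clipboard hijacker
    makes its substitution."""

    def __init__(self) -> None:
        self.expected = None

    def on_copy(self, text: str) -> None:
        self.expected = text.strip()

    def check_paste(self, clipboard_text: str):
        """Return (verdict, text): SWAPPED if the clipboard no longer holds what
        was copied, MALFORMED if the checksum fails, OK otherwise."""
        pasted = clipboard_text.strip()
        if pasted != self.expected:
            return ("SWAPPED", pasted)
        if not base58check_valid(pasted):
            return ("MALFORMED", pasted)
        return ("OK", pasted)


def simulate_paste(copied: str, clipboard_now: str):
    """Run one copy/paste cycle against a simulated clipboard (offline)."""
    guard = ClipboardGuard()
    guard.on_copy(copied)
    return guard.check_paste(clipboard_now)


# Constructed sample values for the demonstration.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"          # well-known valid address
TAMPERED_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"         # last character altered
SWAPPED_IN = "1AttackerControlledAddressPLACEHOLDER"             # placeholder, not a real address

if __name__ == "__main__":
    print(simulate_paste(GENESIS_ADDRESS, GENESIS_ADDRESS))   # ('OK', ...)
    print(simulate_paste(GENESIS_ADDRESS, SWAPPED_IN))        # ('SWAPPED', ...)
    print(simulate_paste(TAMPERED_ADDRESS, TAMPERED_ADDRESS)) # ('MALFORMED', ...)
```

To wire this to the real Windows clipboard you would feed `check_paste` the current clipboard text (for example from tkinter's `clipboard_get()`) immediately before the paste; the checksum test alone will not catch a swap, because the attacker's address is itself well-formed, which is why the copied-versus-pasted comparison comes first.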
How To Detect
Running your anti-virus scan should detect the bug and destroy or quarantine it, and that is the obvious first course of action if available. You can also manually check a few things.
You can check the system registry and see if some things are out of whack there. To open the registry editor:
CTRL + ESC or the Windows key
Execute: cmd (Command Prompt) or PowerShell
Execute: regedit.exe from the command line
Don't ask Cortana anything, she won't know a damn thing.
From the registry, look for entries referencing these paths:
%AppData%\Blizzard\Hearthstone.exe
%User's Profile%\Application Data\hearthstone\updater.exe
If you have these entries you might have the virus, and removal is required immediately.
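Clicking through regedit by hand is error-prone, so here is an added example (not dinbits' or BitPay's code) that does the same check over a regedit export: it parses a `.reg` file, keeps only values under the `Run`/`RunOnce` autostart keys, and flags any whose data references the two paths listed above, matching on the path tail so that `%AppData%` versus an expanded profile directory makes no difference. The `.reg` text embedded below is constructed for the demonstration; the function names are assumptions.

```python
import re

# Path tails the article lists as indicators; lower-cased for comparison.
INDICATOR_TAILS = (
    r"blizzard\hearthstone.exe",
    r"hearthstone\updater.exe",
)

# Autostart keys worth inspecting (same relative path under HKCU and HKLM).
RUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_reg_export(text: str):
    """Yield (key, value_name, string_data) for REG_SZ values in a .reg export.
    Only quoted string data is handled; hex:/dword: values are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes as \\ and quotes as \" inside strings.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
                yield key, name, data


def find_suspicious_run_entries(reg_text: str):
    """Return [(key, name, data)] for autostart values referencing an indicator path."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if not any(key.lower().endswith(run_key) for run_key in RUN_KEYS):
            continue
        low = data.lower()
        if any(tail in low for tail in INDICATOR_TAILS):
            hits.append((key, name, data))
    return hits


def scan_reg_file(path: str):
    """regedit writes exports as UTF-16 with a BOM; Python's utf-16 codec handles it."""
    with open(path, encoding="utf-16") as fh:
        return find_suspicious_run_entries(fh.read())


# Constructed sample export: one benign autostart entry, one matching the
# indicator path, and an unrelated uninstall key that must not be flagged.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Hearthstone"="C:\\Users\\alice\\AppData\\Roaming\\Blizzard\\Hearthstone.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Hearthstone]
"DisplayName"="Hearthstone"
"InstallLocation"="C:\\Program Files (x86)\\Hearthstone"
'''

if __name__ == "__main__":
    for key, name, data in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"SUSPICIOUS  {key}  {name} = {data}")
```

On the machine in question you would produce the input with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for HKLM and RunOnce), then call `scan_reg_file("run.reg")`. A match here is an indicator, not proof; the anti-virus scan the article recommends remains the authoritative check.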
How To Remove
Again ... run your anti-virus scan, and that may be able to detect the bug and quarantine it if your definitions are up to date. Since the virus was detected months ago, most of these should have definitions for it available, but these are mainly preventative.
If you don't have one of these installed, which likely might be the case if you have this virus, go get one. Use the Google apparatus to locate one of these binaries and give it a spin.
The most likely candidates for automatic removal are going to be Norton's Power Eraser tool, and MalwareBytes also claims to have a canned solution. There are several others that are less known (and less trusted, so be careful), but you never know what you're downloading with the smaller tools since some of them are viruses themselves. Best bet is to stick with Norton's or try one of the manual solutions.
For either of these solutions you are going to want to close everything and reboot. Upon boot hit the F8 key and select the Safe Mode with Networking option.
This will take a longer period of time to boot which is normal. Once up and running you may need to kill the explorer.exe service from the task manager but you should be able to run one of the aforementioned solutions with the best chance of success in this environment.
This is also where you may decide to go with a manual or more certain solution.
There are three options to remove this manually; restoring or reinstalling the operating system has the best chance of complete success.
Make sure you have backed up all of your important files before you go this route. If your system is already infected you can still back these files up, but there's no guarantee that you won't be reinfected instantly.
Method 0: Nit pick
You can go through the registry and remove the keys. Remove anything from the startup that you are unfamiliar with, and remove any references to binary executables you find being referenced in the registry. Whereas this method is possible, it's not recommended unless you really know what you are doing, and even then it's not 100%. This is why I said there were two ways and not three.
Method 1: Restore point
You can restore to a point in time before you were infected. This may work, but it also is not 100%.
1. Go to the Start menu or press CTRL + ESC
2. For Windows 10 use Cortana's input, or select Run for previous versions, and enter:
then press the Enter key.
3. From the Control Panel, find "Recovery"
4. Select Recovery > Open System Restore > Next.
5. Choose the relevant restore point and select Next > Finish
Method 2: Reinstall
Reinstall Windows from the boot DVD and make sure you select the option to remove all files, so the drive is wiped and reformatted.
This method has the highest chance of success.
On a final note, if you were one of the BitPay victims, reporting the issue to them certainly raises awareness, but unfortunately there is little they can do and it's not their fault; after all, they did exactly what you told them to do, and the blockchain doesn't lie.
They can certainly sympathize with you... after all remember this (bitpay article) once happened.
Report by dinbits
Image by dinbits.com staff