Malware uploaded to Mod Releases forum

[Minimaul]

Malware was uploaded to the Mod Releases forum today under the name of "Unlimited Homies v1.0 - Recruit unlimited homies!".

We removed the thread less than 10 minutes after it was created, but some users may have downloaded the attached .zip file. The attached file contained an executable file named "Unlimited Homies Installer.exe".

This malware is not currently detected by any anti-virus software that we have tried - we have sent samples off to major vendors and expect it to be added to anti-virus updates soon.

If you downloaded this mod, please ensure you are running an up to date anti-virus scanner and scan your system regularly.

Mods should never need to be distributed as .exe files - if you find a similar file in future please report it to us.

NOTE: There are exceptions to this rule with releases like the Gentlemen of Steelport compilation and the Shiny Clothing mod; both of which include Gibbed's tools in order to build the files dynamically. These releases were developed and tested by trusted members of the community and are virus-checked to ensure your safety.

 

[flarn2006]

Just wondering, what exactly did the malware do? Could I see the original thread, minus of course the malware in question?

 

[Minimaul]

http://www.microsoft.com/security/p...edia/entry.aspx?name=VirTool:MSIL/Injector.CA is the Microsoft virus encyclopaedia entry for it.

I don't really remember what it does now I'm afraid, and we deleted it from the forum so I no longer have a sample. I did work out what it did at the time, though. I seem to think it was to do with injecting malicious MSIL into .net applications.

VirusTotal results: https://www.virustotal.com/en/file/...35fb8d7a3c92cee5f941383d/analysis/1371306093/

 

[Gondar]

Hm. I was wondering if it was a false-positive, but the fact that a large number of assorted scans are turning up that it's a trojan implies it probably was. Although I have seen that turn up false-positive on scanners when there's a trainer involved, they don't like them.

I'm going to guess it was uploaded by some sudden random person who hasn't posted before and likely had no profile set? Ah well. Thanks for keeping us safe!

 

[Arglaar]

 

[Gondar]

Hey, I was curious.
Besides, the last comment was by Minimaul... today.

I know the internet has a fast turnover time for attention, but we're not that bad yet!

 

[Arglaar]

Hey, I was curious.
Besides, the last comment was by Minimaul... today.

I know the internet has a fast turnover time for attention, but we're not that bad yet!

That was aimed more at Flarn than you Gondar.

The original post he replied to was over a year old.

 

[Gondar]

Oh, wow. I misread that as 'May 2013'!

I had been away from the forums for a while, and thought this had suddenly popped up and I missed it, since that'd be just end of last month.

But a year ago? Wow. ..maybe he misread it too?

 

[Minimaul]

Hm. I was wondering if it was a false-positive, but the fact that a large number of assorted scans are turning up that it's a trojan implies it probably was. Although I have seen that turn up false-positive on scanners when there's a trainer involved, they don't like them.

I'm going to guess it was uploaded by some sudden random person who hasn't posted before and likely had no profile set? Ah well. Thanks for keeping us safe!

I actually analysed it myself because at the time nothing detected it. It's definitely malicious - I sent my analysis off to the AV companies when I submitted it as a sample.

 

[Gondar]

Not surprising I suppose. Depressing, but not suprising. I guess it's a sign how large things have been getting.. a few years before people wouldn't have realized there was modding, and then just last year a scammer idiot trying to pass his or her trojan off as an interesting new mod. Well, less a worry since it's a year old now, but.. still depressing to see. I also expect more of that to happen coming up, now that the news is REALLY starting to spread that modding is officially condoned and supported.