Despite seeing in the options that we can add a directory to scan, the libs get loaded first, no? I added "UserLibs" to the configs and got this for AudioImportLib.dll:
[03:01:20.859] [MLVScan] Disabled potentially malicious mod: AudioImportLib.dll
[03:01:20.859] [MLVScan] Disabled 1 suspicious mods
[03:01:20.861] [MLVScan] ======= DETAILED SCAN REPORT =======
[03:01:20.861] [MLVScan] SUSPICIOUS MOD: AudioImportLib.dll
[03:01:20.861] [MLVScan] -------------------------------
[03:01:20.862] [MLVScan] Total suspicious patterns found: 7
[03:01:20.863] [MLVScan] Severity breakdown:
[03:01:20.864] [MLVScan] HIGH: 7 issue(s)
[03:01:20.864] [MLVScan] -------------------------------
[03:01:20.864] [MLVScan] Suspicious patterns found:
[03:01:20.864] [MLVScan] [HIGH] Detected byte array manipulation commonly used to hide and load malicious code. (7 instances)
I assumed this file was safe from Thunderstore with over 150k downloads? AudioImportLib - Github
Yes, user libs load before plugins & mods, so there is no physical way to stop them other than making a separate loader program or a fork of MelonLoader. As for AudioImportLib, it is a false positive due to the way it loads audio as bytes. Simply add it to your whitelist, or remove user libs from being scanned, since that won't do much anyway. It is encouraged to be extra, extra careful installing Plugins, as these in theory can make themselves load before MLVScan; as for UserLibs, same story generally, although I am 100% sure if they can actually execute their own functions upon being loaded.
Code on Git doesn't mean anything really. It's misleading because the build/binaries can be changed and there's no way of knowing. The audio mod you are talking about, I don't know, that is too deep IMO. If there was a mod for that, it should change the default game songs or at least use the library in the game already. I can not vouch for that mod, but I don't trust it because it doesn't use what is in the game already. I just turn on a playlist and play music that way and leave game audio music down but other stuff normal.
That audio lib is a general mod for Unity games and has been up for quite some time with hundreds of thousands of downloads. As far as binaries being changed, that would create a new hash; you can get the hash from Git and match it to what ML is showing.
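One way to do that comparison, as an added example that is not from this thread or from MelonLoader itself: parse the "Melon Assembly loaded" / "SHA256 Hash" pairs MelonLoader prints (the format is taken from the log quoted further down this page) and compare them with the hashes you computed from the release download or that the author publishes. The expected-hash table below is a constructed placeholder, and the filename-only matching is an assumption.

```python
import hashlib
import re

# Constructed sample: the MelonLoader lines quoted in this thread, which print the
# SHA256 of every assembly as it is loaded (UserLibs first, then Plugins).
SAMPLE_ML_LOG = """\
[02:47:17.021] Loading UserLibs...
[02:47:17.053] Melon Assembly loaded: '.\\UserLibs\\AudioImportLib.dll'
[02:47:17.053] SHA256 Hash: '92484FABE1C1F12590112FFCABDEBE5DA6FC23D38A0DFB77DD344589716C50DF'
[02:47:17.054] Loading Plugins...
[02:47:17.066] Melon Assembly loaded: '.\\Plugins\\MLVScan.MelonLoader.dll'
[02:47:17.066] SHA256 Hash: 'BED23B68988667C4DC9C4ADBA5D01CACDF13E495F5E820889D3EEBD9E53B03FA'
"""

# Constructed placeholder table: what you would fill in from your own hashing of the
# release file. The MLVScan entry is deliberately wrong (all zeros) to show a mismatch.
EXPECTED_HASHES = {
    "AudioImportLib.dll": "92484FABE1C1F12590112FFCABDEBE5DA6FC23D38A0DFB77DD344589716C50DF",
    "MLVScan.MelonLoader.dll": "0" * 64,  # placeholder, not a real hash
}

LOADED_RE = re.compile(r"Melon Assembly loaded: '(.+?)'")
HASH_RE = re.compile(r"SHA256 Hash: '([0-9A-Fa-f]{64})'")


def parse_loaded_hashes(log_text):
    """Pair each 'Melon Assembly loaded' line with the SHA256 line that follows it.

    Returns {filename: SHA256 (upper-case hex)}. Only the filename is kept, since the
    same DLL may live in UserLibs, Plugins or Mods.
    """
    result = {}
    pending = None
    for line in log_text.splitlines():
        if (m := LOADED_RE.search(line)):
            pending = m.group(1).replace("\\", "/").split("/")[-1]
        elif (m := HASH_RE.search(line)) and pending:
            result[pending] = m.group(1).upper()
            pending = None
    return result


def check_against_release(loaded, expected):
    """Compare what MelonLoader actually loaded against known-good hashes.

    Returns (mismatched, unverified): mismatched maps a filename to the hash that was
    loaded when it differs from the expected one; unverified lists loaded assemblies
    for which no expected hash was supplied at all.
    """
    mismatched = {
        name: digest
        for name, digest in loaded.items()
        if name in expected and expected[name].upper() != digest
    }
    unverified = sorted(name for name in loaded if name not in expected)
    return mismatched, unverified


def sha256_bytes(data):
    """SHA256 of an in-memory blob, upper-case hex to match MelonLoader's output."""
    return hashlib.sha256(data).hexdigest().upper()


def sha256_of(path):
    """SHA256 of a file on disk (e.g. the DLL you just downloaded), streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    loaded = parse_loaded_hashes(SAMPLE_ML_LOG)
    bad, unknown = check_against_release(loaded, EXPECTED_HASHES)
    for name, digest in bad.items():
        print(f"MISMATCH {name}: loaded {digest}")
    for name in unknown:
        print(f"UNVERIFIED {name}: no expected hash supplied")
```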
I think we know we can play our own music, but having custom music in the game means the effects from drugs makes our custom music sound unique based on your player effects, which is pretty trippy :)
@AlabamaHit like the other user said, AudioImportLib is 100% safe, and the reason people have it, is because of another mod I made "BetterJukebox" which adds custom songs to the jukebox.
just flagging that the Mod manager shows as suspicious? https://www.nexusmods.com/schedule1/mods/58?tab=posts strangely, says it disabled the mod, but it worked fine. also, the mod itself seemed legit enough and old/mature enough...
[07:13:37.985] [MLVScan] Disabled potentially malicious mod: LethalLizard.ModManager.dll
[07:13:37.986] [MLVScan] Disabled 1 suspicious mods
[07:13:37.992] [MLVScan] Suspicious patterns found:
[07:13:37.992] [MLVScan] [CRITICAL] Detected Process.Start call which could execute arbitrary programs. (2 instances)
[07:13:37.993] [MLVScan]* At: LethalLizard.ModManager.Core.OpenModsFolder:50
[07:13:37.993] [MLVScan]* At: LethalLizard.ModManager.Core.RestartGame:52
[07:13:37.993] [MLVScan]
[07:13:37.994] [MLVScan] [CRITICAL] Detected Shell32 API usage. This could be used to execute arbitrary commands. (1 instances)
[07:13:37.994] [MLVScan]* At: LethalLizard.ModManager.Core.RestartGame:38
@GreggyF So as for the Mod Manager being flagged, that is because it has functions to open the mods folder and restart the game, which use the same methods to start a process that are commonly used in malware. Nonetheless, it is a false positive, so you can add it to your whitelist. Also, as for it saying it disabled the mod but worked fine, do you mean it said it disabled the mod manager but the mod manager still got loaded? If so, could you please send me your log file so I can investigate? When testing the mod manager on my game, it did disable the mod manager, and then I was able to close the game, add it to the whitelist, rename it back to .dll, and it worked. My Discord is ifbars.
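To make reports like the one above easier to triage, here is an added Python example (not from this thread and not MLVScan's own code) that parses MLVScan's console output in both forms quoted on this page, the short form above and the detailed scan report further up, groups each finding under its mod, and ranks the methods the hits cluster on, so you know which functions to open in a decompiler before deciding a flag is a false positive. The line format is inferred from the quoted output; the MEDIUM and LOW severity names are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed samples: the two MLVScan outputs quoted in this thread.
SAMPLE_SHORT = """\
[07:13:37.985] [MLVScan] Disabled potentially malicious mod: LethalLizard.ModManager.dll
[07:13:37.986] [MLVScan] Disabled 1 suspicious mods
[07:13:37.992] [MLVScan] Suspicious patterns found:
[07:13:37.992] [MLVScan] [CRITICAL] Detected Process.Start call which could execute arbitrary programs. (2 instances)
[07:13:37.993] [MLVScan]* At: LethalLizard.ModManager.Core.OpenModsFolder:50
[07:13:37.993] [MLVScan]* At: LethalLizard.ModManager.Core.RestartGame:52
[07:13:37.993] [MLVScan]
[07:13:37.994] [MLVScan] [CRITICAL] Detected Shell32 API usage. This could be used to execute arbitrary commands. (1 instances)
[07:13:37.994] [MLVScan]* At: LethalLizard.ModManager.Core.RestartGame:38
"""

SAMPLE_DETAILED = """\
[03:01:20.859] [MLVScan] Disabled potentially malicious mod: AudioImportLib.dll
[03:01:20.859] [MLVScan] Disabled 1 suspicious mods
[03:01:20.861] [MLVScan] ======= DETAILED SCAN REPORT =======
[03:01:20.861] [MLVScan] SUSPICIOUS MOD: AudioImportLib.dll
[03:01:20.862] [MLVScan] Total suspicious patterns found: 7
[03:01:20.864] [MLVScan] HIGH: 7 issue(s)
[03:01:20.864] [MLVScan] [HIGH] Detected byte array manipulation commonly used to hide and load malicious code. (7 instances)
"""

# "[hh:mm:ss.mmm] [MLVScan]" prefix; location lines carry a "*" right after the tag.
PREFIX_RE = re.compile(r"^\[\d{2}:\d{2}:\d{2}\.\d{3}\] \[MLVScan\]\*?\s*")
MOD_RE = re.compile(r"^(?:Disabled potentially malicious mod|SUSPICIOUS MOD): (\S+)$")
FINDING_RE = re.compile(r"^\[(CRITICAL|HIGH|MEDIUM|LOW)\] (.+?) \((\d+) instances?\)$")
LOCATION_RE = re.compile(r"^At: (.+)$")
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    severity: str
    description: str
    instances: int
    locations: list = field(default_factory=list)  # "Namespace.Type.Method:offset"


def parse_report(log_text):
    """Return {mod filename: [Finding, ...]} from MLVScan console output."""
    reports = {}
    current_mod = None
    current_finding = None
    for raw in log_text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue  # some other MelonLoader line, not MLVScan output
        line = raw[m.end():].strip()
        if (mm := MOD_RE.match(line)):
            current_mod = mm.group(1)
            reports.setdefault(current_mod, [])  # same mod may be named twice
            current_finding = None
        elif (fm := FINDING_RE.match(line)) and current_mod:
            current_finding = Finding(fm.group(1), fm.group(2), int(fm.group(3)))
            reports[current_mod].append(current_finding)
        elif (lm := LOCATION_RE.match(line)) and current_finding:
            current_finding.locations.append(lm.group(1))
    return reports


def method_hotspots(findings):
    """Count how many findings point at each method (location without the trailing :number)."""
    counts = Counter()
    for f in findings:
        for loc in f.locations:
            counts[loc.rsplit(":", 1)[0]] += 1
    return counts


def triage(reports):
    """Per mod: worst severity seen and the methods to inspect first, most-hit first."""
    out = {}
    for mod, findings in reports.items():
        worst = max((f.severity for f in findings), key=SEVERITY_RANK.get, default=None)
        out[mod] = {"worst": worst, "hotspots": method_hotspots(findings).most_common()}
    return out


if __name__ == "__main__":
    for mod, info in triage(parse_report(SAMPLE_SHORT)).items():
        print(mod, info["worst"])
        for method, hits in info["hotspots"]:
            print(f"  {hits}x {method}")
```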
@CH053N1 As for it deleting/removing it from the whitelist, make sure you close the game before editing the MelonPreferences.cfg file, as when you close the game, MelonLoader saves the preferences to the file, overwriting it. As long as you add it to the whitelist with the game closed, and save the file, it should work. Below is an example:
@ironcat84 The reason the page only shows those mods is because those are just another example. By default, MLVScan adds CustomTV and itself to the whitelist. However, you can manually add mods to the whitelist by editing MelonPreferences.cfg, and that is what I was making an example of. Everyone should have their own set of whitelisted mods based on what trusted mods they have installed that might be showing as a false positive. The example in the info section is merely showing you how to add a mod to the whitelisted mods list; users can simply insert the name of their affected mod, which in this case would be LethalLizard.ModManager.dll
Edit: I think I misinterpreted you at first, I have updated the example to be a bit more clear, as well as fixing the missing [] brackets discrepancy, thanks
do you mean it said it disabled the mod manager but the mod manager still got loaded?
Correct-o! As for how the Mod still loaded, might have been either/or:
a) some funky stuff I done with Vortex on my end (my modlist is a sh...tstorm), also, if it matters, I'm running IL2CPP and I had installed ModManager prior to first trying MLVScan...
b) Symlink deployment screwing things around (sigh... dunno why that's the only option for S1) and/or
c) most likely, Vortex kept recreating the Symlink(!) and the actual DLL in the Vortex Mod Staging folder DID NOT get disabled (not sure it's by design) - in fact, the symlink itself was disabled by being renamed to "LethalLizard.ModManager.di" which I guess it would work, but it's so quirky I think it's worth calling it out. Friggin symlinks man....
Sorry bruv, I'm going by memory at this point, I didn't see your reply and lost the Melon log already :(
@GreggyF No worries at all, I appreciate your response; probably something to do with the way Vortex uses symlink files. I will look into this ASAP. For the time being, my advice is to stick to manually installed mods for now, unless you are 100% certain the mod you are installing with Vortex is safe. While I can say, from the detection, that the Mod Manager detection seems likely to be a false positive from the way the Mod Manager restarts the game, as with any anti-virus, it can never be perfect, and you should always do your research before installing new mods.
Be aware: The Backpack, AutoSave and most importantly the Increased Stack Limit mods are compromised and should NOT be used. Please see this IMPORTANT video: https://youtu.be/jEnpaxA7ZnA
LMAO! You're, like...an entire month late, my friend. 😂 Do you really think that thousands of ppl have just been downloading Trojan-infected mods for an entire month, without anyone knowing, nor those mods ever being removed? 🤣🤣🤣🤣🤣 Nope! Not the case.
Now, caution is very important when modding, especially with the several infected mods that occasionally pop up in both Nexus & Thunderstore. However, in this particularly mentioned case, it has been resolved a while ago & those mods should be safe now.
In my opinion, the best way to protect yourself from an infected mod is to wait about a day or so before downloading any newly released mod! From what I've observed so far on Nexus over the past few weeks, the mod page of an infected mod is typically removed within 24-48 hours of release.
👍👍👍
So, I'd recommend: - Wait a day before downloading any brand-new mods. - Use this mod to protect yourself, in case you do install an infected mod.
And 99.9% of people will most likely be fine, by following those guidelines.
(There are actually several re-uploads of the UN-infected, safe version of the old Backpack mod. This one is my personal recommendation, and it has also just been updated with more features! 😄 The key point here is that none of the 3 mods you listed have been infected for the past month)
Tbh, sending this message on multiple mod pages is just gonna stoke panic from other similarly uninformed people, like yourself.
To actually help people, it would be better to share actually accurate, up-to-date information about HOW people can protect themselves from the minority of infected mods that may be posted in the FUTURE!
But spreading outdated warnings from mods that were taken down a month ago? You're just gonna make ppl panic for no reason... 😔
Can you make your plugin universal for all games with MelonLoader? I want to use it for No Rest for the Wicked, but it's only for Schedule One.
[16:39:54.047] ------------------------------
[16:39:54.048] 'MLVScan v1.5.1' is incompatible:
[16:39:54.049] - MLVScan is only compatible with the following Games:
[16:39:54.049] - 'Schedule I' by TVGS
[16:39:54.049] ------------------------------
I can not believe Nexus is allowing this many viruses on their site for a game. Is there a list of known mods that have/had viruses new users should avoid? I've never seen anything like this for a game on Nexus Mods.
All virus mods get taken down quite quickly, but a website for MLVScan, which will also have a database of all virus mods caught by MLVScan, is currently in the works.
Totally, yes :) This has been heavily discussed in the S1 modding Discord; however, it being open source doesn't change much, since all Schedule 1 mods are made in .NET and can be easily decompiled and viewed in something like dnSpy. Therefore I figured making it open source wouldn't provide too much of a negative, while also providing the mod as a learning resource for others to make their own improved scanners and whatnot. So far there have been 2 virus mods uploaded that I know of since MLVScan was released, and neither has gotten around MLVScan; also, MLVScan covers just about every way you can load an assembly, so it isn't easy to get around even with seeing the source code.
Nonetheless, I already have an entire design document ready to go, for a V2 version of MLVScan, that would be entirely re-coded, closed source, with the release being obfuscated, which would make it much much more difficult for attackers/virus devs to get around :D
Robbery Mod and Toileportation are marked as potentially malicious, but no one seems to identify them as a virus on Nexus. Can I whitelist these mods somehow? What is your opinion on these mods?
Yes, you can whitelist these mods via MelonPreferences, but it will be streamlined in the future. Also, I'll add those mods to my list of testing.
Version 1.1 has just been uploaded, which should fix the false positives on those 2 mods, meaning they will no longer be falsely identified as potential malware
Yeah you can go ahead and whitelist it, that mod is trusted, so long as you are downloading it from the official author on Nexus/TS which I believe goes by something similar to the name "Deej"
It would be truly funny if this mod contains a virus. 🤣🤣 The definition of irony! 😆 That would be absolutely hilarious.
Haha, but seriously this is a neat mod - I'll be giving it a try. I'm hoping this mod can help people from being affected by these stupid viruses plaguing the Schedule 1 modding scene. There was one just yesterday, like the weather mod or whatever. 😔 Ugh.
Haha well, this mod is completely open source on GitHub so, if it did have a virus, it would've already been taken down. I know there was a ManorMod virus yesterday, where the manor mod got re-uploaded; didn't see a weather mod though. Nonetheless, this plugin scans for suspicious behavior in mods and other plugins, so it should be able to find most virus mods.
Weather mod got taken down pretty quick, I have the samples if you want them. Would have been killed off by the Shell32 rule, progressed to XWorm but I also nuked a Cloudflare worker that it was using so it's pretty dead now.
Hello Umgak, I have some suspicions that I am infected with the weather mod. Could you assist with any guidance towards determining infection and any next steps? Thank you
Hey tomwaitsalot,
Looking over the malware again, it looks like the first hint of infection is a hidden .vbs file located in:
C:\ProgramData\toMjspIoPdfZ.vbs
This stage is executed every time the PC starts up via a registry key in:
HKEY_CURRENT_USERS\Software\Microsoft\Windows\CurrentVersion\Run
According to the script, the name of this key is IKECbUPPeT
The data retrieved by this stage is gone due to the shutdown of the Cloudflare worker which was serving it. However, if you ran the mod before 2025-05-12 at 11:42 PM (UTC) then you will have been infected by the XWorm RAT which was being served from that Cloudflare worker.
I haven't extensively researched the RAT itself, and I can't even get it to run in my VM. Looking into it, I don't actually see the usual persistence mechanisms XWorm employs, though it may not just be running successfully since I am in a VM. That said, XWorm does contain keylogging and token stealing capabilities, as well as the ability to execute arbitrary scripts and commands. It's really impossible to be fully certain that it's completely removed, honestly - historically it's had a tendency to drop itself as a file marked as Hidden and System in the %AppData% directory, with startup keys in the same location as shown above as well as a link in %AppData%\Microsoft\Windows\Start Menu\Programs\Startup
Also, the RAT spreads via USB drives by replacing all files and folders on the drive with a shortcut (*.lnk) file pointing to itself, named as USB.exe, with commands to install the RAT on the host machine, then retrieve the data the user requested from a hidden folder it creates. I'd honestly recommend wiping any flash drives you've connected to the PC since running the mod by right clicking them in My Computer and selecting Format. Additionally, change the passwords on any services you've logged into since running the mod, any services you were already logged into, and any that have their passwords saved in your browser, as this data can all be stolen via simple exploits.
The RAT seems to have been minimally configured from the basic package that can be bought on the darkweb, it's possible they may have even not added persistence to the RAT itself and relied on the (now dead) Cloudflare worker and VBS startup script. I really can't be certain; the only 100% reliable method is to wipe Windows unfortunately. The malware is capable of executing any arbitrary code the authors want post-infection, and since I don't have a stealthy VM to test it in and I can't really sacrifice my actual box for it I wouldn't be able to find anything spread via such methods. If you want to look around for me, though, try checking in those locations mentioned above and see if anything is actually there. Make sure to enable Show Hidden Files and Folders and disable Hide Protected Operating System Files in Explorer's View menu.
Thanks so much for taking the time here. I downloaded and installed the visual effect mod Monday around 9pm UTC. I have hidden files shown and system files unhidden. I do see the registry entry you referenced, and the properties of that entry refer to the same file you mentioned, C:\ProgramData\toMjspIoPdfZ.vbs, but when I look there it is not there. Tuesday afternoon I got an alert from Malwarebytes about an external communication happening through port 443 to a Cloudflare worker at 104.21.77.124. I didn't allow that and I haven't 'seen' anything else, but have noticed some strange behavior, mostly reboots w/o context or cause.
I am seeing an 'account unknown
I'll look into reinstalling windows after work today. If you've the time to discuss sometime over the next few days, I'm tomwaitsalot on discord. Could throw you some support for your help here. Also my apologies to the creator of this mod for hijacking your thread, but I figured it was tangentially relevant to the mod you've created. I can't endorse, mostly because I haven't played this game or used any mods since the malware scare, but this community definitely needs something like this.
@tomwaitsalot Fortunately, that Cloudflare worker is actually completely dead at this point. Cloudflare shut it down only 9 minutes after I reported it, so new infections won't progress past the VBScript stage.
@Yetios that looks to be a different sample, but likely from the same campaign. EDIT: It looks like you had the ManorModPlus version, while I'm looking at the WeatherEffects version. I do also see a write to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden, which is why it changed your hidden files settings. That change is set to be applied every startup by the VBScript file.
yep i saw reg in windows key and chrome cookies too but no movement.
I have a cut-down OS with some extra PowerShell scripts and more. I clean my PC a few times per day, very deep, so I think this s#*! cannot work on my testing station anyway :D
So here is my log. CustomTV has a plugin for Firefox from GitHub. It's safe as far as I know, but others idk. Edit: when I added CustomTV to the whitelist, deleted manormodplus.dll from mods, and started the game again, now it looks ok.
[16:04:44.180] [MLVScan] Pre-scanning for malicious mods...
[16:04:44.191] [MLVScan] Configuration loaded successfully
[16:04:44.196] [MLVScan] Scanning for suspicious mods...
[16:04:44.198] [MLVScan] Found 23 potential mod files in Mods
[16:04:45.197] [MLVScan] Found 3 potential mod files in Plugins
[16:04:45.197] [MLVScan] Skipping whitelisted mod: MLVScan.dll
[16:04:45.207] [MLVScan] No suspicious mods found
i knew that manormodplusss thing was fishier than the ocean lol so i avoided it but if i recall correctly it actually was greenlabeled as "safe to use" for a short time correct? if so...how are these things getting past the staff here, getting greenlabeled as safe and then the lovely users here discover it's a nasty piece of code.
obviously this mod will be a godsend but how are these malicious mods being still greenlit...wth lol
@Yetios The Manor Mod, made by ChloeNow is 100% safe: https://www.nexusmods.com/schedule1/mods/646
Yesterday or the day before, there was someone who re-uploaded ChloeNow's ManorMod, with a virus inside it. It has since been taken down.
However, the manor mod you (Yetios) have (based on the pastebin log) seems to be the one with the virus, due to the fact that the ManorMod is calling the Shell32 API from GoldenBricks, which is the GoldenBricks virus that contains a shell executor. I recommend taking the steps given in the scan report, running trusted anti-virus, resetting passwords, etc. You 100% have been infected by that one.
[02:47:17.021] Loading UserLibs...
[02:47:17.038] ------------------------------
[02:47:17.053] Melon Assembly loaded: '.\UserLibs\AudioImportLib.dll'
[02:47:17.053] SHA256 Hash: '92484FABE1C1F12590112FFCABDEBE5DA6FC23D38A0DFB77DD344589716C50DF'
[02:47:17.053] ------------------------------
[02:47:17.053] 0 UserLibs loaded.
[02:47:17.054] Loading Plugins...
[02:47:17.054] ------------------------------
[02:47:17.066] Melon Assembly loaded: '.\Plugins\MLVScan.MelonLoader.dll'
[02:47:17.066] SHA256 Hash: 'BED23B68988667C4DC9C4ADBA5D01CACDF13E495F5E820889D3EEBD9E53B03FA'
[02:47:17.094] [MLVScan] Pre-scanning for malicious mods...
please update the info page @ Whitelist section.
Infopage:
WhitelistedMods = S1APILoader.dll, S1API.Mono.dll, S1API.Il2Cpp.dll, CustomTV_Mono.dll, CustomTV_IL2CPP.dll
and your example:
WhitelistedMods = [ "MLVScan.dll", "MLVScan.MelonLoader.dll", "CustomTV.dll", "CustomTV_Mono.dll", "CustomTV_IL2CPP.dll",
"LethalLizard.ModManager.dll", ]
so people will be confused, and that's why they ask help whitelisting.
And thumb UP for this tool! :)
It will help people, and reducing the whitelist questions.
Thank you!
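As an added example (not part of this thread and not MLVScan's own code), a small Python helper that reads the WhitelistedMods array from MelonPreferences.cfg and appends a mod filename in the same bracketed, quoted, trailing-comma form shown in the example above, leaving the rest of the file untouched. The [MLVScan] section name and the ScanDirectories key in the sample are assumptions; as the author says above, edit the file only with the game closed, because MelonLoader rewrites it on exit.

```python
import re
import shutil
from pathlib import Path

# Constructed MelonPreferences.cfg fragment. The section name and ScanDirectories are
# assumptions; WhitelistedMods and its bracketed form are as quoted in this thread.
SAMPLE_CFG = """\
[MLVScan]
WhitelistedMods = [ "MLVScan.dll", "MLVScan.MelonLoader.dll", "CustomTV.dll", ]
ScanDirectories = [ "Mods", "Plugins", ]
"""

# Matches the whole array, including arrays MelonLoader wrote across several lines.
WHITELIST_RE = re.compile(
    r"^(?P<key>[ \t]*WhitelistedMods[ \t]*=[ \t]*)\[(?P<body>.*?)\]", re.M | re.S
)
QUOTED_RE = re.compile(r'"([^"]*)"')


def read_whitelist(cfg_text):
    """Return the list of whitelisted DLL filenames, in file order."""
    m = WHITELIST_RE.search(cfg_text)
    if not m:
        raise ValueError("WhitelistedMods not found; has MLVScan written its section yet?")
    return QUOTED_RE.findall(m.group("body"))


def add_to_whitelist(cfg_text, mod_file):
    """Return cfg_text with mod_file appended to WhitelistedMods (unchanged if present).

    Only the exact DLL filename MLVScan reports (e.g. LethalLizard.ModManager.dll) is
    accepted, since that is what the scanner matches against.
    """
    if not mod_file.lower().endswith(".dll"):
        raise ValueError(f"whitelist entries are DLL filenames, got {mod_file!r}")
    current = read_whitelist(cfg_text)
    if mod_file in current:
        return cfg_text
    rendered = "[ " + "".join(f'"{e}", ' for e in current + [mod_file]) + "]"
    m = WHITELIST_RE.search(cfg_text)
    return cfg_text[: m.start()] + m.group("key") + rendered + cfg_text[m.end():]


def whitelist_in_file(cfg_path, mod_file):
    """Apply add_to_whitelist to a real MelonPreferences.cfg, keeping a .bak copy.

    Run this with the game closed: MelonLoader saves its preferences on exit and would
    overwrite the edit otherwise.
    """
    path = Path(cfg_path)
    original = path.read_text(encoding="utf-8")
    updated = add_to_whitelist(original, mod_file)
    if updated != original:
        shutil.copyfile(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(updated, encoding="utf-8")
    return updated != original


if __name__ == "__main__":
    print(add_to_whitelist(SAMPLE_CFG, "LethalLizard.ModManager.dll"))
```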
EDIT:
Please stop trying to spread hysteria from 1-month-old news. 😐
So far, I've seen this message on MLVScan, OG Backpack, Instant Mixing, EnhancedDealers, EnhancedCasino, & Wages App.
Just...WHY
i hear the hackers buy nexus accounts from trusted uploaders at any given time
the malware was:
somehow changed my user permission too and hid extra folders :D
Anyway, thanks again!
i can vouch for customTV, it’s good with no virus
MANORMODPLUS IS GOLDBRIK. BY CHLOE IS OK
I'm gonna check what the hell he wants to do, see u soon :)