Malware inside Angry Planes & Noclip Mod

[GRANDHEIST]

So who was the fu***** c*** who did this?

[Zhuocheng Tan]

Is system restore just as effective compared to reformatting

[master131]

So I analysed the sample @MarshallRawR sent. The first couple of layers have the exact same name as my previous analysis but do differ in hash and bytes (mostly likely reobfuscated). This is probably because it was compiled/created 1 day later than the other one I looked at. However, the final Fade executable at the very last layer is identical to the one in the previous analysis (same MD5: 1F3B946A850F0D7DF56FA85E5E14BD64).

 

Huh, I was trying to get the file uploaded, ESET obviously
locked the file before I could, but surprisingly it changed of detection type.

They probably added their detection definitions. Stimilik is the name they use for Steam related trojans.

How long does urlmon cache the downloaded files in the folder for? Would it be worth it for infected users to clean this folder or does it pose no threat?

Not sure, I'm not familiar with urlmon's caching system. If it's there it probably can't do anything, but it doesn't hurt to delete it.

 

We are disabling the domains as we are informed of them.

 

We have dealt with

 

acrypt.duckdns.org

hop.duckdns.org

nop.duckdns.org

 

Cheers.

Edited May 16, 2015 by master131

[monster875.]

@StevenHarperUK

 

sounds good hopefully those morons can be taken all down

[TDO]

Just one question: The main problems are ASI mods, where the ASI Loader (Script Hook V) is needed to make them work. So, wouldn't it be a good idea, to change the code of this ASI-Loader and remove the posibility of downloading / executing exe files / uploading and change the directory to something else than the GTA V dir? Is this spossible? Or if the ASI Loader can't prevent such activities, can it be monitored by the loader and stop the script, when it is trying to do something like this?

[MarshallRawR]

Seems like these DNS are indeed down.
Great job, so far the infection is technically killed.

Edited May 16, 2015 by MarshallRawR

[Silent]

Just one question: The main problems are ASI mods, where the ASI Loader (Script Hook V) is needed to make them work. So, wouldn't it be a good idea, to change the code of this ASI-Loader and remove the posibility of downloading / executing exe files / uploading and change the directory to something else than the GTA V dir? Is this spossible? Or if the ASI Loader can't prevent such activities, can it be monitored by the loader and stop the script, when it is trying to do something like this?

Unlikely. ASI loader literally LoadLibrary's *.asi files.

[TDO]

And what about the Script Hook V SDK? Is it possible to prevent such activities already during programming/compiling such mods?

Edited May 16, 2015 by TDO

[Liolix]

Saw this post on Reddit about a cleaned up version of Angry Planes:

http://www.reddit.com/r/GrandTheftAutoV_PC/comments/36279w/cleaned_up_version_of_the_angry_planes_mod_info/

 

Is anyone able to test it an confirm whether it's clean?

 

Many thanks

[Silent]

And what about the Script Hook V SDK? Is it possible to prevent such activities already during programming/compiling such mods?

It's native code, so any sort of such security would in practice be equal to reinventing an antivirus.

[ffzero58]

Is system restore just as effective compared to reformatting

It was the intent. However, some viruses can infect the restore files and continue the spread. Not saying this infection does this but why take the chance.

 

http://superuser.com/questions/201468/can-system-restore-remove-virus-from-the-computer

 

I can tell you are trying NOT to put in some effort to fully clean your PC. I can understand. Really, take some responsibility.

[rappo]

Hey Silent, do you have any tips on how to check pre-compiled .dll files, which are used for the .NET Script Hook?

[Smiley992]

Hello, Guys and i just wanted to tell you about some helpful tips to know if you are still hacked by The Keylogger,

 

So,

 

First Open up CMD and Write:

 

net user

 

What net user does is tells you how many people are connected in on your pc, if it's writes your pc name only, it's means you are safe, if it's gives another name, there is a big chance that you still hacked.

 

and another thing is useful as well, for example This program Called (ApateDNS)

Just Search ApateDNS On google

 

So all you have to do is open ApateDNS As Administartor and Click Start Server , if you Recieve any Domains While you didn't open any website or other programs there is a big chance, you still been hacked..

 

And Just an Advice, use a Program Called,

 

KeyScramble Which Encrypts every Thing you Write on your Keyboard and Send it False to The keylogger it's really a Useful program.

 

 

i Hope i Helped, It's not That good but i hope it's a Useful Tips Thanks For Reading in that little voice in your Brain

 

[masterjedi343]

Glad I didn't download this mod. Will there be an actual safe version of Angry planes at some point?

[Smiley992]

Glad I didn't download this mod. Will there be an actual safe version of Angry planes at some point?

i guess so,

[G0nx4]

Hello, Guys and i just wanted to tell you about some helpful tips to know if you are still hacked by The Keylogger,

 

So,

 

First Open up CMD and Write:

 

net user

 

What net user does is tells you how many people are connected in on your pc, if it's writes your pc name only, it's means you are safe, if it's gives another name, there is a big chance that you still hacked.

 

and another thing is useful as well, for example This program Called (ApateDNS)

Just Search ApateDNS On google

 

So all you have to do is open ApateDNS As Administartor and Click Start Server , if you Recieve any Domains While you didn't open any website or other programs there is a big chance, you still been hacked..

 

And Just an Advice, use a Program Called,

 

KeyScramble Which Encrypts every Thing you Write on your Keyboard and Send it False to The keylogger it's really a Useful program.

 

 

i Hope i Helped, It's not That good but i hope it's a Useful Tips Thanks For Reading in that little voice in your Brain

 

Thank you, I wrote net user and the only name that showed up on user accounts was my PC Name. I feel a lot safer now. Thank you ))))))

[Cazomino05]

To clarify some confusion asi files are for some reason renamed (compiled C++) dll files.

 

They currently execute at the lowest level your computer can process and no protection exists beyond your existing antivirus and anti-malware software - which in this case didn't appear to catch it due to the encryption used obfuscating the intentions of the "mod".

 

Any C# or C++ mods have full and unrestricted access to the system as any game, program or virus written in that language would.

Edited May 16, 2015 by Cazomino05

[Smiley992]

 

Hello, Guys and i just wanted to tell you about some helpful tips to know if you are still hacked by The Keylogger,

 

So,

 

First Open up CMD and Write:

 

net user

 

What net user does is tells you how many people are connected in on your pc, if it's writes your pc name only, it's means you are safe, if it's gives another name, there is a big chance that you still hacked.

 

and another thing is useful as well, for example This program Called (ApateDNS)

Just Search ApateDNS On google

 

So all you have to do is open ApateDNS As Administartor and Click Start Server , if you Recieve any Domains While you didn't open any website or other programs there is a big chance, you still been hacked..

 

And Just an Advice, use a Program Called,

 

KeyScramble Which Encrypts every Thing you Write on your Keyboard and Send it False to The keylogger it's really a Useful program.

 

 

i Hope i Helped, It's not That good but i hope it's a Useful Tips Thanks For Reading in that little voice in your Brain

 

Thank you, I wrote net user and the only name that showed up on user accounts was my PC Name. I feel a lot safer now. Thank you ))))))

 

 

 

Hello, Guys and i just wanted to tell you about some helpful tips to know if you are still hacked by The Keylogger,

 

So,

 

First Open up CMD and Write:

 

net user

 

What net user does is tells you how many people are connected in on your pc, if it's writes your pc name only, it's means you are safe, if it's gives another name, there is a big chance that you still hacked.

 

and another thing is useful as well, for example This program Called (ApateDNS)

Just Search ApateDNS On google

 

So all you have to do is open ApateDNS As Administartor and Click Start Server , if you Recieve any Domains While you didn't open any website or other programs there is a big chance, you still been hacked..

 

And Just an Advice, use a Program Called,

 

KeyScramble Which Encrypts every Thing you Write on your Keyboard and Send it False to The keylogger it's really a Useful program.

 

 

i Hope i Helped, It's not That good but i hope it's a Useful Tips Thanks For Reading in that little voice in your Brain

 

Thank you, I wrote net user and the only name that showed up on user accounts was my PC Name. I feel a lot safer now. Thank you ))))))

 

You are welcome sir and i am always happy to help. And by the way make sure you always run a Strong Firewall

Edited May 16, 2015 by Smiley992

[G0nx4]

 

 

Hello, Guys and i just wanted to tell you about some helpful tips to know if you are still hacked by The Keylogger,

 

So,

 

First Open up CMD and Write:

 

net user

 

What net user does is tells you how many people are connected in on your pc, if it's writes your pc name only, it's means you are safe, if it's gives another name, there is a big chance that you still hacked.

 

and another thing is useful as well, for example This program Called (ApateDNS)

Just Search ApateDNS On google

 

So all you have to do is open ApateDNS As Administartor and Click Start Server , if you Recieve any Domains While you didn't open any website or other programs there is a big chance, you still been hacked..

 

And Just an Advice, use a Program Called,

 

KeyScramble Which Encrypts every Thing you Write on your Keyboard and Send it False to The keylogger it's really a Useful program.

 

 

i Hope i Helped, It's not That good but i hope it's a Useful Tips Thanks For Reading in that little voice in your Brain

 

Thank you, I wrote net user and the only name that showed up on user accounts was my PC Name. I feel a lot safer now. Thank you ))))))

 

 

 

Hello, Guys and i just wanted to tell you about some helpful tips to know if you are still hacked by The Keylogger,

 

So,

 

First Open up CMD and Write:

 

net user

 

What net user does is tells you how many people are connected in on your pc, if it's writes your pc name only, it's means you are safe, if it's gives another name, there is a big chance that you still hacked.

 

and another thing is useful as well, for example This program Called (ApateDNS)

Just Search ApateDNS On google

 

So all you have to do is open ApateDNS As Administartor and Click Start Server , if you Recieve any Domains While you didn't open any website or other programs there is a big chance, you still been hacked..

 

And Just an Advice, use a Program Called,

 

KeyScramble Which Encrypts every Thing you Write on your Keyboard and Send it False to The keylogger it's really a Useful program.

 

 

i Hope i Helped, It's not That good but i hope it's a Useful Tips Thanks For Reading in that little voice in your Brain

 

Thank you, I wrote net user and the only name that showed up on user accounts was my PC Name. I feel a lot safer now. Thank you ))))))

 

You are welcome sir and i am always happy to help. And by the way make sure you always run a Strong Firewall

 

Do you recommend me to pay for avast? Because it has interesting features like firewall, sandbox mode, etc.

[cp702]

 

 

Though MD5 collisions have been demonstrated to be possible, actually doing so in practice would require a supercomputer and several decades at the minimum. Probably not something that the malware author (who is injecting his malware into a video game trainer) has the perseverance to carry out. Having said that, there is no sane reason to still be using MD5 checksums. Use SHA-1 and avoid the issue altogether.

 

 

No, it's SHA-1 which has been cracked but has not had a collision generated yet. MD5 is utterly broken; this guy managed to create a chosen-prefix collision between two fixed images in 10 hours of AWS time (costing under a dollar). SHA-1 should *also* not be used in new applications, because although its break is theoretical at this point it is broken. The correct checksum to use is a SHA-2 family hash (like SHA-256) or SHA-3; probably SHA-256, since that's really well supported. Do not use MD5 for any application that collision-resistance matters for, like this one.

 

 

 

Hey Silent, do you have any tips on how to check pre-compiled .dll files, which are used for the .NET Script Hook?

 

Can you not just decompile them?

Edited May 16, 2015 by cp702

[MarshallRawR]

All this sh*t made me paranoid now.
Look at this, I'd love to try this mod, but how do I know?

http://gtaforums.com/topic/794751-vwip-vigilante-mod

Hell, I even played another mod from this guy and it seemed fine. sh*t makes you paranoid, is swear.

Edited May 16, 2015 by MarshallRawR

[Eagle1001]

I just have two questions, if I had 3 session files starting from 13th may is it possible that I didn't have any other? As I downloaded the mod earlier then that but I only saw those files.

[Ursus]

I'm not infected.

I dont have the Angry Planes mod, but I have the Noclip mod (Date installed: May 3.).

The Noclip mod I have is the one that uses numpad 0+1,

and has this readme.txt included:

 

Controls:

- NUMPAD0 to enable/disable noclip

- NUMPAD1 to modify speed (normal or super)

- W to move forwards, S to move backwards

- A to rotate left, D to rotate right

- LSHIFT to move up, LCTRL to move down

Custom activation/speed key:

- Edit the settings file called Noclip.ini and modify the numeric values

- List of keycodes can be found here: http://www.kbdedit.com/manual/low_level_vk_list.html

- For example, NUMPAD0 is 0x60 and NUMPAD1 is 0x61

Known bugs:

- Noclipping into other vehicles might make the other vehicle disappear

- Long shadows don't seem to work while noclip is enabled

Install:

- Script Hook V must be installed

- Put Noclip.asi and Noclip.ini in your root GTA V folder (i.e. the folder where the script hook is installed)

 

 

 

[MarshallRawR]

I'm not infected.

I dont have the Angry Planes mod, but I have the Noclip mod (Date installed: May 3.).

The Noclip mod I have is the one that uses numpad 0+1,

and has this readme.txt included:

 

Controls:

- NUMPAD0 to enable/disable noclip

- NUMPAD1 to modify speed (normal or super)

- W to move forwards, S to move backwards

- A to rotate left, D to rotate right

- LSHIFT to move up, LCTRL to move down

Custom activation/speed key:

- Edit the settings file called Noclip.ini and modify the numeric values

- List of keycodes can be found here: http://www.kbdedit.com/manual/low_level_vk_list.html

- For example, NUMPAD0 is 0x60 and NUMPAD1 is 0x61

Known bugs:

- Noclipping into other vehicles might make the other vehicle disappear

- Long shadows don't seem to work while noclip is enabled

Install:

- Script Hook V must be installed

- Put Noclip.asi and Noclip.ini in your root GTA V folder (i.e. the folder where the script hook is installed)

 

 

 

 

That's the same text in the readme from the infected NoClip I had.

[dgraham1284]

Wrong, windows firewall is essentially useless. You need router level firewall integration and a person who knows what they are doing. Even then, given the complexity of this, that may not be enough.

[ZS GTA]

i use norton and that is VERY GOOD at detecting viruses and i pay nothing for it

1) Just download the original 30 day's trial from norton website and install it

2) Then after create a fake account for norton

3) Download norton trial re-setter from here (http://www.mediafire.com/download/8fgpo0l69op0jf6/Norton+Trial+Reset+2015+All+Version.rar) it is not detected as a virus by the norton trial which is just the full thing but lasts 30 days

4) Type MSCONFIG in start menu or in the charms bar for windows 8

5) Go to the Boot tab and click safe boot it tells you to restart then restart

6) once restarted log in and open the trial re-setter and click reset/convert it resets the free trial and converts to 180 days (about 1/2 a year) use it again when norton has less than 30 days left norton updates when you run a scan or when you click update in the settings i have been using this for over 2 years and it still works the way it works is i think it refreshes norton's data

R☆™

Edited May 16, 2015 by ZS GTA

[FlyingAce]

Hey Im Worried about Sonic boom mod and innerforce mod

how come it doesnt want to load through a mod manager? it preforms a check, it looks like to see if it's being run through the main directory or not

 

local sonicboom = {}
local mod = false
local mod_toggle = false

function sonicboom.unload()

 

Bit shady?????? almost as if it doesn't want the mod to run through a mod manager that blocks the firewall hmmmmm

 

THOUGH I COULD BE COMPLETELY MISSUNDERSTANDING THIS

 

but its true both mods DONT work in the game when using a manager and this is what shows up in both of them.

Edited May 16, 2015 by FlyingAce

[jippa_lippa]

Guys i know it sounds stupid and i already had one answer, but i'm really scared and i need at least an other person's point of view on 2 questions.

 

1- I have both Windows and Mac Os x on the same computer (on different drives). I can format windows but formatting the mac would be a true pain...has this virus even got a a 1% chance of working inside OS X, or am i safe keeping my MAC HD non formatted? (note i used the mac to backup savegames after i MIGHT have been hit by the virus)

2- Is it safe to backup and restore savegames, or might the Rockstar Games folder inside documents be linked to the virus?

 

I know i'm paranoid, mad, and whiny...but i'm utterly terrified by viruses and i need an answer on those 2 questions before i can sleep safely (i suffer from MILD anxiety).

Thank you so much for understanding, i really appreciate it

Edited May 16, 2015 by jippa_lippa

[G0nx4]

Guys i know it sounds stupid and i already had one answer, but i'm really scared and i need at least an other person's point of view on 2 questions.

 

1- I have both Windows and Mac Os x on my computer (on different drives). I can format windows but formatting the mac would be a true pain...has this virus even got a a 1% chance of working inside OS X, or am i safe keeping my MAC HD non formatted? (note i used the mac to backup savegames after i MIGHT have been hit by the virus)

2- Is it safe to backup and restore savegames, or might the Rockstar Games folder inside documents be linked to the virus?

 

I know i'm paranoid, mad, and whiny...but i'm utterly terrified by viruses and i need an answer on those 2 questions before i can sleep safely. (i suffer from mile anxiety)

Thank you so much for understanding, i really appreciate it

Don't format, you will be wasting your time. Just follow the guide and scan with an antivirus.

[jippa_lippa]

 

- cut -

Don't format, you will be wasting your time. Just follow the guide and scan with an antivirus.

 

 

I have been formatting my PC twice a month for years, i'm used to it...it doesn't bother me.

 

I only (desperately) need a trusty answer to those 2 questions.

Thanks for the concern, by the way.

Edited May 16, 2015 by jippa_lippa