
Malware inside Angry Planes & Noclip Mod



I heard the so-called modder was apparently an R* games employee trying to shut everyone down on modding the game by making an epic plane mod that had everyone fooled, including myself. This incident is supposed to have a huge impact to warn people modding their game and, most importantly, turn people away from modding their game completely. Now I don't know if I should believe this, but looking back at the way R* acted towards the modding community, I wouldn't be surprised if this is their retaliation.

 

Don't forget the tinfoil hat on the way out.

I wonder if this is what was going on with this inside the /x64 folder of my Steam install? It got picked up as a virus and deleted. Does anyone else have another GTA5.exe inside a /x64 folder?

Yeah that's it.

Igor Bogdanoff

I heard the so-called modder was apparently an R* games employee trying to shut everyone down on modding the game by making an epic plane mod that had everyone fooled, including myself. This incident is supposed to have a huge impact to warn people modding their game and, most importantly, turn people away from modding their game completely. Now I don't know if I should believe this, but looking back at the way R* acted towards the modding community, I wouldn't be surprised if this is their retaliation.

Yeah, and a legit Steam profile with an IP from Denmark. 300% an R* job.

aboutseven

Man, I went to bed last night after I posted this with no replies, and then I wake up to see this blown up across the internet. I was really hoping that I was wrong, but looks like I wasn't. I really hope that everyone hit has changed their passwords and that their accounts are safe. I would strongly suggest using something like KeePass from now on. It keeps your passwords in an encrypted database, and sure enough I haven't been hit with any login attempts. Still changing my passwords for the sake of it, might even reinstall Windows soon.

jippa_lippa

I heard the so-called modder was apparently an R* games employee trying to shut everyone down on modding the game by making an epic plane mod that had everyone fooled, including myself. This incident is supposed to have a huge impact to warn people modding their game and, most importantly, turn people away from modding their game completely. Now I don't know if I should believe this, but looking back at the way R* acted towards the modding community, I wouldn't be surprised if this is their retaliation.

 

Seems a little extreme...possible but extreme...

 

By the way, how do we check trainers' health in the future?

I really need the Enhanced Native Trainer for my videos, but I don't know how to check its integrity.

Right now the only guy i trust is Alexander ;)

I heard the so-called modder was apparently an R* games employee trying to shut everyone down on modding the game by making an epic plane mod that had everyone fooled, including myself. This incident is supposed to have a huge impact to warn people modding their game and, most importantly, turn people away from modding their game completely. Now I don't know if I should believe this, but looking back at the way R* acted towards the modding community, I wouldn't be surprised if this is their retaliation.

That's just as bad as conspiracy theories at this point. I think the mod author just wanted to make a quick buck and, due to his stupidity, thought no one would ever notice. f*ck this guy, seriously.

Igor Bogdanoff

I heard the so-called modder was apparently an R* games employee trying to shut everyone down on modding the game by making an epic plane mod that had everyone fooled, including myself. This incident is supposed to have a huge impact to warn people modding their game and, most importantly, turn people away from modding their game completely. Now I don't know if I should believe this, but looking back at the way R* acted towards the modding community, I wouldn't be surprised if this is their retaliation.

Yeah, and a legit Steam profile with an IP from Denmark. 300% an R* job.


Interesting! This one is also infected, albeit with a different flavour of the malware! This one downloads GTA5.exe from the internet and executes it. Thus, INFECTED.

 

I wonder if this is what was going on with this inside the /x64 folder of my Steam install? It got picked up as a virus and deleted. Does anyone else have another GTA5.exe inside a /x64 folder?

 

WTF..

[image: orUPB1k.jpg]

and suddenly

[image: fHg83cI.jpg]

 

 

Strange, right? I found it around the same time I was using noclip, and since not using that (only the once) I haven't had another gta5.exe inside my x64 folder... yet.

I heard the so-called modder was apparently an R* games employee trying to shut everyone down on modding the game by making an epic plane mod that had everyone fooled, including myself. This incident is supposed to have a huge impact to warn people modding their game and, most importantly, turn people away from modding their game completely. Now I don't know if I should believe this, but looking back at the way R* acted towards the modding community, I wouldn't be surprised if this is their retaliation.

No... Please... Just stop....


 

I wonder if this is what was going on with this inside the /x64 folder of my Steam install? It got picked up as a virus and deleted. Does anyone else have another GTA5.exe inside a /x64 folder?

Yeah that's it.

 

Damnit. Do you know if there's anything else to now look for? I'm seriously considering a full format at this point just to make sure. When I think of all the PuTTY SSH sessions I've had open this past few days too. Gah.

Edited by LoneMerc

lewistair1

Strings from the running Twitch module:

<Module>
yuilgy0y.dll
EntryPoint
Bot
mscorlib
System
Object
_userAgentArray
_targetChannel
Main
.ctor
System.Net
CookieContainer
_cookieContainer
_channel
_randomUrl
_userAgent
Setup
Run
Get
channel
userAgent
url
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
yuilgy0y
Random
Next
System.Threading
ThreadStart
Thread
Start
.cctor
String
ToLower
Concat
Console
WriteLine
Replace
System.Text.RegularExpressions
Regex
Match
Group
get_Success
GroupCollection
get_Groups
get_Item
Capture
get_Value
System.Web
HttpUtility
UrlEncode
RegexOptions
MatchCollection
Matches
get_Count
Int32
Sleep
Contains
WebRequest
Create
HttpWebRequest
set_CookieContainer
set_Timeout
set_ReadWriteTimeout
set_UserAgent
WebHeaderCollection
get_Headers
System.Collections.Specialized
NameValueCollection
Add
set_Referer
WebResponse
GetResponse
HttpWebResponse
System.IO
Stream
GetResponseStream
StreamReader
TextReader
ReadToEnd
Setup failed
Setup OK
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1b2pre) Gecko/20081015 Fennec/1.0a1
Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
brianthedanishviking
http://api.twitch.tv/api/channels/
/access_token
No access token response
"token":"(.*?)","sig":"(.*?)",
No token match
http://usher.twitch.tv/api/channel/hls/
.m3u8?token=
&sig=
No select response
http(s)?://([\w+?\.\w+])+([a-zA-Z0-9\~\!\@\#\$\%\^\&\*\(\)_\-\=\+\\\/\?\.\:\;\'\,]*)?
No URLs
{0} URLs
Update
#EXT-X-ENDLIST
X-Requested-With
ShockwaveFlash/16.0.0.235
http://www.twitch.tv/
WrapNonExceptionThrows
_CorDllMain
mscoree.dll
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
FileDescription
FileVersion
0.0.0.0
InternalName
yuilgy0y.dll
LegalCopyright
OriginalFilename
yuilgy0y.dll
ProductVersion
0.0.0.0
Assembly Version
0.0.0.0
!This program cannot be run in DOS mode.
.text
`.rsrc
@.reloc
*BSJB
v4.0.30319
#Strings
#US
#GUID
#Blob


Strings from the running Steam Inventory evaluation module:


<Module>
02bjg5dv.dll
EntryPoint
Response
MemoryReader
ByteArrayRocks
mscorlib
System
Object
Main
Main2
Get
.ctor
System.Net
HttpWebResponse
HttpResponse
ResponseString
BlockSize
CloseHandle
OpenProcess
ReadProcessMemory
_processId
_handle
OpenHandle
System.Collections.Generic
List`1
FindPattern
Empty
Locate
IsMatch
IsEmptyLocate
url
cookie
hObject
processAccess
bInheritHandle
processId
hProcess
lpBaseAddress
buffer
System.Runtime.InteropServices
InAttribute
OutAttribute
size
lpNumberOfBytesRead
MemoryAddress
bytesToRead
bytesRead
pattern
self
candidate
array
position
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
02bjg5dv
ToString
Exception
System.Diagnostics
Process
GetProcessesByName
System.Text
Encoding
get_UTF8
GetBytes
get_Id
Enumerator
GetEnumerator
get_Current
IntPtr
op_Explicit
GetString
Contains
Add
MoveNext
IDisposable
Dispose
get_Count
String
Concat
System.Text.RegularExpressions
Regex
Match
Group
get_Success
GroupCollection
get_Groups
get_Item
Capture
get_Value
Kill
System.Threading
Thread
Sleep
op_Inequality
op_Equality
MatchCollection
Matches
Int32
System.Collections
IEnumerator
WebRequest
Create
HttpWebRequest
WebHeaderCollection
get_Headers
HttpRequestHeader
Set
WebResponse
GetResponse
System.IO
Stream
GetResponseStream
StreamReader
TextReader
ReadToEnd
Close
DllImportAttribute
kernel32.dll
Zero
Byte
ToInt32
ToArray
.cctor
steamwebhelper
No process found
7656119??????????%7c%7c
No logins found
http://steamcommunity.com/home
steamLogin=
g_steamID = "(.*?)";
http://steamcommunity.com/profiles/
/inventory/json/730/2/
No inventory
"market_name":"(.*?)","name_color":"(.*?)","background_color":"(.*?)","type":"(.*?)","tradable":(.*?),
WrapNonExceptionThrows
_CorDllMain
mscoree.dll
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
FileDescription
FileVersion
0.0.0.0
InternalName
02bjg5dv.dll
LegalCopyright
OriginalFilename
02bjg5dv.dll
ProductVersion
0.0.0.0
Assembly Version


Strings from the Facebook information stealing module:


wpcdrdeu.dll
EntryPoint
CookieHelper
CryptProtectPromptFlags
CRYPTPROTECT_PROMPTSTRUCT
DATA_BLOB
SQLiteHandler
record_header_field
sqlite_master_entry
table_entry
mscorlib
System
Object
Enum
ValueType
_currentCookie
Main
HttpGet
.ctor
System.Collections.Generic
List`1
GetCookieList
TryReadCookies
CryptUnprotectData
Decrypt
value__
CRYPTPROTECT_PROMPT_ON_UNPROTECT
CRYPTPROTECT_PROMPT_ON_PROTECT
cbSize
dwPromptFlags
hwndApp
szPrompt
cbData
pbData
db_bytes
encoding
field_names
master_table_entries
page_size
SQLDataTypeSize
table_entries
ConvertToInteger
CVL
GetRowCount
GetTableNames
GetValue
GVL
IsOdd
ReadMasterTable
ReadTable
ReadTableFromOffset
size
type
row_id
item_type
item_name
astable_name
root_num
sql_statement
content
url
allowedNames
browser
file
cookieList
pDataIn
szDataDescr
pOptionalEntropy
pvReserved
pPromptStruct
dwFlags
pDataOut
Datas
baseName
startIndex
Size
endIndex
row_num
field
value
Offset
TableName
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
wpcdrdeu
Add
System.Text
StringBuilder
Enumerator
GetEnumerator
get_Current
String
IsNullOrEmpty
System.Text.RegularExpressions
Regex
MatchCollection
Matches
get_Count
Match
get_Item
GroupCollection
get_Groups
Group
Capture
get_Value
Replace
AppendFormat
MoveNext
IDisposable
Dispose
ToString
Exception
System.Net
WebRequest
Create
HttpWebRequest
set_Method
set_AllowAutoRedirect
WebHeaderCollection
get_Headers
System.Collections.Specialized
NameValueCollection
WebResponse
GetResponse
HttpWebResponse
System.IO
Stream
GetResponseStream
Encoding
get_UTF8
StreamReader
TextReader
ReadToEnd
.cctor
Environment
SpecialFolder
GetFolderPath
Path
Combine
Directory
Exists
DirectoryInfo
GetDirectories
FileSystemInfo
get_FullName
File
Console
WriteLine
Empty
ToLower
Contains
get_Length
get_Default
GetBytes
System.Runtime.InteropServices
DllImportAttribute
Crypt32.dll
GCHandle
GCHandleType
Alloc
AddrOfPinnedObject
Free
IntPtr
Zero
Byte
Marshal
Copy
GetString
Substring
FlagsAttribute
StructLayoutAttribute
LayoutKind
<PrivateImplementationDetails>{8BBC7D72-C61E-48B2-B139-18F84516FABA}
CompilerGeneratedAttribute
__StaticArrayInitTypeSize=10
$$method0x6000009-1
RuntimeHelpers
Array
RuntimeFieldHandle
InitializeArray
Microsoft.VisualBasic
FileSystem
OpenMode
OpenAccess
OpenShare
FileOpen
LOF
Strings
Space
FileGet
Int32
FileClose
CompareTo
Decimal
Compare
BitConverter
ToInt64
op_Equality
Microsoft.VisualBasic.CompilerServices
Utils
CopyArray
Convert
ToInt32
Subtract
ToUInt16
ToUInt64
Int64
Math
Round
get_Unicode
get_BigEndianUnicode
Multiply
IndexOf
Char
Split
LTrim
Conversions
c_user
https://m.facebook.com/settings/account/
<br /><span class="(.*?)">(.*?)</span>
@
[{0}] [Alias: {1}] [Email: {2}] [Cookies: {3}] [Language: {4}]
FacebookData
GET
Cookie
Google
Chrome
User Data
Cookies
Mozilla
Firefox
Profiles
cookies.sqlite
moz_cookies
cookies
host
host_key
.facebook.com
name
value
encrypted_value
{0}={1};
SQLite format 3
Not a valid SQLite 3 Database File
Auto-vacuum capable database is not supported
table
UNIQUE
WrapNonExceptionThrows
_CorDllMain
mscoree.dll
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
FileDescription
FileVersion
0.0.0.0
InternalName
wpcdrdeu.dll
LegalCopyright
OriginalFilename
wpcdrdeu.dll
ProductVersion
0.0.0.0
Assembly Version
0.0.0.0


If you have any questions or requests let me know and I'll see if I can figure out more. I don't have a ton of time to spend on it as my lunch break is over.
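As an added example (not code from lewistair1's post or from anyone in this thread), the Python triage script below turns the indicator strings visible in the three dumps above into a scan of a GTA V install folder, which also speaks to jippa_lippa's earlier question about how to check a trainer's integrity. It searches each indicator in both UTF-8 and UTF-16LE, because a .NET assembly stores identifiers and string literals in those two encodings, and it additionally flags a GTA5.exe anywhere below the install root, the symptom several posters reported; the file extensions, the two-hit threshold and the constructed sample are assumptions.

```python
import os

# Indicator strings copied from the three dumps posted above, grouped by module.
# Identifiers (type/method names) live in a .NET assembly's #Strings heap as UTF-8,
# while string literals live in the #US heap as UTF-16LE, so each indicator is
# searched in both encodings below.
INDICATORS = {
    "twitch-viewbot (yuilgy0y.dll)": [
        "yuilgy0y", "_targetChannel",
        "http://api.twitch.tv/api/channels/",
        "http://usher.twitch.tv/api/channel/hls/",
        "ShockwaveFlash/16.0.0.235",
    ],
    "steam-inventory (02bjg5dv.dll)": [
        "02bjg5dv", "ReadProcessMemory", "steamwebhelper",
        "7656119??????????%7c%7c", "/inventory/json/730/2/",
    ],
    "facebook-cookies (wpcdrdeu.dll)": [
        "wpcdrdeu", "CryptUnprotectData", "c_user",
        "https://m.facebook.com/settings/account/",
        "encrypted_value", "moz_cookies",
    ],
}
# Assumed threshold: one generic name such as ReadProcessMemory is not a verdict.
MIN_HITS = 2


def indicator_hits(data: bytes) -> dict:
    """Return {family: [indicators found]} for each family with at least MIN_HITS."""
    hits = {}
    for family, needles in INDICATORS.items():
        found = [n for n in needles
                 if n.encode("utf-8") in data or n.encode("utf-16-le") in data]
        if len(found) >= MIN_HITS:
            hits[family] = found
    return hits


def is_stray_gta5(install_root: str, path: str) -> bool:
    """True for a GTA5.exe below the install root but not in the root itself
    (the extra GTA5.exe in /x64 that several posters reported)."""
    if os.path.basename(path).lower() != "gta5.exe":
        return False
    return os.path.normpath(os.path.dirname(path)) != os.path.normpath(install_root)


def scan_tree(install_root: str, exts=(".asi", ".dll", ".exe")) -> dict:
    """Walk the install tree; report files carrying indicator strings or a stray GTA5.exe."""
    report = {}
    for dirpath, _dirs, files in os.walk(install_root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = indicator_hits(fh.read())
            if is_stray_gta5(install_root, path):
                hits["stray GTA5.exe outside install root"] = [path]
            if hits:
                report[path] = hits
    return report


def constructed_sample() -> bytes:
    """Constructed stand-in for the Steam module (not a real binary): identifiers
    as NUL-separated UTF-8, literals as UTF-16LE, the way a .NET assembly stores them."""
    ids = b"\x00".join(s.encode("utf-8") for s in ["02bjg5dv", "ReadProcessMemory", "OpenProcess"])
    lits = b"".join(s.encode("utf-16-le") for s in ["steamwebhelper", "7656119??????????%7c%7c"])
    return b"MZ" + ids + lits
```

Call scan_tree() on your Grand Theft Auto V install directory; a hit is a reason to pull the file and look closer, not a verdict, since a legitimate trainer can share generic .NET names with these modules.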

What should we look for in the registry, specifically?

MarshallRawR

The thing is, that's where I got my NoClip from

[image: g4SYaGv.jpg]

 

Silent, could you please analyze those mods:

http://www.palmbeachgames.com/files/file/3-sapdrapid-response/

https://www.gta5-mods.com/scripts/ambulance-miini-missions

 

Alongside NoClip, these are pretty much the only mods I used, and I had the Fade and the fake GTA5.exe.

Edited by MarshallRawR

I heard the so-called modder was apparently an R* games employee trying to shut everyone down on modding the game by making an epic plane mod that had everyone fooled, including myself. This incident is supposed to have a huge impact to warn people modding their game and, most importantly, turn people away from modding their game completely. Now I don't know if I should believe this, but looking back at the way R* acted towards the modding community, I wouldn't be surprised if this is their retaliation.

They'd make something more epic; this was a simple, simple, simple, simple script mod.

TrojanNemo

I think there are two questions that have yet to be answered:

1) Was it every copy of the mod and did it activate for every user, every time?

2) How can you tell if you ever had it when (now) you have no indication anywhere that you got infected?

 

In my case, as I said before, I had used the mod repeatedly and updated it with every update to it. But my AV has nothing in quarantine, I had nothing in my registry, nothing in my temp files, nothing suspicious running. My firewall has no log of anything like what has been mentioned here before.

 

So I wonder if I was infected and it self-destroyed to not leave a trace, or if for some reason, I never got hit in the first place even though I actively used the AngryPlanes mod.

jippa_lippa

Interesting! This one is also infected, albeit with a different flavour of the malware! This one downloads GTA5.exe from the internet and executes it. Thus, INFECTED.

I wonder if this is what was going on with this inside the /x64 folder of my Steam install? It got picked up as a virus and deleted. Does anyone else have another GTA5.exe inside a /x64 folder?

WTF..

[image: orUPB1k.jpg]

and suddenly

[image: fHg83cI.jpg]

 

So basically, I've been infected by both?

Great.

 

 

My Avast locked "Fade.exe" in quarantine the first day I used it (8th of May) and, on the same day, between 10 p.m. and midnight, put 8 GTA5.exe files in quarantine.

Strange behaviour...my original GTA V.exe has never been deleted though.

What are these fake exes? What's their purpose?

 

By the way how does the virus ACTIVATE?

Is it safe to just move the asi files around? (like saving them in a folder in the data drive)?

Edited by jippa_lippa

The thing is, that's where I got my NoClip from

[image: g4SYaGv.jpg]

 

Silent, could you please analyze those mods:

http://www.palmbeachgames.com/files/file/3-sapdrapid-response/

https://www.gta5-mods.com/scripts/ambulance-miini-missions

 

Alongside NoClip, these are pretty much the only mods I used, and I had the Fade and the fake GTA5.exe.

 

I used that exact same noclip.

[image: 24l1y0n.jpg]

Edited by LoneMerc

Igor Bogdanoff

Can someone check if this one https://www.sendspace.com/file/qho05m has a virus too?

Edit: Nope, it should be safe (it's from this thread http://gtaforums.com/topic/792103-noclip/)

Edited by Tomasak

Gamingalkaline

I used the Angry Planes mod. I alt+F4'd my game because of the missiles. I checked my task manager because the game was running slowly, saw Fade.exe, opened the file location, and deleted the files the same day I got the mod. No idea if it stole anything, but I changed my passwords; my antivirus never picked it up, but I did.

Now my concern is what the f*ck is wrong with people that they'd make a mod that works, only to include malware and sh*t in it. Like, dude, you registered on a website that can log your IP when you sign in and upload files.

I don't really want to read through 9 pages. Can anyone confirm if any of these mods contain anything?

- Lua script loader
* Enhanced train driver
* IV style enter and exit
- Native Trainer
- Open interiors
- PC Trainer
- 11Zero11 trainer
- Endeavor mod menu
- IPL loader
- Rare vehicles spawn in SP
- Heist vehicles spawn naturally in SP
- Working JB 700

 

Fortunately, I have not installed the angry planes or the no clip mod.

Gamingalkaline

I used the Angry Planes mod. I alt+F4'd my game because of the missiles. I checked my task manager because the game was running slowly, saw Fade.exe, opened the file location, and deleted the files the same day I got the mod. No idea if it stole anything, but I changed my passwords; my antivirus never picked it up, but I did.

Now my concern is what the f*ck is wrong with people that they'd make a mod that works, only to include malware and sh*t in it. Like, dude, you registered on a website that can log your IP when you sign in and upload files.

So the guy who uploaded Angry Planes to gta5-mods.com goes by the name of onsby. There is an account on gtaforums with the same name, registered a week ago. They could be different people though, because the gtaforums account is from the Netherlands (if it's anything to go by).

I used the Angry Planes mod. I alt+F4'd my game because of the missiles. I checked my task manager because the game was running slowly, saw Fade.exe, opened the file location, and deleted the files the same day I got the mod. No idea if it stole anything, but I changed my passwords; my antivirus never picked it up, but I did.

Now my concern is what the f*ck is wrong with people that they'd make a mod that works, only to include malware and sh*t in it. Like, dude, you registered on a website that can log your IP when you sign in and upload files.

 

IP is totally and absolutely meaningless

So the guy who uploaded Angry Planes to gta5-mods.com goes by the name of onsby. There is an account on gtaforums with the same name, registered a week ago. They could be different people though, because the gtaforums account is from the Netherlands (if it's anything to go by).

IP's were checked, they're the same people.

Igor Bogdanoff

What will we do? File a criminal complaint (I don't really know how to say this in English)?

404UserNotFound

I saw this being discussed somewhat on the first page, but I'm from the AlliedModders community and on our forums when you add a .sp file as a post attachment, it comes up with two options:

 

Get Plugin

Get Source

 

Get Plugin gets you the compiled .smx file and Get Source gets you the uncompiled .sp file. The forum runs the attached .sp file through the SourcePawn compiler at the time of download and counts every download.

 

It's also against our T&C to upload compiled plugins without the source.

 

The .sp files are completely readable in any notepad program. Our forum also has a New Plugins section and users who are designated as Plugin Approvers. These users know how to spot malicious code and approve good plugins, which moves the new plugin's thread into the Approved Plugins section.

 

Plugins that reproduce things in existing plugins, or plugins that no longer work (due to game updates), are usually moved to the Unapproved Plugins section.

 

That setup sounds like what this community needs to prevent the spread of malicious mods.

I saw this being discussed somewhat on the first page, but I'm from the AlliedModders community and on our forums when you add a .sp file as a post attachment, it comes up with two options:

 

Get Plugin

Get Source

 

Get Plugin gets you the compiled .smx file and Get Source gets you the uncompiled .sp file. The forum runs the attached .sp file through the SourcePawn compiler at the time of download and counts every download.

 

It's also against our T&C to upload compiled plugins without the source.

 

The .sp files are completely readable in any notepad program. Our forum also has a New Plugins section and users who are designated as Plugin Approvers. These users know how to spot malicious code and approve good plugins, which moves the new plugin's thread into the Approved Plugins section.

 

Plugins that reproduce things in existing plugins, or plugins that no longer work (due to game updates), are usually moved to the Unapproved Plugins section.

 

That setup sounds like what this community needs to prevent the spread of malicious mods.

Pawn scripts =/= entire C++ projects/DLLs with numerous source files and dependencies

 

How would this even work? server-side MSVC?

 

It would make sense with CLEO mods possibly but not this.

Edited by Snowshoe

This topic is now closed to further replies.