22 replies to this topic

[archangel73337]

Hello Folks.

I don't know how, but on Nexusmods is uploaded a virus from user Mastaloe - https://www.nexusmod...users/103421908

Be aware to download mods from him!

 

Well, about mod. 

 

Mod link is this - DO NOT DOWNLOAD - https://www.nexusmod...nk2077/mods/271  

 

This file is malware, because after using it, it's create a folder here AppData\Roaming\ (folder name) Up_tmp and there is file, name - svhosts.exe (2.30 MB)? Why there is file, which name like Windows Host process name?

 

 5.PNG   11.33KB   9 downloads   4.PNG   66.52KB   5 downloads

 

After check on virustotal, i got this - https://www.virustot...bc7a0/detection

 

But this is not over.

 

In folder C:\Windows it's also create file, which name is svhosts.exe (6.03 MB)

This exe also create autorun task!

 

 1.PNG   15.33KB   9 downloads

 

 2.PNG   12.19KB   6 downloads

 

 3.PNG   80.29KB   9 downloads

 

 

 

Virustotal check - https://www.virustotal.com/gui/file/0091871c785aecdf02d7021ac5284fe13bcf0aab518bd1b78ed552bcccfbc7a0/detection

 

Please do something with author of this file.

 

By the way, after installing this mod, i got 100% load of GPU, I guess it can be also a miner.

 

Who downloaded this mod, please check your PCs and clean it from this malware.

I already reported about this file to Nexus, but I don't know when they will remove it.

Edited by archangel73337, 17 December 2020 - 09:33 pm.

[Zanderat]

I reported it about an hour ago.  It is still up.

[archangel73337]

Yeah, still up, 629 download, poor people, they even don't know about it.

Thank you for report.

[Zanderat]

In the comments for the real Cyber Config mod, people are also talking about it.  https://www.nexusmod.../183/?tab=posts

[archangel73337]

Some information what is doing this virus, just watch

[hash]
value=91B01D0CE46DACAE91E5B81D6FDB302C
[commentary]
value=Build 17.12.2020
[NameServices]
value=svhost
[ServerHS]
0=194.147.78.156
[mincorecount]
value=2
[mainer_dir]
value=C:\Windows\data\
[DateTime]
InstallSvc=12/17/2020 11:09:49 PM
[mainer_param_str]
value=-a kawpow -o stratum+tcp://rvn.kryptex.network:7000 -u RRrPSJ7C8up3LW8a11jwVNzgqPX7F27AjM.v2d882224b:xxxxxx -long-format
[mainer_exe]
value=svhosts.exe

Also create 2 files.

 

C:\Windows\parameters.ini

C:\Windows\data\svhost.exe

Edited by archangel73337, 17 December 2020 - 09:08 pm.

[archangel73337]

More information about miner operator: https://ipinfo.io/194.147.78.156

[archangel73337]

Also, who downloaded this infected mod, just check your PC using FREE software from Kaspersky, here is link - https://www.kaspersk...us-removal-tool

[andwhat112]

Thanks for all the information. Too bad the "mod" (containing the virus) wasn't removed fast enough. 

[begamerbr]

Hey, i just found the same things on my PC after installing this sh*t, reported also and the mod now is under moderation.

 

I removed all the files, should I do something else ?

[archangel73337]

Hey, i just found the same things on my PC after installing this sh*t, reported also and the mod now is under moderation.

 

I removed all the files, should I do something else ?

 

Also, just check your PC using FREE software from Kaspersky, here is link - https://www.kaspersk...us-removal-tool