Higlac, posted June 9, 2014 (edited)
I got an email from Nexus sent from what looks like a French travel site (terresoubliees.com) via mailjet.com. It links to a download for a .zip of an .exe. The email started setting off alarms because I've never gotten an email from nexusmods, none of the links are in cleartext, and it links directly to a download. I'm not trusting it for now, so I've fired up a virtual machine to investigate. I'll update later after I finish downloading and installing Wine so I can run this .exe in a safe environment. Unless, of course, Nexus sends unsolicited emails from French addresses through a separate company? I'll update after investigation. If an admin/mod wants a copy of the email/download, then please PM me.
Edit: Crashes when you try to run it in Wine, brb installing Windows VM.
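As an added example (not code from the original posts or from Nexus), here is a small Python triage script that checks a raw message for the indicators Higlac lists above: the sender address does not belong to the organisation the mail claims to be from, the mail was relayed through a third-party mailer, the only link is hidden behind anchor text instead of being shown in cleartext, and that link points straight at an archive or executable. The two sample messages, their hosts, addresses and paths are constructed placeholders patterned on the post, not the real email; the set of expected sender domains is an analyst-supplied assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the post: a mail claiming to be from Nexus,
# sent from a travel-site address through a third-party mailer, with the only
# link hidden behind anchor text and pointing at a .zip. Hosts, addresses and
# paths are placeholders (RFC 5737 test IPs), not the real message.
SUSPICIOUS_EML = b"""Return-Path: <bounce@mailjet.com>
Received: from smtp.mailjet.com (smtp.mailjet.com [192.0.2.10])
\tby mx.example.net with ESMTP; Mon, 9 Jun 2014 10:00:00 +0000
Received: from unknown (unknown [192.0.2.20])
\tby smtp.mailjet.com; Mon, 9 Jun 2014 09:59:00 +0000
From: "Nexus" <info@terresoubliees.com>
To: <user@example.net>
Subject: Nexus update
Content-Type: text/html; charset="utf-8"

<html><body><p>Get the new client here:
<a href="http://terresoubliees.com/files/NexusUpdate.zip">Download</a></p></body></html>
"""

# Constructed control message that should produce no findings.
BENIGN_EML = b"""Return-Path: <noreply@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.30])
\tby mx.example.net with ESMTP; Mon, 9 Jun 2014 10:00:00 +0000
From: "Example" <noreply@example.org>
To: <user@example.net>
Subject: Password reset
Content-Type: text/plain; charset="utf-8"

Reset your password at https://www.example.org/reset (cleartext link, no download).
"""

# File types that should never arrive as a direct download link in mail.
DANGEROUS_EXT = (".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".jar")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation (last two labels). Enough for the
    sample; a real tool would consult the public suffix list."""
    parts = host.strip("<>").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def addr_domain(header_value):
    """Registrable domain of the address in a From:/Return-Path: header."""
    _, addr = parseaddr(str(header_value or ""))
    return registrable(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def relay_domains(msg):
    """Domains of the hosts named after 'from' in each Received: header."""
    out = []
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"\bfrom\s+([^\s\[\(;]+)", str(rcvd))
        if m and "." in m.group(1):  # skip 'unknown' and bare IP literals
            out.append(registrable(m.group(1)))
    return out


def triage(raw, expected_sender_domains):
    """Return a list of (indicator, detail) tuples for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    if from_dom not in expected_sender_domains:
        findings.append(("unexpected-sender", from_dom))
    if rp_dom and rp_dom != from_dom:
        findings.append(("return-path-mismatch", f"{from_dom} vs {rp_dom}"))
    for dom in relay_domains(msg):
        if dom != from_dom and dom not in expected_sender_domains:
            findings.append(("third-party-relay", dom))
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = _LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            url = urlparse(href)
            if url.path.lower().endswith(DANGEROUS_EXT):
                findings.append(("direct-download", href))
            if url.netloc and url.netloc.lower() not in text.lower():
                findings.append(("hidden-link", f'"{text}" -> {href}'))
    if msg.get_body(preferencelist=("plain",)) is None:
        findings.append(("no-plaintext-part", "links only visible in HTML"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SUSPICIOUS_EML, {"nexusmods.com"}):
        print(f"{code:22} {detail}")
    print("benign:", triage(BENIGN_EML, {"example.org"}))
```

None of these checks proves a message is malicious on its own; a legitimate newsletter sent through a bulk mailer will also trip the relay check. The point is that all of them firing together, combined with an unsolicited mail from an organisation that says it sends none, is exactly the pattern worth detonating in a VM rather than on the desktop.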
Dark0ne, posted June 9, 2014
We do not send out mass emails to anyone and this most definitely has not come from us. We are investigating it, though this may have some relation to the database hack that occurred several years back where they'll have gained access to the email accounts used at the time. I'm trying to work out when that hack was (by going back through the news until I find it) and whether people who have signed up recently received this email or whether it's only people from that time or before.
Higlac (author), posted June 9, 2014
Thanks for the quick response. I've got my VM going now to try to see exactly what this thing does. Let me know if you want the email source.
Dark0ne, posted June 9, 2014
It's exactly the same malware from the same person who has been uploading malware to the sites.
Dark0ne, posted June 9, 2014
I believe our database was hacked in 2010 (I thought it was more recently than that, but the only news post I can find is from December 2010), and as someone who reported this had an account made in 2011, it seems that's not the plausible avenue for them getting your email address. We have had no database intrusions any time recently, and none that we know of since then. Obviously this is quite disconcerting and we're taking it seriously.
The main theory that springs to mind is the Bethesda forum hacking that happened a couple of years back. That hacking was made public and everyone's Bethesda forum account information, including email addresses, was leaked online via P2P networks for anyone to download, see and use as they wished. Are the people receiving these emails registered on the Bethesda forums and, if so, are you using the same email here as you are there (or, if you can remember, from when their database was hacked a couple of years ago)?
Higlac (author), posted June 9, 2014 (edited)
I am not on the Bethesda forums. Also, have there been any other reports of spam?
Another edit: From what I'm seeing so far, Superantispyware and Avast are not flagging the downloaded file as a trojan. Malwarebytes, however, does. So if you think you may have been hit with it, try Malwarebytes first, then hit it with the rest of what you might want to run.
What I do to clean PCs:
1. Combofix
2. Disable system restore
3. Malwarebytes
4. Superantispyware
5. Avast boot-time scan
6. Avast full-system scan
7. Re-enable system restore
8. Run CCleaner to hit the registry and temp files
9. Monitor for suspicious activity
10. If suspicious activity continues / stuff comes back:
 a. Run Malwarebytes Anti-Rootkit
 b. Continue from step 1.
Dark0ne, posted June 9, 2014
Ok, well that cancels that one. The next link is from the people who have already been hacked. We're wondering if you guys are friends with other Nexus users who might have had you in their address book. It's common practice for "hackers" to take a user's address book and then propagate their viruses by sending them on to friends and family via saved address books. Obviously right now we're worried about how exactly your email was obtained.
Higlac (author), posted June 9, 2014
You replied as I was editing. I'll check with my other gaming friends to see if they've been hit with this.
zwkdiv, posted June 9, 2014
I've had the same dodgy email. I don't think the email addresses were obtained through users' address books because AFAIK my address isn't in anyone else's address book here on the Nexus. My address could be obtained from the readme attached to my download here, but even that is obfuscated and couldn't be obtained via a bot.
Higlac (author), posted June 9, 2014
After further scanning and stuff, Avast sees it as a virus only when you try to run it, but not when you try to scan the .zip or .exe.