[Virus] Be Aware from Downloading mod - ConfigOverhaulCyberpunk 2077 by Mastaloe

[archangel73337]

Hello Folks.

I don't know how, but on Nexusmods is uploaded a virus from user Mastaloe - https://www.nexusmods.com/cyberpunk2077/users/103421908

Be aware to download mods from him!

 

Well, about mod.

 

Mod link is this - DO NOT DOWNLOAD - https://www.nexusmods.com/cyberpunk2077/mods/271

 

This file is malware, because after using it, it's create a folder here AppData\Roaming\ (folder name) Up_tmp and there is file, name - svhosts.exe (2.30 MB)? Why there is file, which name like Windows Host process name?

After check on virustotal, i got this - https://www.virustotal.com/gui/file/0091871c785aecdf02d7021ac5284fe13bcf0aab518bd1b78ed552bcccfbc7a0/detection

But this is not over.

In folder C:\Windows it's also create file, which name is svhosts.exe (6.03 MB)

This exe also create autorun task!

Virustotal check - https://www.virustotal.com/gui/file/0091871c785aecdf02d7021ac5284fe13bcf0aab518bd1b78ed552bcccfbc7a0/detection

Please do something with author of this file.

By the way, after installing this mod, i got 100% load of GPU, I guess it can be also a miner.

Who downloaded this mod, please check your PCs and clean it from this malware.

I already reported about this file to Nexus, but I don't know when they will remove it.

Edited December 17, 2020 by archangel73337

[Zanderat]

I reported it about an hour ago. It is still up.

[archangel73337]

Yeah, still up, 629 download, poor people, they even don't know about it.

Thank you for report.

[Zanderat]

In the comments for the real Cyber Config mod, people are also talking about it. https://www.nexusmods.com/cyberpunk2077/mods/183/?tab=posts

[archangel73337]

Some information what is doing this virus, just watch

[hash]
value=91B01D0CE46DACAE91E5B81D6FDB302C
[commentary]
value=Build 17.12.2020
[NameServices]
value=svhost
[ServerHS]
0=194.147.78.156
[mincorecount]
value=2
[mainer_dir]
value=C:\Windows\data\
[DateTime]
InstallSvc=12/17/2020 11:09:49 PM
[mainer_param_str]
value=-a kawpow -o stratum+tcp://rvn.kryptex.network:7000 -u RRrPSJ7C8up3LW8a11jwVNzgqPX7F27AjM.v2d882224b:xxxxxx -long-format
[mainer_exe]
value=svhosts.exe

Also create 2 files.

 

C:\Windows\parameters.ini

C:\Windows\data\svhost.exe

Edited December 17, 2020 by archangel73337

[archangel73337]

More information about miner operator: https://ipinfo.io/194.147.78.156

[archangel73337]

Also, who downloaded this infected mod, just check your PC using FREE software from Kaspersky, here is link - https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool

[andwhat112]

Thanks for all the information. Too bad the "mod" (containing the virus) wasn't removed fast enough.

[begamerbr]

Hey, i just found the same things on my PC after installing this sh*t, reported also and the mod now is under moderation.

 

I removed all the files, should I do something else ?

[archangel73337]

Hey, i just found the same things on my PC after installing this sh*t, reported also and the mod now is under moderation.

 

I removed all the files, should I do something else ?

 

Also, just check your PC using FREE software from Kaspersky, here is link - https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool