Trojan:Win32 Wacatac.B!ml :: Call of Duty: Modern Warfare 2 (2009)

Store Page

Call of Duty: Modern Warfare 2 (2009) - Multiplayer

All Discussions Screenshots Broadcasts Videos News Guides Reviews

Call of Duty: Modern Warfare 2 (2009) - Multiplayer > General Discussions > Topic Details

Bee

has Call of Duty: Modern Warfare 2 (2009) - Multiplayer

Jun 26, 2023 @ 4:51am

Trojan:Win32 Wacatac.B!ml

make sure you have a virus scanner before using this game, they attack using hacked lobbies. replacing dsound.dll

< >

Showing 16-30 of 67 comments

I^IUHhHHhhHhHhHH² ^B Jul 5, 2023 @ 10:12am

Every lobby is “hacked” blud

#16

lp.edoardo has Call of Duty: Modern Warfare 2 (2009) - Multiplayer

Jul 5, 2023 @ 11:07am

The !ml indicates the signature is based on machine learning.
It's highly probable the detection was a false positive.
If anyone gets the same issue again, please make a copy of the file and upload it somewhere, I can disassemble it and finally understand what's going on.

#17

^5Robert

Jul 6, 2023 @ 1:27pm

This comment is awaiting analysis by our automated content check system. It will be temporarily hidden until we verify that it does not contain harmful content (e.g. links to websites that attempt to steal information).

Last edited by ^5Robert; Jul 6, 2023 @ 1:28pm

#18

lp.edoardo has Call of Duty: Modern Warfare 2 (2009) - Multiplayer

Jul 7, 2023 @ 8:04am

It is indeed not part of the default installation.
Robert, did you delete the file already? Sent you a friend request.
It seems you could remediate by setting the Powershell execution policy to AllSigned.

#19

lp.edoardo has Call of Duty: Modern Warfare 2 (2009) - Multiplayer

Jul 7, 2023 @ 12:55pm

I can see strings:
Worm deactivated by control server.
Worm failed to retrieve data from the control server.
Worm killed by control server.
Worm up to date.
wormStatus infected %s
Unsupported Windows version (tf?)
User was randomly selected to be a spreader in modded lobbies.
User was selected to be a host/ignore modded lobbies/join unmodded lobbies only
username=%s&steamID=%lld&cpu=%s&gpu=%s&winver=%s

The "tf?" proably means "what the f**k?".
Seems this stuff has been coded specifically for COD MW2

#20

^5Robert

Jul 7, 2023 @ 2:27pm

The address could also just be some random file sharing site.

The dll seems to check for custom lobbies and prevent you from joining/hosting one.

It also spreads itself through rce and prevents any rce from happening on the host.

#21

MC Chase

Jul 27, 2023 @ 10:40am

And this issue is exactly why Labs was made, to make sure players don't get hacked or ddossed. But since Activision killed XLabs, we're forced to use their broken servers.

Last edited by MC Chase; Jul 27, 2023 @ 10:40am

#22

The Reaper Jul 27, 2023 @ 2:00pm

Try taking a dewormer... Works on my dogs.... May be helpful for you too

#23

TRethehedgehog has Call of Duty: Modern Warfare 2 (2009) - Multiplayer

Jul 27, 2023 @ 2:15pm

Well look at that, you guys made enough public outcry and now they’re taking the worm out

Last edited by TRethehedgehog; Jul 27, 2023 @ 2:15pm

#24

infrared

Jul 27, 2023 @ 2:53pm

Originally posted by TRethehedgehog:
Well look at that, you guys made enough public outcry and now they’re taking the worm out

We need to make noise about BO2 people!

#25

Frax

Jul 27, 2023 @ 4:36pm

Is this about the dsound.dll file in the game folder or C:\Windows\System32\dsound.dll ?

#26

infrared

Jul 27, 2023 @ 4:47pm

Originally posted by Frax:
Is this about the dsound.dll file in the game folder or C:\Windows\System32\dsound.dll ?

In the game folder. The ones in System32 are core files that should never be deleted.

#27

Frax

Jul 27, 2023 @ 4:58pm

Originally posted by infrared:
Originally posted by Frax:
Is this about the dsound.dll file in the game folder or C:\Windows\System32\dsound.dll ?
In the game folder. The ones in System32 are core files that should never be deleted.

Ok, I deleted the file in the game folder. Is there any information if it could spread to other folders?

#28

infrared

Jul 27, 2023 @ 5:02pm

Originally posted by Frax:
Originally posted by infrared:
In the game folder. The ones in System32 are core files that should never be deleted.
Ok, I deleted the file in the game folder. Is there any information if it could spread to other folders?

It's only purpose is, ironically, protection from RCE, so no.

#29