Call of Duty: Modern Warfare 2 (2009) - Multiplayer

Bee 26 Jun 2023 @ 4:51am
Trojan:Win32 Wacatac.B!ml
Make sure you have a virus scanner before using this game; they attack using hacked lobbies, replacing dsound.dll.
Showing 16-30 of 67 comments
Every lobby is “hacked” blud
The !ml indicates the signature is based on machine learning.
It's highly probable the detection was a false positive.
If anyone gets the same issue again, please make a copy of the file and upload it somewhere, I can disassemble it and finally understand what's going on.
This comment is awaiting analysis by our automated content check system and will be temporarily hidden until we verify that it does not contain harmful content (e.g. links to websites that attempt to steal information).
Last edited by ^5Robert; 6 Jul 2023 @ 1:28pm
It is indeed not part of the default installation.
Robert, did you delete the file already? Sent you a friend request.
It seems you could remediate by setting the PowerShell execution policy to AllSigned.
I can see strings:
Worm deactivated by control server.
Worm failed to retrieve data from the control server.
Worm killed by control server.
Worm up to date.
wormStatus infected %s
Unsupported Windows version (tf?)
User was randomly selected to be a spreader in modded lobbies.
User was selected to be a host/ignore modded lobbies/join unmodded lobbies only
username=%s&steamID=%lld&cpu=%s&gpu=%s&winver=%s

The "tf?" probably means "what the f**k?".
Seems this stuff has been coded specifically for COD MW2
The address could also just be some random file sharing site.

The dll seems to check for custom lobbies and prevent you from joining/hosting one.

It also spreads itself through RCE and prevents any RCE from happening on the host.
And this issue is exactly why Labs was made, to make sure players don't get hacked or DDoSed. But since Activision killed XLabs, we're forced to use their broken servers.
Last edited by MC Chase; 27 Jul 2023 @ 10:40am
Try taking a dewormer... Works on my dogs.... May be helpful for you too
Well look at that, you guys made enough public outcry and now they’re taking the worm out
Last edited by TRethehedgehog; 27 Jul 2023 @ 2:15pm
Originally posted by TRethehedgehog:
Well look at that, you guys made enough public outcry and now they’re taking the worm out
We need to make noise about BO2 people!
Is this about the dsound.dll file in the game folder or C:\Windows\System32\dsound.dll ?
Originally posted by Frax:
Is this about the dsound.dll file in the game folder or C:\Windows\System32\dsound.dll ?
In the game folder. The ones in System32 are core files that should never be deleted.
Originally posted by infrared:
Originally posted by Frax:
Is this about the dsound.dll file in the game folder or C:\Windows\System32\dsound.dll ?
In the game folder. The ones in System32 are core files that should never be deleted.
Ok, I deleted the file in the game folder. Is there any information if it could spread to other folders?
Originally posted by Frax:
Originally posted by infrared:
In the game folder. The ones in System32 are core files that should never be deleted.
Ok, I deleted the file in the game folder. Is there any information if it could spread to other folders?
Its only purpose is, ironically, protection from RCE, so no.
But to be fair, it did have to use RCE to spread itself

But still any antivirus reading is a false positive
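
Added example, not part of any post in this thread and not code from the game or its patch: a Python triage helper for the situation discussed above, where a dsound.dll appears in the game folder instead of only in System32. It looks for system-named DLLs sitting beside an executable and checks them for the strings quoted in the thread; the function names, the `SYSTEM_DLL_NAMES` set and the folder passed on the command line are assumptions.

```python
import re
import sys
from pathlib import Path

# Strings quoted in the thread as seen inside the reported dsound.dll.
THREAD_STRINGS = (
    b"Worm deactivated by control server.",
    b"Worm killed by control server.",
    b"wormStatus infected %s",
    b"username=%s&steamID=%lld&cpu=%s&gpu=%s&winver=%s",
)
# Names that normally load from System32 (assumption: extend as needed).
SYSTEM_DLL_NAMES = {"dsound.dll"}


def printable_strings(data, min_len=6):
    """Return printable ASCII and UTF-16LE runs, like the `strings` utility."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return set(ascii_runs) | {w[::2] for w in wide_runs}


def triage_game_folder(game_dir):
    """List system-named DLLs under game_dir with any thread strings found."""
    findings = []
    for dll in Path(game_dir).rglob("*"):
        if not dll.is_file() or dll.name.lower() not in SYSTEM_DLL_NAMES:
            continue
        # The application's own directory comes before System32 in the
        # default DLL search order, so a copy beside the .exe is loaded first.
        beside_exe = any(p.suffix.lower() == ".exe"
                         for p in dll.parent.iterdir())
        found = printable_strings(dll.read_bytes())
        hits = sorted(s.decode() for s in THREAD_STRINGS
                      if any(s in run for run in found))
        findings.append({"path": str(dll), "beside_exe": beside_exe,
                         "matched_strings": hits})
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: triage.py <game folder>")
    for finding in triage_game_folder(sys.argv[1]):
        print(finding)
```

A hit only narrows down which file to copy aside and hand to someone for disassembly, as asked earlier in the thread; the System32 copy is outside the scanned folder and is never touched.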
Date posted: 26 Jun 2023 @ 4:51am
Posts: 67