Can you please send the name and version of your antivirus?
Hello Aral,
I'm using Kaspersky Anti-Virus 20.0.14.1085.
Regards
We are trying to help you. Definitely, with your help we can solve the problem soon. We shared our problem with Unity and will share it with Kaspersky.
Many thanks to you 💐
What the game is doing:
Upon launch, the game will extract a DLL that it is manually loading from memory called 'version.dll'. This is a fake, renamed threading module which is extracted to:
C:\Users\<yourname>\AppData\Local\Temp\version.dll
This file is not just a standard Version-information-based library: it attempts to connect to the internet AND it restores the Remote Desktop Service permissions on your system to attempt to allow unwanted access to your system:
SessionEnv is the Remote Desktop service on Windows. This is attempting to restore the startup type for that and force-start it.
It then tries to install itself as a .NET Framework sub-module via the .NET registry under the name 'tlpless.dll'. This gets the install paths to your .NET Framework via the keys here:
This DLL also takes ANY command line passed to it and starts it in a silent console window attempting to exploit administrative permissions on your system, if the argument /start is present:
When tlpless.dll is loaded, it will attempt to check for a valid internet connection by connecting to microsoft.com and google.com. Afterward, if valid, it will call a method inside tlpless.dll called 'Add':
This will also drop other fake files into your temp folder that mask themselves as .NET related error reporting tools. THESE ARE FAKE. These contain the infected DLLs in their resources.
https://i.imgur.com/AOQCprN.png
Scan: https://www.virustotal.com/gui/file/1b3f266aa8c67a00723f9cfbd10349b05a71525e1c0402454320dca01b472311/detection
https://i.imgur.com/YLcIk7B.png
Scan: https://www.virustotal.com/gui/file/63ec3ef6eb4e0270e3475b3d4d8c1421275b59f533afc5988b3c25fbd3e0e554/detection
https://i.imgur.com/0gRU1zG.png
Scan: https://www.virustotal.com/gui/file/1b3f266aa8c67a00723f9cfbd10349b05a71525e1c0402454320dca01b472311/detection
The embedded DLLs are C# loaders that are used to invoke/load other modules. This is half-packed/protected:
https://i.imgur.com/TFvEEMH.png
This method decrypts a hardcoded infected script to exploit the system further.
DO NOT BUY THIS GAME.
DO NOT TRUST THIS GAME.
It is absolutely infected. I am reporting this to Steam as well.
- C:/Windows/Microsoft.NET/Framework/ntsync.exe
- C:/Windows/Microsoft.NET/Framework/version.dll
Modules to look for on your system:
- libntsc*.dll
- GNU\\scntlib*.dll
While running, this will attempt to kill any process with the following partial name matches:
- askmgr
- rocessha
- rocexp
- ystemexplore
- anvir
It will try to download data/info from:
- "<removed>/jipperskrippersservice.ru/other/new.html"
- "<removed>/margancherforfun.com/other/new.html"
- "<removed>/cellavillibycurtiz.ru/other/new.html"
It will look for the following information:
- MoreStarsMoreSpace
- MoreStarsMoreSpace!
Then attempt to split and decrypt more files to install on your system to continue infection.
These new files are loaded with a base assumed class via:
[code]
}
CompilerResults compilerResults = csharpCodeProvider.CompileAssemblyFromSource(compilerParameters, new string[]
{
    code
});
if (compilerResults.Errors.Count == 0)
{
    object obj = compilerResults.CompiledAssembly.CreateInstance("MyNewClass");
    if (obj != null)
    {
        return Convert.ToString(obj.GetType().GetMethod("MyMethod").Invoke(obj, null));
    }
}
return "dothis";
}[/code]
1. Uninstall the game until this is dealt with, this game is not safe to run.
2. Clear your temp folder entirely.
3. Delete the infected droppers:
- C:/Users/<yourname>/AppData/Local/Temp/version.dll
- C:/Windows/Microsoft.NET/Framework/ntsync.exe
- C:/Windows/Microsoft.NET/Framework/version.dll
4. Ensure Remote Desktop is disabled on your system:
- See here for more info: https://www.howto-connect.com/enable-disable-remote-desktop-configuration-service-windows-10/
5. Look for any additional instances of 'ntsync.exe' and 'version.dll' you are not familiar with or were created recently when you first/recently launched Naxia. Remove those as well. (Do so with caution, as version.dll can be a legit module for certain applications!)
6. Block all access to the following websites in your hosts file / firewalls:
- jipperskrippersservice [dot] ru
- margancherforfun [dot] com
- cellavillibycurtiz [dot] ru
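A read-only triage script for the indicators listed in the post above, added here as an example and not code from the original post or the game's developer. It assumes the file paths, module name patterns, service name and domains exactly as the post gives them, and that it is run in an elevated PowerShell; it only reports, leaving the actual cleanup to the numbered steps above.

```powershell
# Added example: report the indicators from the post; no deletion or hosts editing.
# Assumption: run as Administrator so %SystemRoot% and the service table are readable.

$droppers = @(
    (Join-Path $env:TEMP 'version.dll'),
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework\ntsync.exe'),
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework\version.dll')
)
$modulePatterns = @('libntsc*.dll', 'scntlib*.dll')   # partial names from the post
$domains = @('jipperskrippersservice.ru', 'margancherforfun.com', 'cellavillibycurtiz.ru')

$findings = @()

# 1. Dropped files at the exact paths named in the post
foreach ($p in $droppers) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        $findings += "dropper present: $p (created $($f.CreationTime))"
    }
}

# 2. Loader modules anywhere under Temp or the .NET Framework tree
$searchRoots = @($env:TEMP, (Join-Path $env:SystemRoot 'Microsoft.NET'))
foreach ($root in $searchRoots) {
    foreach ($pat in $modulePatterns) {
        Get-ChildItem -Path $root -Filter $pat -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "suspicious module: $($_.FullName)" }
    }
}

# 3. SessionEnv (Remote Desktop Configuration) re-enabled or running
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SessionEnv'"
if ($svc -and ($svc.StartMode -ne 'Disabled' -or $svc.State -eq 'Running')) {
    $findings += "SessionEnv start mode is $($svc.StartMode), state $($svc.State)"
}

# 4. Download domains from the post not yet blocked in the hosts file
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsText = Get-Content -LiteralPath $hosts -ErrorAction SilentlyContinue
foreach ($d in $domains) {
    if (-not ($hostsText -match [regex]::Escape($d))) {
        $findings += "not blocked in hosts: $d (add the line: 0.0.0.0 $d)"
    }
}

if ($findings.Count -eq 0) { 'No indicators from the post were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on 'version.dll' alone is not proof of infection, since legitimate applications ship a module of that name; compare the creation time against when the game was first launched, as step 5 advises.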
Hi, thanks for the report. We shared our problem with Unity and Kaspersky. We are investigating the problem. Because of the current state of the world (COVID-19), their response times to reports will be slower, as they said.
So please wait, we are working on this issue.
Meanwhile, we are trying to build the game on Linux to see what happens. We will share the result with you.
I'm looking at a game called "Streets Ablaze".
They're an indie company who put out their game for free recently (they used to charge for it), and I'm a bit paranoid about whether it has any kind of virus attached to it.
How exactly does a person do a virus check on something from Steam?
I heard someone say they put a game through VirusTotal, but how are you supposed to do that with Steam games?
I'd like to play the game; I had it on my wishlist before they made it free, but would just like to make sure there's nothing weird attached to it.
Cool, thanks for any help.
In most cases this will never be an issue, and things are generally caught pretty fast. However, not all viruses are the same, and they can be hidden from detection by various means. The infection this game has does just that, to hide itself. Steam does not validate developer files outside of basic scans of the raw files, which does not catch everything.
Which means you are left to deal with whatever the devs push publicly. They are normal files from someone else's machine, so if a dev really wanted, they could easily use Steam as a platform to infect others. (I do not think Naxia is infected intentionally.)
The best means to follow if you are unsure would be to install the game in an isolated environment: either another computer with limited/no network access, or an isolated VM that is locked down. You can analyze what things are happening, what new files are created, what a process does/accesses on the system, etc.
In this case, Naxia is creating the infected version.dll file shortly after launching and playing the initial cutscenes.
( sigh what a world we live in lol..)
Please update the game, then tell us the result. Thanks for your cooperation.