- C:/Windows/Microsoft.NET/Framework/ntsync.exe
- C:/Windows/Microsoft.NET/Framework/version.dll
Modules to look for on your system:
- libntsc*.dll
- GNU\scntlib*.dll
While running, this will attempt to kill any process with the following partial name matches:
- askmgr
- rocessha
- rocexp
- ystemexplore
- anvir
It will try to download data/info from:
- "<removed>/jipperskrippersservice.ru/other/new.html"
- "<removed>/margancherforfun.com/other/new.html"
- "<removed>/cellavillibycurtiz.ru/other/new.html"
It will look for the following information:
- MoreStarsMoreSpace
- MoreStarsMoreSpace!
Then attempt to split and decrypt more files to install on your system to continue infection.
These new files are loaded with a base assumed class via:
[code]
}
// Compile the C# source held in `code` (assembled at runtime) into an in-memory assembly
CompilerResults compilerResults = csharpCodeProvider.CompileAssemblyFromSource(compilerParameters, new string[]
{
    code
});
if (compilerResults.Errors.Count == 0)
{
    // Instantiate the freshly compiled class and invoke its entry method by reflection
    object obj = compilerResults.CompiledAssembly.CreateInstance("MyNewClass");
    if (obj != null)
    {
        return Convert.ToString(obj.GetType().GetMethod("MyMethod").Invoke(obj, null));
    }
}
return "dothis";
}
[/code]
1. Uninstall the game until this is dealt with, this game is not safe to run.
2. Clear your temp folder entirely.
3. Delete the infected droppers:
- C:/Users/<yourname>/AppData/Local/Temp/version.dll
- C:/Windows/Microsoft.NET/Framework/ntsync.exe
- C:/Windows/Microsoft.NET/Framework/version.dll
4. Ensure Remote Desktop is disabled on your system:
- See here for more info: https://www.howto-connect.com/enable-disable-remote-desktop-configuration-service-windows-10/
5. Look for any additional instances of 'ntsync.exe' and 'version.dll' you are not familiar with or were created recently when you first/recently launched Naxia. Remove those as well. (Do so with caution, as version.dll can be a legit module for certain applications!)
6. Block all access to the following websites in your hosts file / firewalls:
- jipperskrippersservice [dot] ru
- margancherforfun [dot] com
- cellavillibycurtiz [dot] ru
- C:\Windows\System32\msfte.dll
Please update the game then tell us the result. Thanks for your cooperation.
This module contains the default expected data of Unity.DataContract, but also includes an obfuscated infected loader. At runtime, this loader will attempt to decrypt a self-contained resource like this:
The resource is an encrypted, embedded block of Unicode strings that holds all the infection-related data, see here:
https://i.imgur.com/LUPqDkJ.png
As we can see, the expected information I posted above before is all here, with some added info that does not appear to be used all the time.
Firstly, the registry key that is used to tell the infection if the system is currently/already infected is:
HKEY_CURRENT_USER\SOFTWARE\GNU\fver
HKEY_CURRENT_USER\SOFTWARE\GNU\cver
The virus uses this to prevent itself from re-running all the time.
Next is the remote website it uses to ensure you have internet access to continue the infection while executing. It will ping that site to check for internet status.
Next are the various bits of data it uses to locate where to drop files and infect your system:
/Microsoft.NET/Framework/ntsync.exe
/Microsoft.NET/Framework/version.dll
It pulls that data from the registry to get the full path to your .NET install folders as I showed in my previous posts.
Next the other files it tries to drop are in the temp folder which are:
- TPGenLic.dll
- cmst.exe
- version.dll
It will also try to add a scheduled task on the system to continue to re-infect the system under a DiskCleanup fake name. If this is successful in adding itself, it's hidden within:
Microsoft > Windows > DiskCleanup
As a fake task there to execute cmst.exe whenever possible.
This will also try to disable UAC/remove the prompt, to prevent itself from being caught running as admin or running an untrusted file, by editing the following registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- ConsentPromptBehaviorAdmin
Then the rest of what it does is what I posted above in my previous posts.
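The removal steps and the indicators listed in the posts above can be checked in one pass. The script below is an added example, not something from the thread or the game's developers; it is read-only, assumes an elevated PowerShell session on Windows 8/Server 2012 or later (for Get-ScheduledTask), and uses only the registry values, file names, task path and domains named in the posts.

```powershell
# Added audit script (not from the thread). Read-only: it reports the indicators the
# posts describe and deletes nothing. Run in an elevated PowerShell session.
$findings = @()

# 1. Registry markers the dropper uses to decide the host is already infected
$gnuKey = 'HKCU:\SOFTWARE\GNU'
if (Test-Path $gnuKey) {
    $props = Get-ItemProperty -Path $gnuKey
    foreach ($name in 'fver', 'cver') {
        if ($null -ne $props.$name) { $findings += "Registry marker: $gnuKey\$name = $($props.$name)" }
    }
}

# 2. Dropped files: ntsync.exe / version.dll under Microsoft.NET, and the TEMP droppers.
#    Scope is deliberately narrow: version.dll is a legitimate module elsewhere (e.g. System32).
$dropped = @(Get-ChildItem "$env:windir\Microsoft.NET" -Recurse -File -Include ntsync.exe, version.dll -ErrorAction SilentlyContinue)
$dropped += @(Get-ChildItem "$env:TEMP\*" -File -Include TPGenLic.dll, cmst.exe, version.dll -ErrorAction SilentlyContinue)
foreach ($f in $dropped) { $findings += "Dropped file: $($f.FullName) (created $($f.CreationTime))" }

# 3. Persistence: a fake task under Microsoft\Windows\DiskCleanup whose action launches cmst.exe
Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'cmst\.exe') {
            $findings += "Scheduled task '$($task.TaskName)' runs $($a.Execute) $($a.Arguments)"
        }
    }
}

# 4. UAC tampering: ConsentPromptBehaviorAdmin = 0 means admins elevate with no prompt
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
if ($null -ne $uac -and $uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'UAC: ConsentPromptBehaviorAdmin is 0 (elevation without prompting)'
}

# 5. Egress: confirm the three download hosts are sinkholed in the hosts file (removal step 6)
$hosts = Get-Content "$env:windir\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue
foreach ($domain in 'jipperskrippersservice.ru', 'margancherforfun.com', 'cellavillibycurtiz.ru') {
    if (-not ($hosts -match [regex]::Escape($domain))) { $findings += "Not blocked in hosts file: $domain" }
}

if ($findings.Count -eq 0) { 'No indicators from the thread were found.' } else { $findings }
```

A hit on step 2 or 3 alone is a strong signal; a hit on step 4 or 5 by itself only says the host is not yet hardened and should be read together with the others.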
This is not the case, and was not directly the dev's fault. Unity has an asset store that allows anyone to upload and sell assets for games to share with other developers. Unity makes it very clear they are not responsible for damage and do not actively scan for infected assets. They go based on a trust/faith based system and report based investigations.
Naxia was using a package that is currently infected, the specific one being:
https://assetstore.unity.com/packages/vfx/particles/spells/mesh-effects-67803
This asset is where the infected file originated from and is bundled into the game when built against it.
Did Naxia developers intentionally infect their game? No.
Did Naxia developers handle this a little poorly? Yes. But the lead dev reached out to me directly and worked with me via Discord to get this resolved, so I will say once they took it a bit more seriously and understood the issue, they did care and did work to get it fixed with me.
The developer just pushed a new update which fixes this issue and the game, currently, is no longer infected.
As with any game that has a marketplace/asset store (Unity, CryEngine, Unreal) there is always this kind of risk. Naxia is not unique to this kind of infection/attack.