Store Page
Wallpaper Engine
All Discussions Screenshots Artwork Broadcasts Videos Workshop News Guides Reviews

Wallpaper Engine

Store Page
View Stats:
Global Achievements
Wallpaper Engine > Problem Solving > Topic Details
PL✰STIC Oct 5, 2017 @ 8:22pm
Wallpaper Came With A Bitcoin Miner to Run In Background...
Picture - https://imgur.com/AHwX7W8
I'm assuming it was from the "web" category. Unfortunately (or fortunately for me) I deleted all my WPs recently, but I just ran a scan in Emsisoft Emergency Kit, and it detected a cache file from inside the WP Engine directories. Opened in Notepad++ and most of it is nonsense (encrypted? I don't know), but it was very clearly NOT a false positive... Any dev have insight into this?

After I saved the image, I saw the bottom links using WSS - Googled & this is websocket and can encrypt data transfers over regular HTTP/HTTPS ports so that vast majority of firewalls wouldn't block it...

Scary stuff. Will prob never use "Application" or "Web" categories again...
< >
Showing 1-7 of 7 comments
Biohazard  [developer] Oct 5, 2017 @ 8:29pm 
Do you still have an idea from which wallpaper/user it came? But I don't know if Valve will act on it, the best I can do myself is removing their uploads.

While this isn't causing any serious harm, it's wasting your CPU, which is ridiculous considering it's running as a wallpaper.
#1
PL✰STIC Oct 6, 2017 @ 2:14am 
Originally posted by Biohazard:
Do you still have an idea from which wallpaper/user it came? But I don't know if Valve will act on it, the best I can do myself is removing their uploads.

While this isn't causing any serious harm, it's wasting your CPU, which is ridiculous considering it's running as a wallpaper.
I asked a more knowledgeable friend if there was another way I could open the cache file so it's not a bunch of NULLs but he had no idea haha... Since that file's creation date was a couple weeks ago, I really couldn't tell you since I tend to get a bunch, try them, unsubscribe or in that ONE CASE (unfortunately) I deleted all the old ones I kept. There's no other way to check?
#2
PL✰STIC Oct 6, 2017 @ 2:15am 
I guess if there's really no way to find who it was, at least people can be told to use EEK to scan whatever drive they installed it to if the same thing is being reproduced and people are wondering where their resources are going?
#3
PL✰STIC Oct 6, 2017 @ 2:19am 
Aaaaand since you're a dev, here's that cache file in case you have ideas - I don't know if it's possible the contents can get messed up through uploads/downloads etc but here ya go ~~~

Mediafire actually just flagged it as a virus once it finished uploading sooo hopefully it's not scarier than I thought originally? Regardless, this is the file:

EDIT: Steam removed the link too haha uhhh it might not let you even download it then? but it's mediafire / file/h7r8gmpam72i3c8/f_000037
Last edited by PL✰STIC; Oct 6, 2017 @ 2:20am
#4
Biohazard  [developer] Oct 6, 2017 @ 5:47am 
Could you perhaps share the wallpaper_engine/config.json file? It might still contain the workshop ID in the recent list. I don't think much could be read from the cache file (also mediafire prevents downloading it too).

Steam just (unfortunately) removes all mediafire links, so that doesn't mean anything. It's really just a simple JavaScript algorithm that eats up CPU to create currency, so it's 'harmless', but putting it in without asking for permission and being upfront about it makes it malware imho.
Last edited by Biohazard; Oct 6, 2017 @ 5:52am
#5
PL✰STIC Oct 6, 2017 @ 6:16am 
Originally posted by Biohazard:
Could you perhaps share the wallpaper_engine/config.json file? It might still contain the workshop ID in the recent list. I don't think much could be read from the cache file (also mediafire prevents downloading it too).

Steam just (unfortunately) removes all mediafire links, so that doesn't mean anything. It's really just a simple JavaScript algorithm that eats up CPU to create currency, so it's 'harmless', but putting it in without asking for permission and being upfront about it makes it malware imho.
Here ya go! Let me know what happens! mediafire *** /file/ccpbrod52cs34ng/config.json
#6
Biohazard  [developer] Oct 6, 2017 @ 11:37am 
Thanks, I found one that had it.

Like I suspected, there was never anything dangerous going on, it was just in bad taste. But I blocked that thing on the beta for all wallpapers that tried to do that: http://steamcommunity.com/app/431960/discussions/2/350544272219415004/
#7
< >
Showing 1-7 of 7 comments
Per page: 1530 50

Wallpaper Engine > Problem Solving > Topic Details
Date Posted: Oct 5, 2017 @ 8:22pm
Posts: 7

Discussions Rules and Guidelines