1. Post #1
    SaintSin6's Avatar
    June 2013
    225 Posts
    While playing on my Garry's Mod server today I received a request from Windows to use the cmd prompt. Everyone on my server at the time got the same request from a suspicious .exe in c\programdata\{temp folder}\dcomuti.exe
    https://www.virustotal.com/en/file/b...is/1390266885/


    Moments later my antivirus quarantined a suspicious file in garrysmod/data called kim.txt. When opened it looks like this:
    http://puu.sh/6sqjE.png

    There was also an oddly named folder, inside containing kim_win32.dll




    I have moved all files onto a USB for now, but I am getting non-stop trojan reports.
    Especially from kim.txt


    I was asked to create this thread to generate some publicity to the problem of getting infected through Garrysmod. Here is a link to the help thread I initially created http://facepunch.com/showthread.php?t=1351705
    After speaking to a few Facepunch community members they believe this is the same gmod virus from before.

    Be sure to look for these files and run a few scans to be safe.


    Link (Having issues with kim.txt looking to get another copy)
    https://www.dropbox.com/sh/n371h11smiii0iv/X34cjnw84b
    https://mega.co.nz/#!F1ljSIYJ!HViAQj...UsYw4qDZ0VbCKk - Steam\Appcache\Httpcache\40\(filename)

    Watch for:
    kim.txt
    kim_win32.dll
    dcomuti.exe
    ngov.txt



  2. Post #2
    Dennab
    January 2013
    3,709 Posts
    Can you upload the files to a safe spot? I can sift through them better that way.

  3. Post #3
    8==== ===== ===== ===== ===D
    Dennab
    April 2008
    4,831 Posts
    shoot you weren't supposed to find out about my trojan

  4. Post #4
    SaintSin6's Avatar
    June 2013
    225 Posts
    Just added the link to the first post; going to try and keep everything there. I am having issues with kim.txt and will try and get another copy of it.

  5. Post #5
    Gold Member
    ExtReMLapin's Avatar
    February 2012
    1,176 Posts


    Code:
    D:\gmod\example\lib\windows\gm_ngov.pdb
    gm_ngov ?

  6. Post #6
    SaintSin6's Avatar
    June 2013
    225 Posts
    I do recall seeing a ngov.txt file, but it was 0b

  7. Post #7
    Gold Member
    Svenskunganka's Avatar
    September 2011
    1,806 Posts
    gm_ngov appears in the .dll as well;



    Edited:

    This needs to get fixed, all players on that server got infected with trojans. This is a very serious exploit.
    Imagine the things hackers can do with this. Create slaves for botnets, installing keyloggers.

  8. Post #8
    SaintSin6's Avatar
    June 2013
    225 Posts
    I'm working to get a kim.txt file for you guys; that file makes my antivirus go a little crazy with malicious reports and trojans.

  9. Post #9
    Gold Member

    March 2012
    1,947 Posts
    That txt looks like some executable in txt format. Would make sense since GMod allows txt file saving but how it got saved (RCon exploit?), as well as how it got executed remains a mystery.

  10. Post #10
    Gold Member
    ExtReMLapin's Avatar
    February 2012
    1,176 Posts
    That txt looks like some executable in txt format. Would make sense since GMod allows txt file saving but how it got saved (RCon exploit?), as well as how it got executed remains a mystery.



    Most of the Executables have "MZ" at the start, this one too, so yes, this txt file was converted into an exe.

    The question is "HOW ???"

  11. Post #11
    Effektiv's Avatar
    April 2013
    285 Posts
    Have you been able to pin down how you got this in the first place? You say you were playing on your server and all the players on it also appeared to have received the same attempt to launch cmd? I'm not trying to suggest you had any part in it or anything just seems unusual that everyone would have exactly the same files that came to life while on your server.

    What addons, workshop or otherwise do you use? Or maybe we are looking at that scumbag steam browser again.

  12. Post #12
    Gold Member
    Svenskunganka's Avatar
    September 2011
    1,806 Posts
    Have you been able to pin down how you got this in the first place? You say you were playing on your server and all the players on it also appeared to have received the same attempt to launch cmd? I'm not trying to suggest you had any part in it or anything just seems unusual that everyone would have exactly the same files that came to life while on your server.

    What addons, workshop or otherwise do you use? Or maybe we are looking at that scumbag steam browser again.
    This doesn't have anything to do with his server in particular as this exploit has been posted before http://facepunch.com/showthread.php?t=1330836

    Also, NFO is hosting his server so he has no access to change any binaries to make such an exploit available.

  13. Post #13
    Effektiv's Avatar
    April 2013
    285 Posts
    This doesn't have anything to do with his server in particular as this exploit has been posted before http://facepunch.com/showthread.php?t=1330836

    Also, NFO is hosting his server so he has no access to change any binaries to make such an exploit available.
    Yes, I'm fully aware of the exploit and the fact there was no need to be concerned as there was no known way to change txts to exe.

    If it has nothing to do with his server, everyone on his server just so happened to visit the same server recently to acquire these files then. That's if everyone on his server having a CMD roll up at the same time is simply coincidence.

  14. Post #14
    Squerl101's Avatar
    July 2011
    402 Posts
    I didn't even know it was possible to get viruses through Garry's Mod.

  15. Post #15
    Gold Member
    Svenskunganka's Avatar
    September 2011
    1,806 Posts
    Yes i'm fully aware of the exploit and the fact there was no need to be concerned as there was no known way to change txts to exe.

    If it has nothing to do with his server, everyone on his server just so happened to visit the same server recently to acquire these files then. That's if everyone on his server having a CMD role up at the same time is no simple coincidence.
    You don't get the whole picture; SRCDS itself is not coded in a way to distribute .dll's and .exe's. The Lua engine is at fault here because I have never seen anything like this over at srcds.com's forums.

    I am almost 100% sure this is not the server's fault. The only thing the server is contributing to this exploit is gathering people for mass distribution. I don't believe the server itself distributes those files, but simply one person figured out a way to execute client-side Lua on another player that somehow downloads that .txt file, constructs the virus out of it and compiles it and then, for the final blow, executes it.

    That's how I think the exploit works.

    It's even possible to tell a SQL server to construct a program through the only language the SQL server speaks; SQL statements. So why wouldn't this be possible?

    I didn't even know it was possible to get viruses through Garry's Mod.
    Well, it looks like it is.

  16. Post #16
    Gold Member

    March 2012
    1,947 Posts
    Just to double check, are you using any binary modules (ones that go into lua/bin)?

  17. Post #17
    SaintSin6's Avatar
    June 2013
    225 Posts
    gmsv_mysqloo_win32.dll would be the only module that I've added to the server.

  18. Post #18
    Gold Member

    March 2012
    1,947 Posts
    Unless there is an exploit in MySQLOO (which I doubt), then it won't be that.

  19. Post #19
    Gold Member
    dingusnin's Avatar
    February 2010
    2,145 Posts
    If you run the exe, it moves itself to
    Code:
    C:\{$5002-5679-2528-4621$}
    and sets itself to load on startup.
    As far as the gm_ngov dll, all I know is that it makes a copy of all the Lua userdata tables.

    This is what the exe extracts:
    https://www.dropbox.com/s/6s6owo012er0z13/512706380.exe
    It's an MS-DOS COM file.

  20. Post #20
    Gold Member
    Silentfood's Avatar
    November 2009
    1,014 Posts
    Had this virus on my computer a few weeks back, the files install via a client dll file that manages to execute from a file within your data. On running the malicious code, UAC will alert that CMD wants administrative access. The command line is a VB script running within ProgramData.

    You don't need to give administrative access, but allowing the program will make the software run at boot. Then the software will unpack a set of files within C:\{$5002-5679-2528-4621$} or similar; these files are cryptocurrency miners and two processes will be running in the background.

    One is the container for the mining process. It ensures that if the application fails to start or is terminated, that it will be re-executed. dcomuti.exe is the containing process, the main mining tool is 512706380.exe.

    Edited:

    Can GMod servers make you download modules? Is this a thing?

  21. Post #21
    Effektiv's Avatar
    April 2013
    285 Posts
    Had this virus on my computer a few weeks back, the files install via a client dll file that manages to execute from a file within your data. On running the malicious code, UAC will alert that CMD wants administrative access. The command line is a VB script running within ProgramData.

    You don't need to give administrative access, but allowing the program will make the software run at boot. Then the software will unpack a set of files within C:\{$5002-5679-2528-4621$} or similar, these files are cryptocurrency miners and two processes will be running in the background.

    One is the container for the mining process. It ensures that if the application fails to start or is terminated, that it will be re-executed. dcomuti.exe is the containing process, the main mining tool is 512706380.exe.

    Edited:

    Can GMod servers make you download modules? Is this a thing?
    It shouldn't be possible to download modules via typical channels as far as I'm aware. Then again, this person seems to be able to do things with the game we didn't think typically possible.


    I've always fancied getting into bitcoins as well! I wonder if we can find the wallet ID.

  22. Post #22
    DRServices's Avatar
    October 2012
    211 Posts
    Unusual (possibly stupid) question, but would this in any way affect an account's VAC status?

  23. Post #23
    Author of the detected GMod Cheat cheat Oubhack

    January 2012
    771 Posts
    Unusual (possibly stupid) question, but would this in any way affect an accounts VAC status?
    I wouldn't think so, since VAC's as good as disabled in GMod.

    Edited:

    Or at least, not easily.

  24. Post #24
    Gold Member
    Silentfood's Avatar
    November 2009
    1,014 Posts
    It shouldn't be possible to download modules via typical channels as far as i'm aware. Then again this person seems to be able to things with the game we didn't think typically possible.


    I've always fancied getting into bitcoins as well! I wonder if we can find the wallet ID.
    It goes into a mining pool from when I checked the program's command line.

    Edited:

    With a backup URL if the first pool fails.

  25. Post #25
    likes men
    Python1320's Avatar
    May 2007
    1,749 Posts
    awesomium exploit? Nope.
    httpcache is used by http.Fetch most likely so the exploit was probably downloaded using either http library or ...
    ... the steam overlay has something broken.
    But I doubt that since this would be a problem in TF2 too then.

    EDIT:
    httpcache is used by the http library, so the payload was downloaded using Lua with http.Fetch and therefore must have been written with Lua too. Unlike the mining, it would be nice to know where it was downloaded from.

    Edited:

    Can you send the httpcache file? It should contain the downloaded URL.

  26. Post #26
    Gold Member
    Hentie's Avatar
    May 2010
    2,167 Posts
    That txt looks like some executable in txt format. Would make sense since GMod allows txt file saving but how it got saved (RCon exploit?), as well as how it got executed remains a mystery.
    send over a custom binary module, rename it or something, require() it on the client and the custom binary module executes virus code/downloads & executes the exe that contains virus code?

    gm_ngov appears in the .dll aswell;



    Edited:

    This needs to get fixed, all players on that server got infected with trojans. This is a very serious exploit.
    Imagine the things hackers can do with this. Create slaves for botnets, installing keyloggers.
    As far as I know, that looks like a binary module. (gmod13_close gmod13_open symbols)

  27. Post #27
    da space core's Avatar
    March 2012
    1,765 Posts
    If this doesn't get Garry to actually look at the wrecked state of gmod as it is right now, then I don't know what will. This is a BAD exploit

  28. Post #28
    Gold Member
    ExtReMLapin's Avatar
    February 2012
    1,176 Posts
    send over a custom binary module, rename it or something, require() it on the client and the custom binary module executes virus code/downloads & executes the exe that contains virus code?



    as far as i know, that looks like a binary module. (gmod13_close gmod13_open symbols)
    That's what we said 2 times

  29. Post #29
    Gold Member
    Hentie's Avatar
    May 2010
    2,167 Posts
    That's what we said 2 times
    I Ctrl-F'ed for mentions of a binary module before I posted.

  30. Post #30

    July 2013
    232 Posts
    I Ctrl-F'ed for mentions of a binary module before I posted.
    The phrase "binary module" doesn't necessarily have to be written as "binary module", does it?

  31. Post #31
    TheMrFailz's Avatar
    July 2012
    1,471 Posts
    In the event that someone has the Virus, it should create a crazy ass folder name under C:/ right? My PC has been feeling a tad bit sluggish lately and I wanted to make sure that this wasn't anything to do with it.

  32. Post #32

    February 2008
    20 Posts
    kim_win32.dll

    Code:
    int __cdecl gmod13_open(lua_State *L)
    {
      L->luabase->vtable->PushSpecial(0);
      L->luabase->vtable->PushString("wop", 0);
      L->luabase->vtable->PushCFunction((CFunc)LuaCreateProcess);
      L->luabase->vtable->SetTable(-3);
      return 0;
    }
    Code:
    int __cdecl LuaCreateProcess(lua_State *L)
    {
      ILuaBaseVTable *v1; // ecx@2
      const CHAR *v2; // eax@2
      int result; // eax@3
      struct _STARTUPINFOA StartupInfo; // [sp+4h] [bp-54h]@2
      struct _PROCESS_INFORMATION ProcessInformation; // [sp+48h] [bp-10h]@2
    
      if ( L->luabase->vtable->IsType(1, 4)
        && (sub_10003F20(&StartupInfo, 0, 68),
            v1 = L->luabase,
            ProcessInformation.hProcess = 0,
            ProcessInformation.hThread = 0,
            ProcessInformation.dwProcessId = 0,
            ProcessInformation.dwThreadId = 0,
            StartupInfo.cb = 68,
            v2 = v1->vtable->GetString(1, 0),
            CreateProcessA(v2, 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation)) )
      {
        L->luabase->vtable->PushBool(1);
        result = 1;
      }
      else
      {
        L->luabase->vtable->PushBool(0);
        result = 1;
      }
      return result;
    }
    Stop assuming stuff, this module allows process creation.

    Edit: Also fiddling around with Hex Editors won't really help at all.

  33. Post #33
    Gold Member
    ExtReMLapin's Avatar
    February 2012
    1,176 Posts
    @RBPFC1


    How did you foun-


    No, better not know.

  34. Post #34

    February 2008
    20 Posts
    @RBPFC1


    How did you foun-


    No, better no know.
    IDA and parsed C header files that I made to act like vtables.

  35. Post #35
    Gold Member

    March 2012
    1,947 Posts
    send over a custom binary module
    If it were that easy then this would've happened long ago.

  36. Post #36
    SaintSin6's Avatar
    June 2013
    225 Posts
    awesomium exploit? Nope.
    httpcache is used by http.Fetch most likely so the exploit was probably downloaded using either http library or ...
    ... the steam overlay has something broken.
    But I doubt that since this would be a problem in TF2 too then.

    EDIT:
    httpcache is used by http library so the payload was downloaded using lua with http.Fetch and therefore must have been written with Lua too. Unlike the mining it would be nice to know where from it was downloaded.

    Edited:

    Can you send the httpcache file? It should contain the downloaded url
    Here you are. Just added link to the first post.
    https://mega.co.nz/#!F1ljSIYJ!HViAQj...UsYw4qDZ0VbCKk

  37. Post #37
    likes men
    Python1320's Avatar
    May 2007
    1,749 Posts
    Here you are. Just added link to the first post.
    https://mega.co.nz/#!F1ljSIYJ!HViAQj...UsYw4qDZ0VbCKk
    amazonaws sure is a good anonymizer...

  38. Post #38
    Gold Member
    Hentie's Avatar
    May 2010
    2,167 Posts
    The phrase "binary module" doesn't necessarily have to be written as "binary module", does it?
    I literally Ctrl-F'ed "modul", then "binar", then "binary module" and different spelling variations.
    Everyone already assumed it was a binary module, but I just wanted to make the point clear.

    If it were that easy then this would've happened long ago.
    The files were found in garrysmod/data, which is the only folder that you can write .txt files to.
    It's pretty easy to assume that they used file.Write or file.Append to create the binary files.
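    Posts #10 and #38 together describe the tell-tale signs a server owner can check for: a file in garrysmod/data that starts with "MZ" is an executable wearing a .txt extension, and the file names listed in the first post identify this particular campaign. The following scanner is an added example written for this thread; it is not code from any of the posters or from Garry's Mod. It walks a data directory, flags files whose contents carry a DOS "MZ" stub with a valid "PE\0\0" signature at e_lfanew (the PE layout check is a standard one, not something taken from the posts), and separately flags the file names reported above. The directory layout and the fake PE blob it scans are constructed inside the script so it runs offline.

```python
import struct
import tempfile
from pathlib import Path

# File names reported in this thread (Post #1's "Watch for" list); matching on
# name alone is weak evidence, so it is reported separately from the header check.
KNOWN_NAMES = {"kim.txt", "kim_win32.dll", "dcomuti.exe", "ngov.txt"}


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. the layout of a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_data_dir(root) -> list:
    """Walk root (a garrysmod/data directory) and return sorted
    (relative_posix_path, [reasons]) pairs for every suspicious file."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in KNOWN_NAMES:
            reasons.append("name matches a file reported in the thread")
        with open(path, "rb") as fh:
            head = fh.read(4096)          # headers live in the first page
        if looks_like_pe(head):
            reasons.append("PE executable header (MZ + PE signature)")
        elif head[:2] == b"MZ":
            reasons.append("starts with MZ (possible DOS/PE stub)")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def make_fake_pe() -> bytes:
    """Constructed test blob: MZ stub, e_lfanew = 0x40, 'PE\\0\\0' at 0x40.
    It is not a real executable, only enough header to exercise the check."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


def demo() -> list:
    """Build a constructed garrysmod/data tree mirroring the thread's report
    (kim.txt, an odd folder holding kim_win32.dll, a 0-byte ngov.txt, and a
    harmless settings file) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "garrysmod" / "data"
        (data / "weird_folder").mkdir(parents=True)
        (data / "kim.txt").write_bytes(make_fake_pe())
        (data / "weird_folder" / "kim_win32.dll").write_bytes(make_fake_pe())
        (data / "ngov.txt").write_bytes(b"")            # 0 bytes, as in Post #6
        (data / "settings.txt").write_text("volume=0.5\n")  # benign data file
        return scan_data_dir(data)


if __name__ == "__main__":
    for rel_path, reasons in demo():
        print(f"{rel_path}: {'; '.join(reasons)}")
```

    Point scan_data_dir at a real garrysmod/data directory to run it against a server; anything flagged with the PE header reason is a binary that a data-only folder should never contain, regardless of its name or extension.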

  39. Post #39
    my portfolio
    Matt-'s Avatar
    April 2012
    1,293 Posts
    Doing a little research into this... I think this is using an exploit I told garry about a month ago. If this is true I'm going to be a little upset.

  40. Post #40

    February 2008
    20 Posts
    Ok, so as it appears dcomuti.exe (originally Bianx.exe) has this resource with it; the code looks like it's obfuscated, but it's pretty clear that it uses the resource data and dumps a file.

    Can anyone give me the file that it creates? I would like to do more research on that subject, I'm wondering who is behind this.