A warning to those to used General Bot!

[greyb1t]

The users who downloaded the bot from the thread named is infected with some kind of virus.

This thread is probably in the wrong section, however I decided to post it here because the users who downloaded it most likely doesn't check the other sections. Also, the original thread is closed.

It contained the following files:

• farmbot
  • TargetMinimap.exe (bad boy)
• config.ini (legit)
• General Bot.exe (legit)
• hook.dll (confuse file)
• interface.asi (confuse file)
• NeuzInfiltration.dll (confuse file)
• upgrading.dll (confuse file)

Most of the files being files that adds extra layers of "confusion" on what is happening to prevent suspicion.

hook.dll is most likely not used due to how the bot worked. It worked by pixel scanning and had nothing to do with memory.

interface.asi is most likely not associated with the bot either. I cannot really speak on this however after a little bit of analysis it seems to be a dll regarding sound.

NeuzInfiltration.dll do I have to say anything on this one? No.

upgrading.dll is a dll that has been renamed to confuse the user. It was previously Miles Sound System. Company Name : RAD Game Tools. Inc.

General Bot.exe is the legit thing which contains the au3 script as a resource. Not more to say.

farmbot -> TargetMinimap.exe is however the interesting part of this. It is a software coded in a .NET language which is protected by smartassembly. Some naughty stuff can be found inside of this one.

I have not analysed it throughly, however a couple of things caught my attention.

First thing:

Code:

standardInput.Write(string.Concat(new string[]
{
        Class5.smethod_1("ZoZsR/ZaAWzxqaKwo+nWGkxoLc6Ds9GNObStufkfOT2TLcBbjyvMGWz5Ui7BQiviEu7Vk8MO6FJ1iaMc1ALpfry+mE2yigOyL28GnNKe0ab37UCQ2TsndQdis/7A49IH"),
	"%temp%\\",
	Class5.smethod_1("35HUeD+OlAq9ZwumSXi79g=="),
	"\\",
	Class5.smethod_1("2atqj4HZ4WJ029aPZ3Ly2d46DqSi1+THRQs1q+XH92I="),
	".lnk \" /f",
        Environment.NewLine
}));

After decrypting the strings it show the following:
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "
FlyFF Bot
generalbotstart.exe

The registry key that the bot adds prevent the startup programs from running when restarting the computer. It can be resolved by deleting the key in registry.

Another thing that caught my attention was the following code:

Code:

if (!Class5.smethod_0(Class5.smethod_1("kH6hMrdds0P1ED86mOaZMg==")))
{
	goto IL_D1;
}
IL_C3:
num2 = 11;
Thread.Sleep(26001);
IL_D1:

The decrypted string contain: AvastSvc
It basically is a bit of code to prevent Avast from detecting it as a virus. It is a known method and can be read on the internet.

It has made of copy of TargetMinimap.exe in the following directory: %temp%\FlyFF Bot
Make sure to delete those files and fix the registry as mentioned above. As I said before, I did not analyse it throughly, I'm sure it contained more bullshit, so watch out boys.

TL;DR
Delete the key named Load in registry located at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Goto %temp%\FlyFF Bot in the file explorer and delete the shortcut and the duplicated virus.

Do not restart your computer before you've done these fixes. Otherwise a empty messagebox will popup and once you hit ok, the virus will kick in and do a bunch of naught stuff.

[Hömer]

Quote:

Originally Posted by dosha5

But no one asked you for help .
And you are not a Moderator to post an useless thing like this .
As i said its a hack section not a scanvirustotal.com .
Learn to know your place little kid.

PS: Hope the Moderator of this section did his job instead of ignoring it because you passed your limits. ^_^

What the f is wrong with you?!

He just wanted to help ppl. who aren´t able to reverse engineer.

Dunno why you are so upset about this. Were you part of this little fishy "bot" ?

[Exrotz]

Quote:

Originally Posted by dosha5

But no one asked you for help .
And you are not a Moderator to post an useless thing like this .
As i said its a hack section not a scanvirustotal.com .
Learn to know your place little kid.

PS: Hope the Moderator of this section did his job instead of ignoring it because you passed your limits. ^_^

So you think it's fine that there is a public hack released with a virus which could potentially destroy your PC? I hope you aren't that retarded.

This guy is just trying to make others aware. I assume you're working with the guy trying to distribute the virus or something? There's no reason to be angry otherwise, if anything you should be happy.

[Gelz]

Thanks for the heads up greyb1t!

Also, have you identified the effects of the said virus, when incase, the computer is restarted as the virus "kicks in"?

(I seem to have done it, and I am a bit worried. Sorry for asking too much; I am not as computer savvy as you are.)

[Nick]

I looked into this matter in a secure environment and arrived at the same result which means that greyb1t is right, reinstalling your system is strongly recommended, though.

Needless to say, we will take action against the member who published the said bot. Always be careful of newly registered or relatively unknown members!

Thanks for reporting! @