
[Warning] Zzuk possibly spreading malware

PostPosted: Mon Mar 09, 2015 7:00 pm
by Vabaduce
Greetings Community

You probably heard of the name Zzuk or Corthezz lately and his theory video about playerbots on Nostalrius.
I'm not here to discuss this matter, but with the growing attention of said person and his blog, I think it's necessary to inform people that some, if not all, of his tools are infected with a virus. It's needless to say that the use of those programs is forbidden and will lead to a ban eventually.

Proof:
Original release post in case he decides to delete it: http://i.imgur.com/K8sezsa.png
Anubis analysis: https://anubis.iseclab.org/?action=resu ... l#chapter1
VirusTotal of the executable: https://www.virustotal.com/de/file/da34 ... 425907657/
Malwr report: https://malwr.com/analysis/OGJmNjVjZWNk ... Q1M2NhYzE/

As you can see, the file is FUD crypted (obfuscated), which is a common method to hide malware from antiviruses. The Anubis report shows us how two registry values in the shell category are changed, probably in order to allow the virus to start up with the Windows boot, which is common for RATs/keyloggers. The malwr report confirms this further: "Installs itself for autorun at Windows startup". Further, various files in the Windows folder are getting altered, which shows clearly that it's in fact doing more than it's supposed to.

If you happen to have downloaded one of his programs, you most likely are infected. I can't help with the removal of the virus, nor do I know what it actually does. If everything fails, make sure to back up your important files and do a clean install of Windows. Change all your passwords after the fresh install or do it from a second device such as your smart phone. And next time, be more careful with what you download.

I hope the Nostalrius team takes action and excludes Zzuk from the Community, if they haven't done it already.
Account closure / permanent ban - Publishing a software, methods or articles on cheating which can be applied on the server,


There might be some typos as I'm quite in a hurry, but I hope this prevents more people from getting infected.
Special thanks to: One Virus

Have fun and take care.

Re: [Warning] Zzuk spreading malware

PostPosted: Mon Mar 09, 2015 7:05 pm
by NicolasMage
Wasn't Zzuk a "high-ranked" player over on ED? I'm fairly sure I remember the name.

Re: [Warning] Zzuk spreading malware

PostPosted: Mon Mar 09, 2015 8:08 pm
by Noxx
Zzuk is a famous vanilla hacker

Re: [Warning] Zzuk spreading malware

PostPosted: Mon Mar 09, 2015 11:04 pm
by kegboy123
I used to think he was cool but quickly realized what a loser he was. He's a hacker and cries to Feenix when he got punished and how it's not fair that he got his account banned for hacking when he worked so hard on it..

Zzuk will be remembered as that stupid retard with that dumb accent of his. Can't even make sense of what he says on Vent.

Re: [Warning] Zzuk spreading malware

PostPosted: Mon Mar 09, 2015 11:46 pm
by matt
what a nerd

Re: [Warning] Zzuk spreading malware

PostPosted: Tue Mar 10, 2015 12:08 am
by pill
While I don't condone the use of this stuff, that's not malware. If you read the AV report all they are saying is that it has been obfuscated, or for non-computer people 'jumbled', to make viewing the code more difficult. This was likely done to stop devs from scanning for his endscene hooks.

Please don't post this stuff it's pointless and just draws attention to his blog.

[EDIT] - It IS possible that it is malicious - but running on my VM I didn't notice any registry changes.

Re: [Warning] Zzuk spreading malware

PostPosted: Tue Mar 10, 2015 1:04 am
by Vabaduce
pill wrote:While I don't condone the use of this stuff, that's not malware. If you read the AV report all they are saying is that it has been obfuscated, or for non-computer people 'jumbled', to make viewing the code more difficult. This was likely done to stop devs from scanning for his endscene hooks.

Please don't post this stuff it's pointless, incorrect and just draws attention to his blog.

I'm not too experienced with the crypting, but the logs speak for themselves and these are definitely no false positives.
There's nothing to hide from anti-cheat devs (if that's what you meant) since the morpher is supposed to work on a read-only basis, just like every other morpher. So what's there to detect, the injector? Well, I've seen the Nostalrius video on their AC and how they detected some hacks on login, so I give you that.

Still, this doesn't explain why the program changes dll files in the windows directory and writes itself in the autostart. Like seriously, how can you assume that something like this could possibly be legit when it autoruns on boot and drops an executable in the temp folder, let alone the altering in the typical shell registry location for trojans? I asked a few experts on the topic and they all agreed that this has to be malware. I'm not coming here just to make an assumption, and I wouldn't have made the thread if I wasn't certain about it. As you said it yourself, he doesn't deserve even more attention, but this warning was just required in my opinion.

Oh yeah, and if you happen to know more about these odd dll names from the dump then please explain it to me.
Code:
26.vir
smona124015666450049745382
6eede07000478758dee801842e8d0100f2bc2c33.dll
smona130733274704336882487
smona130729912690298699501
dcd21c1c2ed77363a58da980c44f3996f9372542
file-3112944_dll
smona131037743444336889565
smona124060633668711297845
smona130950540179099915736
smona130908094761953348967
smona130960779035676400874
6EEDE07000478758DEE801842E8D0100F2BC2C33.dll
smona130846426895686083432
smona130653010349148951567
smona131047283709925374223
smona130643880071287402446
smona130847034675311155399
smona131014914437030935114
smona130825939086230055979
smona130914117380637121065
fasmdll_managed.dll
smona130669025252379089557
smona130856473825384135331
smona132718215302744706041


Edit:
[EDIT] - It IS possible that it is malicious - but running on my VM I didn't notice any registry changes.

What VM are you running? There's a chance that the program detects the VM and the malware doesn't unfold.
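The first post and the reply above both argue from sandbox report lines (registry values in the Winlogon shell category, an autorun entry, an executable dropped in the temp folder, DLLs written under the Windows directory). The following is an added example, not code from this thread or from any of the tools it names, of how a defender turns those report lines into a reproducible triage instead of reading them by eye. The event dict format is an assumption, a simplified stand-in for the registry/file operations that Anubis- or malwr-style reports list; the sample events are constructed to mirror the behaviour the posts describe, alongside two benign events that must not trigger.

```python
"""Triage of sandbox-style behaviour events for persistence indicators.

Added example; the event format is an assumption, not the output of any
real sandbox. Registry paths are the standard Windows autostart locations.
"""
from dataclasses import dataclass

# Autostart registry keys (hive prefix stripped, lower-cased for matching).
AUTORUN_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
)
# Winlogon values that name what runs at logon; classic hijack points.
WINLOGON_KEY = "software\\microsoft\\windows nt\\currentversion\\winlogon"
WINLOGON_VALUES = {"shell", "userinit"}

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
EXEC_EXTS = (".exe", ".dll", ".scr")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case and use backslashes so rules match regardless of report style."""
    return path.replace("/", "\\").lower()


def _strip_hive(key: str) -> str:
    """Drop the HKLM/HKCU prefix so one rule covers both hives."""
    key = _norm(key)
    for hive in ("hkey_local_machine\\", "hkey_current_user\\", "hklm\\", "hkcu\\"):
        if key.startswith(hive):
            return key[len(hive):]
    return key


def triage(events):
    """Return a list of Findings for a sequence of event dicts.

    Event shapes (constructed for this example):
      {"op": "regwrite", "key": <registry key>, "value": <value name>}
      {"op": "filewrite", "path": <file path>}
    """
    findings = []
    for ev in events:
        if ev["op"] == "regwrite":
            key = _strip_hive(ev["key"])
            value = ev.get("value", "").lower()
            where = f"{ev['key']}\\{ev.get('value', '')}"
            if key in AUTORUN_KEYS:
                findings.append(Finding("autorun_registry", where))
            elif key == WINLOGON_KEY and value in WINLOGON_VALUES:
                findings.append(Finding("winlogon_shell_value", where))
        elif ev["op"] == "filewrite":
            path = _norm(ev["path"])
            in_temp = any(d in path for d in TEMP_DIRS)
            if in_temp and path.endswith(EXEC_EXTS):
                findings.append(Finding("dropped_executable_in_temp", ev["path"]))
            elif path.endswith(".dll") and "\\windows\\" in path:
                findings.append(Finding("system_dll_written", ev["path"]))
    return findings


def verdict(findings):
    """Summarise by distinct technique; two or more is a strong persistence signal."""
    rules = {f.rule for f in findings}
    if not rules:
        return "no persistence indicators"
    if len(rules) >= 2:
        return "persistence: " + ", ".join(sorted(rules))
    return "single indicator: " + next(iter(rules))


# Constructed sample, modelled on the behaviour the thread describes plus two benign events.
SAMPLE_EVENTS = [
    {"op": "regwrite", "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "value": "Shell"},
    {"op": "regwrite", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater"},
    {"op": "regwrite", "key": "HKCU\\Software\\ExampleTool\\Settings", "value": "Theme"},  # benign
    {"op": "filewrite", "path": "C:\\Users\\user\\AppData\\Local\\Temp\\svc.exe"},
    {"op": "filewrite", "path": "C:\\Windows\\System32\\example.dll"},
    {"op": "filewrite", "path": "C:\\Users\\user\\Documents\\notes.txt"},  # benign
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.detail}")
    print(verdict(found))
```

The point of the separate `verdict` step is the one made in the thread: an obfuscated binary on its own is a weak signal (packers and .NET obfuscators are common), while an autorun entry, a Winlogon value change, a dropped executable and a DLL written under the Windows directory together are a different matter. Feeding real report lines through something like this also makes it obvious when a VM run produced no events at all, which is a reason to distrust the run rather than to clear the sample.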

Re: [Warning] Zzuk spreading malware

PostPosted: Tue Mar 10, 2015 6:47 am
by Zzuk
Won't even waste a single minute explaining anything to you. Shove the half knowledge of you and your "experts" up your [removed] )))

-Please be civil Zzuk. You're free to talk here, but no reason to be rude.
-Witcher

Re: [Warning] Zzuk spreading malware

PostPosted: Tue Mar 10, 2015 8:41 am
by mrmr
Sorry, but I would like to know how you came to the conclusion that this executable fiddles with:
"Autostart"

Also, your "experts" may be aware of:
http://www.vcskicks.com/obfuscator.php
http://blogs.msdn.com/b/clrsecurity/arc ... 22440.aspx

Also, from malwr site, it's clear that this tool doesn't contact any "domain".
From this site, it also appears that the only "infection" found is about obfuscation.
Obfuscation is a common practice among coders writing C# managed code, aka it might well be a false-positive.

So, please, now that you have started a thread with such accusations, I would like to see a solid "analysis".
Seems like you just misinterpreted the virus-website reports.

I would also like to suggest to everyone:
http://www.sandboxie.com/
Run your things inside one of these...

Re: [Warning] Zzuk spreading malware

PostPosted: Tue Mar 10, 2015 8:50 am
by schaka
This is "Pirox has a keylogger!111" all over again. Feels like I'm reliving 2008.