Author Topic: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge  (Read 6048 times)

Aka Kyuketsuki

  • Team αlternative Σnding
  • Making it rain
Please don't download the "Sweat Dreams" script by Silvero on BulletForge. It contains a virus that spreads through Win32 files.
The report button is gone on BulletForge, so I'm posting this here so people don't get their PC infected  :ohdear:


Mod note from Helepolis:
- All three scripts by user Silvero (http://www.bulletforge.org/u/silvero) seem infected or highly suspicious. Until further notice do not download or run any of the three scripts.
- Always scan any script from any user, just in case.
- Do always report these things to us (forum) and Blargel (aka KimoKeine on IRC)

« Last Edit: March 16, 2016, 10:24:12 AM by Aka Kyuketsuki »

Random Sphere

  • It's been 3 years...
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #1 on: March 15, 2016, 04:12:32 PM »
Ok, thanks. That was a close one. I was going to download it.

Edit: 27 downloads lolololllolololololol
« Last Edit: March 15, 2016, 09:49:10 PM by Helepolis »
Normal 1CCs : PCB, IN, PoFV, MoF, UFO, TD, DDC, HSiFS, WBaWC.
Extra Clears: IN, MoF, HSiFS, WBaWC.

nav'

  • nothing to see here
  • definitely not a Ditto
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #2 on: March 15, 2016, 04:39:13 PM »
This could actually be a false alert; at least my antimalware software doesn't come up with any alerts. Can you tell us which file is being reported as infected exactly? It could then be checked using a tool like virustotal.com to try and ascertain the likeliness of a false positive.
Rabinovich looks at a poster: "Lenin has died, but his cause lives on!"
"It would have been better if he had lived!"

Chronojet ⚙ Dragon

  • The Oddity
  • Shine now, my future, that possibility!!
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #3 on: March 15, 2016, 04:53:43 PM »
Why would y'alls download it in the first place, though... It's kind of well-established by now that they're just stealing scripts?

Random Sphere

  • It's been 3 years...
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #4 on: March 15, 2016, 04:56:59 PM »
Why would y'alls download it in the first place, though... It's kind of well-established by now that they're just stealing scripts?

I'm just bored :3

Python

  • Plains of Chi-u have no end.
  • *
  • They are boundless and last forever.
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #5 on: March 15, 2016, 05:00:59 PM »
Funnily enough, Avast shouted at me when I tried downloading it, when I tried extracting it, but when I actually scanned the extracted folder, Avast found nothing. Lovely.

A total scan also yielded no results for some reason. >_>
Have a look at my truly scrumptious scripts!.

Chronojet ⚙ Dragon

  • The Oddity
  • Shine now, my future, that possibility!!
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #6 on: March 15, 2016, 05:22:29 PM »
Random, but it's "Sweat dreams".

Yes. It's like a title for some kind of weird gay porn. :/

It seems like they did it on purpose or something...

nav'

  • nothing to see here
  • definitely not a Ditto
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #7 on: March 15, 2016, 06:04:34 PM »
OK, I managed to figure out that actually several files in the archive are being marked as infected by my antimalware software; they just wouldn't scan the entire folder properly for some reason, which is why no alerts would show up before. Here's a sample VirusTotal report for one of the files:

https://www.virustotal.com/en/file/a363e4f7dc388dcce86e686979755c65e69344d6f3210826cea72e1b1478783e/analysis/1458064176/

So yeah, apparently this actually is Jeefo. Astounding. I was sure Jeefo is a thing of the dark past, considering it's a file infector created like 15 years ago and all. So please heed the OP's advice and STAY CLEAR OF THE DOWNLOAD. If the virus manages to spread, it will make your computer experience a living hell.
« Last Edit: March 15, 2016, 06:07:59 PM by navpirx »

Python

  • Plains of Chi-u have no end.
  • *
  • They are boundless and last forever.
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #8 on: March 15, 2016, 07:25:33 PM »
Strange, Avast said that config.exe, DNHViewer.exe and FileArchiver.exe are infected with that virus (I only remember it starting with "Win32.somethingsomething") upon extracting the folder, yet scanning them individually after extraction, scanning the whole folder, and scanning the entire system yielded no results.

I read that this Jeefo thing infects files and, when run, tries to run the original content of the file. What actual danger does this virus pose, if that's all it does after shoving its ass into autostart?
« Last Edit: March 15, 2016, 07:29:09 PM by Python »

Aka Kyuketsuki

  • Team αlternative Σnding
  • Making it rain
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #9 on: March 15, 2016, 08:14:32 PM »
Indeed, that was a Jeefo virus! I just deleted it so quickly because I was scared it caused too much damage on my PC  :V
Thanks for the clarification! Also, can someone notify Blargel about this?

nav'

  • nothing to see here
  • definitely not a Ditto
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #10 on: March 15, 2016, 08:28:26 PM »
Strange, Avast said that config.exe, DNHViewer.exe and FileArchiver.exe are infected with that virus (I only remember it starting with "Win32.somethingsomething") upon extracting the folder, yet scanning them individually after extraction, scanning the whole folder, and scanning the entire system yielded no results.

I read that this Jeefo thing infects files and, when run, tries to run the original content of the file. What actual danger does this virus pose, if that's all it does after shoving its ass into autostart?

In theory it shouldn't be dangerous at all. In practice, malware is almost always poorly written and unstable, so you'll soon be getting errors, crashes, bluescreens and everything will be working slower and slower. Eventually you'll want to get rid of the virus, only to find that it has basically infected every executable file on your computer. And since curing such files usually isn't 100% reliable, the only way to get rid of it is to delete every single piece of your software, not only on your hard drive, but also on all writable media that you own. I've been through this years ago. It's horrible.

Python

  • Plains of Chi-u have no end.
  • *
  • They are boundless and last forever.
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #11 on: March 15, 2016, 08:46:16 PM »
Mmh, I see. I ran numerous scans, all with no results at all, even though I downloaded, extracted, and even ran one of the malicious files.

nav'

  • nothing to see here
  • definitely not a Ditto
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #12 on: March 15, 2016, 09:34:51 PM »
Mmh, I see. I ran numerous scans, all with no results at all, even though I downloaded, extracted, and even ran one of the malicious files.

So you actually executed one of the files? Knowing how annoying file infectors can be, I'd really advise you to stay on the safe side, even if Avast doesn't indicate anything. Perhaps try another antivirus, or maybe a malware cleanup tool like Malwarebytes Antimalware (I know for a fact it detects Jeefo). Also try looking for the svchost.exe file directly in your c:\windows folder, which is a telltale sign of this particular virus. Svchost.exe is normally found in the system32 folder, so if you find it directly in the Windows folder, then your machine is most likely infected and you should act quickly to get rid of the virus.
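The two checks suggested in this thread (look up a flagged file by its hash on VirusTotal, as in Reply #7, and look for svchost.exe directly in the Windows folder, as in Reply #12), sketched as an added Python example that is not from any poster. The function names and the paths in the usage section are assumptions; the SHA-256 is the one in the VirusTotal link above.

```python
import hashlib
import os
from pathlib import Path

# SHA-256 taken from the VirusTotal URL in Reply #7. A file infector changes
# every host file differently, so other infected files will NOT match it.
REPORTED_SHA256 = "a363e4f7dc388dcce86e686979755c65e69344d6f3210826cea72e1b1478783e"

def sha256_of(path):
    """Hash a file in chunks so large executables are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def hash_executables(folder):
    """Map each .exe under folder to (sha256, matches_reported_sample)."""
    report = {}
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".exe":
            digest = sha256_of(path)
            report[str(path)] = (digest, digest == REPORTED_SHA256)
    return report

def misplaced_svchost(windows_dir):
    """Return (path, sha256) for any svchost.exe directly in windows_dir.

    Subfolders such as System32 are deliberately not searched: that is
    where the legitimate copy lives.
    """
    hits = []
    for entry in Path(windows_dir).iterdir():
        # Windows file names are case-insensitive, so compare lowercased.
        if entry.is_file() and entry.name.lower() == "svchost.exe":
            hits.append((str(entry), sha256_of(entry)))
    return hits

if __name__ == "__main__":
    # Assumed usage: run on the affected machine from the extracted folder.
    windows_dir = os.environ.get("WINDIR", r"C:\Windows")
    if os.path.isdir(windows_dir):
        for path, digest in misplaced_svchost(windows_dir):
            print(f"SUSPICIOUS {path} sha256={digest}")
    for path, (digest, known) in hash_executables(".").items():
        note = "  (sample from Reply 7)" if known else ""
        print(f"{digest}  {path}{note}")
```

Each printed hash can be searched on virustotal.com without uploading the file itself.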

Helepolis

  • Charisma!
  • *
  • O-ojousama!?
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #13 on: March 15, 2016, 09:38:59 PM »
Confirming the file is highly suspicious. My Avast blocked it while downloading; it didn't even allow me to complete the download.

I've notified Blargel on IRC about it and notified him of the thread.

Please be careful when downloading ANY script. In general, I always prefer to scan anything I download. Small effort to prevent disasters.

Also Blargel aka KimoKeine is often available on IRC. If you need him fast, my advice is to visit #danmakufu on our IRC server.

--Helepolis

Edit:  Thank you Aka Kyuketsuki and others for the alerts. Much appreciated.

Edit2: The same seems to go for Nightmare Castle. Checking the 3rd script of this person.

Edit 3: Yeah, OK, the other one is also infected with Win32:Gardih
« Last Edit: March 15, 2016, 09:44:50 PM by Helepolis »

Python

  • Plains of Chi-u have no end.
  • *
  • They are boundless and last forever.
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #14 on: March 15, 2016, 09:44:19 PM »
So you actually executed one of the files? Knowing how annoying file infectors can be, I'd really advise you to stay on the safe side, even if Avast doesn't indicate anything. Perhaps try another antivirus, or maybe a malware cleanup tool like Malwarebytes Antimalware (I know for a fact it detects Jeefo). Also try looking for the svchost.exe file directly in your c:\windows folder, which is a telltale sign of this particular virus. Svchost.exe is normally found in the system32 folder, so if you find it directly in the Windows folder, then your machine is most likely infected and you should act quickly to get rid of the virus.

There is no svchost.exe in my Windows folder, but just for safety, I ran a full scan with Avast now and it yielded seven results. None of them are Jeefo though, they're all called "OpenCandy" or something like that, and Avast doesn't classify them as particularly dangerous. Makes me wonder where that Jeefo went though, after I extracted the ZIP, since it bitched about Jeefo before extracting, but not afterwards.

Helepolis

  • Charisma!
  • *
  • O-ojousama!?
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #15 on: March 15, 2016, 09:46:32 PM »
For now I would advise not to download any scripts from user Silvero until further notice from Blargel.

Author: http://www.bulletforge.org/u/silvero


Blargel

  • RAWR!
  • I'M AN ANGRY LOLI!
Re: [VIRUS ALERT] About the "Sweet Dreams" fangame on BulletForge
« Reply #16 on: March 16, 2016, 12:16:23 AM »
The projects have been taken down.
<WorkingKeine> when i get home i just go to the ps3 and beat people up in blazblue with a loli
<Azure> Keine: Danmakufu helper by day, violent loli by night.