Garrys Mod Virus

While playing on my garrysmod server today I received a request from Windows to use the cmd prompt. Everyone on my server at the time got the same request from a suspicious .exe in c\programdata{temp folder}\dcomuti.exe

http://puu.sh/6ssSF.png

Moments later my antivirus quarantined a suspicious file in garrysmod/data called kim.txt; when opened it looks like this:
http://puu.sh/6sqjE.png

There was also an oddly named folder containing kim_win32.dll

http://puu.sh/6ssS6.png

http://puu.sh/6sttp.png

I have moved all files onto a USB stick for now, but I am getting non-stop trojan reports.

http://puu.sh/6stbi.png

Especially from kim.txt

I was asked to create this thread to generate some publicity for the problem of getting infected through Garrysmod. Here is a link to the help thread I initially created: http://forum.facepunch.com/showthread.php?t=1351705
After speaking to a few Facepunch community members they believe this is the same gmod virus from before.

Be sure to look for these files and run a few scans to be safe.

Link (having issues with kim.txt; looking to get another copy)

https://mega.co.nz/#!F1ljSIYJ!HViAQjrxQwba3Ax2AXdw_ENyijV1sUsYw4qDZ0VbCKk - Steam\Appcache\Httpcache\40(filename)

Watch for:
kim.txt
kim_win32.dll
dcomuti.exe
ngov.txt

Also:

Can you upload the files to a safe spot? I can sift through them better that way.

shoot you weren’t supposed to find out about my trojan

Just added the link to the first post; going to try and keep everything there. I am having issues with kim.txt and will try and get another copy of it.

http://puu.sh/6sAVc.png

D:\gmod\example\lib\windows\gm_ngov.pdb

gm_ngov ?

I do recall seeing a ngov.txt file, but it was 0b

gm_ngov appears in the .dll as well:

http://puu.sh/6sCjD.png

[editline]21st January 2014[/editline]

This needs to get fixed, all players on that server got infected with trojans. This is a very serious exploit.
Imagine the things hackers can do with this. Create slaves for botnets, installing keyloggers.

I'm working to get a kim.txt file for you guys; that file makes my antivirus go a little crazy with malicious reports and trojans.

That txt looks like some executable in txt format. Would make sense since GMod allows txt file saving, but how it got saved (RCon exploit?), as well as how it got executed, remains a mystery.

Most of the Executables have “MZ” at the start, this one too, so yes, this txt file was converted into an exe.

The question is “HOW ???”
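A defender-side check for the point made above (a .txt that really starts with an MZ header), added here and not from any poster in this thread: it walks a garrysmod/data-style tree, flags the filenames listed in this thread, and validates the DOS stub and PE signature so a stray "MZ" in a real text file is reported separately. The sample tree it builds is constructed for the demo and contains no real malware.

```python
import os
import struct
import tempfile

# Filenames named in this thread as indicators; the bytes below are constructed, not real samples.
SUSPECT_NAMES = {"kim.txt", "kim_win32.dll", "dcomuti.exe", "ngov.txt"}
EXECUTABLE_EXTS = (".exe", ".dll")

def classify_header(path):
    """Return None, 'MZ stub' or 'PE image' from the file's leading bytes."""
    with open(path, "rb") as f:
        header = f.read(0x40)
        if header[:2] != b"MZ":
            return None
        if len(header) == 0x40:
            # e_lfanew at offset 0x3C points at the 'PE\0\0' signature
            e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
            f.seek(e_lfanew)
            if f.read(4) == b"PE\0\0":
                return "PE image"
    return "MZ stub"

def scan_data_dir(root):
    """Walk a data directory and return {relative path: [reasons it was flagged]}."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower() in SUSPECT_NAMES:
                reasons.append("known filename")
            if not name.lower().endswith(EXECUTABLE_EXTS):
                kind = classify_header(path)
                if kind:
                    reasons.append(f"{kind} hidden in non-executable file")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample_dir():
    """Constructed sample tree (not malware): a .txt carrying a PE header, an empty ngov.txt, a benign save."""
    root = tempfile.mkdtemp(prefix="gmod_data_")
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> directly after the stub
    with open(os.path.join(root, "kim.txt"), "wb") as f:
        f.write(bytes(dos) + b"PE\0\0" + b"\0" * 20)
    open(os.path.join(root, "ngov.txt"), "wb").close()
    with open(os.path.join(root, "settings.txt"), "w") as f:
        f.write("sv_hostname example")
    return root
```

Running `scan_data_dir(build_sample_dir())` reports kim.txt for both its name and its PE header, ngov.txt for its name only, and leaves settings.txt alone.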

Have you been able to pin down how you got this in the first place? You say you were playing on your server and all the players on it also appeared to have received the same attempt to launch cmd? I'm not trying to suggest you had any part in it or anything; it just seems unusual that everyone would have exactly the same files that came to life while on your server.

What addons, workshop or otherwise do you use? Or maybe we are looking at that scumbag steam browser again.

This doesn't have anything to do with his server in particular, as this exploit has been posted before: http://forum.facepunch.com/showthread.php?t=1330836

Also, NFO is hosting his server so he has no access to change any binaries to make such an exploit available.

Yes, I'm fully aware of the exploit and the fact there was no need to be concerned as there was no known way to change txts to exe.

If it has nothing to do with his server, everyone on his server just so happened to visit the same server recently to acquire these files then. That's if everyone on his server having a CMD roll up at the same time is simply coincidence.

I didn’t even know it was possible to get viruses through Garry’s Mod.

You don't get the whole picture: SRCDS itself is not coded in a way to distribute .dll's and .exe's. The Lua engine is at fault here, because I have never seen anything like this over at srcds.com's forums.

I am almost 100% sure this is not the server's fault. The only thing the server is contributing to this exploit is gathering people for mass distribution. I don't believe the server itself distributes those files, but simply one person figured out a way to execute client-side Lua on another player that somehow downloads that .txt file, constructs the virus out of it, compiles it, and then, for the final blow, executes it.

That’s how I think the exploit works.

It's even possible to tell a SQL server to construct a program through the only language the SQL server speaks: SQL statements. So why wouldn't this be possible?

Well, it looks like it is.

Just to double check, are you using any binary modules (ones that go into lua/bin)?

gmsv_mysqloo_win32.dll would be the only module that I’ve added to the server.

Unless there is an exploit in MySQLOO (which I doubt), then it won’t be that.

If you run the exe, it moves itself to

C:\{$5002-5679-2528-4621$}

and sets itself to load on startup.
As far as the gm_ngov dll, all I know is that it makes a copy of all the Lua userdata tables.

This is what the exe extracts:

It's an MS-DOS COM file.

Had this virus on my computer a few weeks back, the files install via a client dll file that manages to execute from a file within your data. On running the malicious code, UAC will alert that CMD wants administrative access. The command line is a VB script running within ProgramData.

You don't need to give administrative access, but allowing the program will make the software run at boot. Then the software will unpack a set of files within C:{5002-5679-2528-4621} or similar; these files are cryptocurrency miners, and two processes will be running in the background.

One is the container for the mining process. It ensures that if the application fails to start or is terminated, that it will be re-executed. dcomuti.exe is the containing process, the main mining tool is 512706380.exe.

[editline]21st January 2014[/editline]

Can GMod servers make you download modules? Is this a thing?