Darksaber2213 (Carbon Zypher in-game) posted an ARG of two inverted spinning cubes on his website. The music file, when downloaded as an EXE, would open a BAT puzzle.
Ok, since I know ALL of you were begging for the soundtrack, I've uploaded it here.
<link removed>
User was banned for this post
It was posted here.
Everyone who ran mdftDecrypter.exe is now infected with a remote access tool. I'd recommend you go offline, back up your data and reformat. Do not keep any executables.
He used the first converting tool he found in his browser:
battoexeconverter(dot)com
Unfortunately, this altered the file and either inserted a RAT or inserted files that read as false positives. I tested it myself with the same results; you can too.
This is the source code for the BAT, obviously not malicious:
@echo off
color 0A
:pword
set /p password=Enter password to access program:
:: quote both sides so an empty or space-containing entry cannot break the IF
if NOT "%password%"=="ff108Br77xx01" goto :wrongpass
set /p fileread=Type Name of File:
:: read each whole line; the default delims would stop at the first space
for /f "usebackq delims=" %%i in ("%fileread%.mdft") do (
    CALL :decode "%%i"
)
echo Decrypting Finished!
echo Saving Decrypted File...
pause
exit /b

:decode
echo Decrypting...
SET "string=%~1"
:: change the 'encrypted' technobabble back into hexadecimal
:: NULL_DATA_STRING must be replaced before STRING, which it contains
SET "result=%string:NULL_DATA_STRING=0%"
SET "result=%result:return=1%"
SET "result=%result:DEL=2%"
SET "result=%result:group_info=3%"
SET "result=%result:encrypted_data=4%"
SET "result=%result:blockCount=5%"
SET "result=%result:ACCESS=6%"
SET "result=%result:structure=7%"
SET "result=%result:STRING=8%"
SET "result=%result:VARIABLE=9%"
:: redirection first, so a trailing digit in %result% is not parsed as a handle number
>>"%fileread%Decrypted.mdft" echo %result%
:: return to the FOR loop; a plain EXIT here would close cmd after the first line
exit /b

:wrongpass
echo Incorrect Password
:: play bell noise (the BEL character after ECHO did not survive copy/paste)
ECHO
goto :pword
Some evidence of other people having trouble with this software:
http://www.forums.cnet.com/7723-6132_102-262081/bat-to-exe-virus/
http://www.bleepingcomputer.com/forums/t/521672/trojanagentgen-coinminer/
It's probably a false positive, judging from the results. If it is real, Carbon is not controlling the RAT. Unfortunately, users like Maxx continue to post appeal-to-authority garbage, not understanding the basics of conversion and false positives.
tl;dr: the (possible) virus was inserted by a third-party conversion website.
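Since the advice in this thread is to keep no executables, here is a way to solve the puzzle without running mdftDecrypter.exe or any BAT-to-EXE output at all. This is an added Python example, not code from the thread or from Carbon: it re-implements the posted BAT's token table and makes explicit two things the BAT only implies, that the replacement order matters because NULL_DATA_STRING contains STRING, and that cmd's %var:a=b% substitution is case-insensitive. The final hex-to-bytes step is an assumption; the thread only says the output is hexadecimal.

```python
"""Offline decoder for the ARG's .mdft token files.

Added example, not from the thread or its poster: applies the same
token -> hex-digit table as the posted BAT, in Python, so the puzzle can
be solved without executing mdftDecrypter.exe or any converter output.
"""
from __future__ import annotations

import re

# Token -> hex digit, copied from the posted BAT's SET %result:...% lines.
TOKENS = {
    "NULL_DATA_STRING": "0",
    "return": "1",
    "DEL": "2",
    "group_info": "3",
    "encrypted_data": "4",
    "blockCount": "5",
    "ACCESS": "6",
    "structure": "7",
    "STRING": "8",
    "VARIABLE": "9",
}

# One alternation, longest token first, so an enclosing token such as
# NULL_DATA_STRING is consumed before its substring STRING.  cmd's
# %var:a=b% substitution is case-insensitive, so mirror that with IGNORECASE.
_TOKEN_RE = re.compile(
    "|".join(re.escape(t) for t in sorted(TOKENS, key=len, reverse=True)),
    re.IGNORECASE,
)
_DIGIT = {t.lower(): d for t, d in TOKENS.items()}


def decode_line(line: str) -> str:
    """Replace every token in one line with its hex digit; other text is kept."""
    return _TOKEN_RE.sub(lambda m: _DIGIT[m.group(0).lower()], line)


def decode_text(text: str) -> list[str]:
    """Decode a whole .mdft file's contents, one record per line, like the BAT's FOR /F."""
    return [decode_line(line) for line in text.splitlines()]


def hex_to_bytes(hex_lines: list[str]) -> bytes | None:
    """Assumption (not stated in the thread): the hex digits encode a byte string.

    Returns None when the decoded text is not clean, even-length hex, which
    happens whenever a line still contains text that is not in the table.
    """
    try:
        return bytes.fromhex("".join(hex_lines))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample, not a real .mdft from the ARG: the tokens for 0x48 0x69.
    SAMPLE = "encrypted_dataSTRINGACCESSVARIABLE\n"
    lines = decode_text(SAMPLE)
    print(lines)                # ['4869']
    print(hex_to_bytes(lines))  # b'Hi'
```

Point it at a real .mdft with `decode_text(open("name.mdft").read())`; anything that is not in the token table is left in place, so a `None` from `hex_to_bytes` tells you the file used a token this table does not know, rather than silently producing garbage.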