Etheria & Aetheria

[Crispy_]

crispy how did you access local settings

i dont think i did?

i just went here
C:\Users\MYNAME\AppData\Local\Temp

and looked for the ytmp folder, checked inside to find the questioned bat and exe and deleted the folder

[Ad Bot]

[Maxxi]

Well, so far all signs point to it just being an exe made with something called "Advanced BAT to EXE Converter," so it really all depends if that itself is a virus or not.
Maxx you have no idea what the forget you're talking about.
The only files it makes are a bat file with harmless code in it to decrypt a special file format into hex and an exe file with the text "RCHELICOPTERSFTW" in it. That's confirmed by the scan.

i understand why you might think this, but this is what a RAT does.
a person sends out a file to other people, (in this case, the decrypter exe) to RAT them, the file after execution will take copies to a folder, the BAT is probably meant to destract you into thinking that its not. but the EXE is a copied stub that is basically the downloaded file running in the background.
the virustotal scan said it itself, that it is "Backdoor.DarkKomet.Win32.2497 8" and "Trojan.Win32.DarkKomet.dhzoxj" and so on.
Badspot said it himself, and Badspot made an entire game based around Torque coding and he knows what he is talking about. The signs are probably meant to distract you, but who knows.

are you sure? because i havent seen the "ytemp" folder come back.

the directory ipquarx listed directs the file to your user's temp folder
for example mine is this: C:\Users\Maxx\AppData\Local\Temp
Windows recognizes the user's temp folder and decides to send the file there, afaik.

so i have absolutely nothing to worry about? i'm just being fearmongered

You should still be watching, because this is most likely a RAT.

i still have my doubts it's actually a rat

if the scan comes up clean i'm calling it a day. the batch file was simple enough, and the only things weird about it was the first few lines where it called out a couple directories or something but that's really it.

kinda odd how it was stored under a ytmp folder under %temp% though. and the folder was hidden, but that could possibly just be the doings of the advanced bat to exe converter thing

as i have said yet everyone ignores, the virus total scan says its a rat, but for malwarebytes, that peice of the scan is clean.

[Flame]

Carbon (or Darksaber) is a close friend of mine on Steam and I know he wouldn't do this. He sent me a message a few moments ago.

I don't have any evidence, but I'm pretty sure it was an accident. He's a nice user.

this is exactly what i'm guessing.

i didn't think the program itself was malicious, just the program to wrap it into an executable file may have been sketchy. (i downloaded that too though. ._.)

[Maxxi]

Carbon (or Darksaber) is a close friend of mine on Steam and I know he wouldn't do this. He sent me a message a few moments ago.

I don't have any evidence, but I'm pretty sure it was an accident. He's a nice user.

he's hiding something, i know it.

[Crispy_]

for example mine is this: C:\Users\Maxx\AppData\Local\Temp

but i deleted it, and it hasn't came back?

[Crispy_]

deleted the files the program made, i meant

[Maxxi]

but i deleted it, and it hasn't came back?

you most likely got rid of it, if i were you i'd still backup my stuff and reformat but thats just me.

[Ipquarx]

Maxx still has no idea what he's talking about. Your entire claim about badspot magically knowing whether or not a file is a rat is completely invalid. You cannot magically determine whether or not a file is a virus, there has to be evidence to support it. This can be seen through A. created processes  B. modified, removed and created files  and C. read files.

Your claim about anti-viruses magically knowing whether or not something is a virus is also invalid, they use the behaviour of the exe (like the files it writes, the processes it makes, etc) to determine whether or not it's a virus. For example, if an exe creates and runs a file at location X, it's classified as a trojan. This is very possibly the case.

Let's take a look at the created processes and completely invalidate your claim about it running a virus in the background.


1. Create a folder named "afolder" in the temp directory
2. Create a folder named "ytmp" in the temp directory
3. set "ytmp" to hidden
4. clear the screen
5. if the bat file exists, delete it
6. if the exe files exists, delete it
#7 does absolutely nothing as far as I can tell.

SO. Unless you have some actual evidence that it's a virus. I am thoroughly convinced you're just bandwagoning and have not a damn clue what you're saying. You can start by looking for files that it modifies. Good luck.

[McZealot]

Carbon Zypher used battoexeconverter (dot) com to convert his personally made music files. The website appears clean, but upon further investigation other users of this software are having the exact same problem.

Evidence:
http://forums.cnet.com/7723-6132_102-262081/bat-to-exe-virus/
http://www.bleepingcomputer.com/forums/t/521672/trojanagentgen-coinminer/

I suspect from this that he attempted to convert his file using the first search result, and in doing so accidentally inserted a RAT into it, that is not controlled or owned by him.

he's hiding something, i know it.

maxx you are literally handicapped

stop trying

[King of the Bill]

From what I can tell the bat to exe is very commonly used to hide malware if the numbr of tutorials is an indicator
also um why is my ytmp folder empty

[Master Shadow Phoenix]

It's highly likely that some dipforget ratted the OP. He/she then decided to richard around the Blockland Forums by spreading his/her RAT to anyone foolish enough to download and run the program, all in a form of some ARG.

[Acerblock]

I don't know guys, in my personal opinion ignoring the whole RAT argument, I would be very skeptical of a random executable posted on a forum that creates two random files in temporary directories. Even the part with inputting a password, what kind of an application does this kind of thing, especially for a stupid little riddle in the Offtopic section. RAT or not, this program shouldn't be trusted at all.

[Flame]

hey i just noticed the "afolder" thing you were talking about ipquarx

it's empty...

also um why is my ytmp folder empty

:O

[AutoBahn]

Badspot said it himself, and Badspot made an entire game based around Torque coding and he knows what he is talking about.

Please note that someone with coding experience is not an instant cyber security master. While I have no doubts that Badspot is indeed making a good call here (not to mention he's quite decent with the whole cyber security business afaik), this is not a good basis for action on it's own.
Those of you who have downloaded and run the .exes, you're screwed; turn off your network connections and reformat. This is a version of darkcomet that is new/lesser known to the public cyberdefense eye, and will therefore not be detected by your system in most cases. If you want, you can send out the infected file to cybersec agencies to let them know they need to update - but a case like this can't be sat down with for hours while you wait for a fix.
What was said in the chat Zealot posted is most likely true - cases like this where a seemingly legitimate program will do a task with a 'piggybacking' (so to speak) software following in behind to do whatever it was trying to do - You'll see it often, especially in conversion programs (.midi to .ogg, .wav, .mp3, and, as we've seen here, .bat to .exe) to cloak the malicious file from suspicion. Dark's fallen victim, as it would seem, and didn't mean to spread this.

[Crispy_]

http://forums.cnet.com/7723-6132_102-262081/bat-to-exe-virus/

""Packers detected:
PE_PATCH, UPACK"

Sorry if I can't write this proper but such packers are needed to compile batch files. Its a shame that some scans will call it as malware. It's not unlike those tools we use to scan for Alternate Data Streams or change system password tools. Those can set off the alarms during a scan as well.

In other words a False Positive."