Author Topic: About the RATS recently uploaded  (Read 15519 times)

Darksaber2213 (Carbon Zypher in-game) posted an ARG of two inverted spinning cubes from his website. The music file, when downloaded as an EXE would open a BAT puzzle.

Ok, since I know ALL of you were begging for the soundtrack, I've uploaded it here.
<link removed>

User was banned for this post
It was posted here.

Everyone who ran mdftDecrypter.exe is now infected with a remote access tool.  I'd recommend you go offline, backup your data and reformat.  Do not keep any executables.
He used the first converting tool he found in browser:
battoexeconverter(dot)com
Unfortunately this altered the file and either inserted a RAT or inserted files that read as false positives. I tested it myself with the same results; you can too.

This is the source code for the BAT, obviously not malicious:
Code: [Select]
@echo off
color 0A

:pword
set /p password=Enter password to access program:

if NOT %password%== ff108Br77xx01 goto :wrongpass


set /p fileread=Type Name of File:

for /f %%i in (%fileread%.mdft) do (
CALL :decode %%i
)

:decode
echo Decrypting...
SET string=%~1

:: change the 'encrypted' technobabble back into hexadecimal
SET result=%string:NULL_DATA_STRING=0%
SET result=%result:return=1%
SET result=%result:DEL=2%
SET result=%result:group_info=3%
SET result=%result:encrypted_data=4%
SET result=%result:blockCount=5%
SET result=%result:ACCESS=6%
SET result=%result:structure=7%
SET result=%result:STRING=8%
SET result=%result:VARIABLE=9%
echo %result% >> %fileread%Decrypted.mdft
echo Decrypting Finished!
echo Saving Decrypted File...
exit

:wrongpass
echo Incorrect Password

:: play bell noise
ECHO 
goto :pword

Some evidence of other people having trouble with this software:
http://www.forums.cnet.com/7723-6132_102-262081/bat-to-exe-virus/
http://www.bleepingcomputer.com/forums/t/521672/trojanagentgen-coinminer/

It's probably a false positive, judging from the results. If it is real, Carbon is not controlling the RAT. Unfortunately users like Maxx continue to post appeal-to-authority garbage not understanding the basics of conversion and false positives.

tl;dr: the (possible) virus was inserted by a 3rd party conversion website

I got hit with a RAT once, and it did exactly what this one did to other people. Call me a piece of stuff but I'll still be skeptical.

Going to post this here because it's more relevant.

Still doesn't explain why it duplicated itself into a renamed .exe and a bat file.
It never duplicated itself. The exe was 15 bytes long and only had the text "RCHELICOPTERFTW" in it.

Going to post this here because it's more relevant.
It never duplicated itself. The exe was 15 bytes long and only had the text "RCHELICOPTERFTW" in it.
Alright then, but it still seems really loving sketchy that it would just make files like that.
I mean come on.

Alright then, but it still seems really loving sketchy that it would just make files like that.
I mean come on.
cus it's an ARG

Alright then, but it still seems really loving sketchy that it would just make files like that.
I mean come on.
ARGs are actually well known for their clear and unmysterious nature. I suspect this was not the route he planned for it to take, but hey, still better than 232thgilF.

Alright then, but it still seems really loving sketchy that it would just make files like that.
I mean come on.
Almost certainly the result of the bat2exe converter, which does a really stuffty job of converting to exe. All it does is run the bat and funnel the output to the exe to make it look like it's been converted to an exe file.

So you're saying the guy who posted it didn't intend to put a RAT. I kinda believe this with the evidence op provided.

So you're saying the guy who posted it didn't intend to put a RAT. I kinda believe this with the evidence op provided.
Knowing Carbon Zypher, he's the guy that wouldn't place a RAT on purpose

Almost certainly the result of the bat2exe converter, which does a really stuffty job of converting to exe. All it does is run the bat and funnel the output to the exe to make it look like it's been converted to an exe file.
i guess that would make sense. though it's still suspicious. i don't believe i have been ratted but ill be kinda cautious about typing passwords

i appreciate that maxx is trying to help, but i think it's fine

yeah i did some digging and apparently the rat that is supposedly involved here usually throws up a little bit more obvious evidence, processes and the like, and i'm not seeing anything out of the ordinary.
still not thrilled to type pws but i rarely if ever log in wherever.

That said, if I suddenly forum Self Delete, that's Crispy and Flame's cue to disable their networks, login and change their passwords with other devices, yeah? (forum Self Delete is stupid)

I ran the executable out of curiosity with quickp-scan on. There weren't any files created in user/local/temp.

I should be safe, right?

So, Darksaber got banned AND revoked for distributing a RAT, but Paperclip's RAT that may be still affected and he has distributed it too with his mates, but he is still on? Can someone fill me up.

ARGs are actually well known for their clear and unmysterious nature. I suspect this was not the route he planned for it to take, but hey, still better than 232thgilF.
i had a really well idea for that actually

i dont know stuff and i get worried hella easy, would i be affected just by visiting the sites? and if i just download the zip am i fine? i didnt run anything, infact i cancelled the xio 8/10 ways it was almost done. anyway, should i worry about either? pls answer to soothe me worrying