Skyrim -Community- Uncapper may be hacked

[lanbladez]

Latest version of uncapper may be a virus, the .dll does not show in wrye smash. If run through virustotal, shows up as a variant of a virus. This may be a new virus that has not be analyzed. Another thing is that this file is a lot smaller than last upload, also last upload if ran through same virus scan does not show anything but this one does. INSTALL AT YOUR OWN RISK. 

[Kelmych]

I got the same result; Microsoft Security Essentials said the file is a virus.

[lanbladez]

This is what the virus may be, W32/Heuristic-MU2!Eldorado. Thanks for the confirmation.

[Farlo]

I'm not getting a hit from Avast. At the very least we should alert the Nexus and the mod author; it needs to be pulled down before more people download it, just in case.

 

EDIT: Check the hashes, does the one you scanned have the same values?  I'm getting a clean result from Virustotal with a fresh download:

 

v1.15.0.0 -

Archive

DLL

 

v1.15.1.0 -

Archive

DLL

[lanbladez]

I already reported the file, if more people report the file it may be pulled down faster.

[Farlo]

See my previous post, I updated it with the results I got from Virustotal. I think you might have a virus or other baddie on your end because I just downloaded both files (v1.15.1 and v1.15.0) and not only are they both clean, but they are essentially identical in terms of size and content (open them in Notepad++ to compare).

[lanbladez]

Here is my proof, https://www.virustotal.com/en/file/6d70e8f7a0760ab2be8717ac1ddb50bdb69fd5c55c4afd22b864a3bad34ebd14/analysis/1363931479/

 

This is no fault at my end, since either they cleaned it up already or it did not effect all servers.

[Farlo]

Here is my proof, https://www.virustotal.com/en/file/6d70e8f7a0760ab2be8717ac1ddb50bdb69fd5c55c4afd22b864a3bad34ebd14/analysis/1363931479/

 

This is no fault at my end, since either they cleaned it up already or it did not effect all servers.

The two reports have a different checksum, so you definitely have a different file.  However, the Nexus log states that the mod hasn't been updated since "16:18, 21 Mar 2013".  I'm assuming that is in my timezone (PST) since the rest of the site seems to adjust to my local time, in which case the mod hasn't been changed in over 8 hours. 

 

When did you download the "dirty" file and from which server?  Also, I'd appreciate it if you could update your report or otherwise let the Nexus know that we're also collecting some data.

[lanbladez]

I downloaded it over 2 hours ago, and I just downloaded a new file and I am getting same check sums as you, they probably fixed this file on their back end, thus nexus would not show that the files was changed. As of right now the file is clean.

[Farlo]

I downloaded it over 2 hours ago' date=' and I just downloaded a new file and I am getting same check sums as you, they probably fixed this file on their back end, thus nexus would not show that the files was changed. As of right now the file is clean.[/quote']

I'm not trying to discredit your claims or anything, but I somewhat doubt that the Nexus would "fix" the mod and not bother to notify anyone.  It seems more likely that the mod would be taken down and the author banned to prevent them doing it again.

[lanbladez]

I do not think the author had anything to do with this, I think their system got hacked and a malicious file got inserted into the rar. Second of all why would they want to publicize that this file was infected, it would hurt their credit. Someone before me claimed that the files was infected previously, so I cannot be the only one.

[z929669]

I downloaded 1.15.1.0 at about 0600 GMT, and it was clean at that time. My results match Farlo's:

 

SHA256: c88819df771b72ab0bc969cff95d4947d0648693ded2c3b220ca75f326d97c85

 

 

What is the timestamp on the infected file for landbladez and Kelmych and Farlo (in GMT please)?

[EssArrBee]

The nexus uses lots of servers, so the infected file might not have made it's way through all the download locations. I choose Dallas mostly because I'm in Texas and it safe, so maybe it is a different server that is the source.

[Kelmych]

Nexus has an explanation for the problem on the front page. Some of their servers were hacked and for a short time period before it was fixed these servers were pushing a file with a virus.

[Ubeogesh]

I'd like use the opportunity and suggest not to run Skyrim or any other program as Administrator as many people suggest. This would save you the pain if you get a virus in SKSE plugin or some other custom dll\exe file you use in modding. The virus still might be able to do something bad in this case (i.e. send some of your data into the internet), but only in terms of your user profile (i.e. it won't damage your operating system)

[deathneko11]

The nexus uses lots of servers' date=' so the infected file might not have made it's way through all the download locations. I choose Dallas mostly because I'm in Texas and it safe, so maybe it is a different server that is the source.[/quote']

Another Texan :D