This is a repost from this thread coming from a different board, as suggested.

---

Hello, Malwarebytes forum! I would like to report the existence of malware, of files coming out of the following URL: https://planetlemoncraft.com/

The website Planet Lemoncraft has been known for a long time for providing alternate download links for modifications for the popular game Minecraft, which are hosted by themselves. Unfortunately for me, I was negligent in my vigilance this time and I downloaded one of the files from their server, called "Minecraft Forge", which is supposed to be an open source API for modders. Of course, the file that gets downloaded is not the actual "Minecraft Forge", as I soon discovered that the mod I'm looking for is hosted ONLY on the developers' official website ... but alas. It directed me to a site whereupon I got a "personalized" .msi file that is supposed to install the program. By personalized, I mean that no two downloaded files are alike. For instance, the attached file is called "minecraftforge_38876.msi", while when I downloaded one, it was called "minecraftforge_xxxxx.msi", with 'x' being any random number. It is worth noting that the actual Minecraft Forge installer does not come in an .msi file, but a .jar executable.

I foolishly ran the file and went ahead with the installation. Upon completion, I got a shortcut in my Downloads folder called "MinecraftForge.lnk". Opening this takes me to a website whereupon another .msi is asked to be downloaded. This is the point where I stopped (or I was foolish enough to download it as well), when I got suspicious and looked at the new .msi file's certificates, which is certified for a "GanyMobile SAS" (or something like that), which should make it clear that it was malware. I immediately returned to my Downloads folder to purge all the files, but when I opened the folder, I saw that the original .msi file had deleted itself upon running.

I confirmed this by downloading another file from the same link (ridiculous, I know), which provided another personalized file, and when running the installer it automatically deletes itself (of course I didn't run the installer fully this time; I only opened it once to confirm that it auto-deletes itself upon running). Most troubling of all is that Malwarebytes did not react to anything at all. I scanned the second downloaded file multiple times, as well as the one in the attachment, and I've gotten negative results. I even ran SpyHunter (suggested by a thread that suffered from this same issue) and found 0 results as well... I've had a manual look through %AppData%, Program Files, and Common Files, and couldn't find anything that seems out of place. Perhaps I was lucky that I didn't get one that's packed with trojans, or there's an undetected trojan/keylogger sitting in my computer that will f**k my PC up for my carelessness.

Please do have a look at the file attached as well as the downloadable .msi from the first link provided at the start of my post. I am aware that I have posted this thread on the Newest Malware Threats board instead of the Newest IP or URL Threats. My current concern is with the status of my PC and whether it's currently susceptible to malicious activity or not, since I ran the suspected software. If I have indeed miscategorized the thread, then I apologize and I humbly request that this thread be moved to the other board instead of being deleted. Please do let me know how to proceed. I'm terribly anxious about the consequences of my error. I'm still hoping that it was a shortcut launcher and nothing worse... Thank you!

-CrimsonSymphony

(Attachment details can be found on the next page.) The files attached are:

- FRST.txt
- Addition.txt
- minecraftforge_38876.rar - contains an .msi file similar to the one I downloaded
- minecraftforge.exe.rar - a .rar file containing the .lnk shortcut that was made upon the .msi file's completion (not 38876! Do recall that the .msi auto-deletes upon running)
- Screenshots 01 to 08 - screenshots to help illustrate the description above. I did not take screenshots of the .msi file as I did not want to run it a third time. However, screenshots uploaded by others (for similar files downloaded from the same website) can be found in the Reddit links below.

---

Please find results from the online virus scanners, as suggested by the stickied thread of this board:

- VirusTotal - https://www.virustotal.com/gui/file/3da1a0b6a681f4d61cefd8f3a4806bf46336b053d19698e5eb86668dfb9663f8/detection
- Jotti - https://virusscan.jotti.org/en-US/filescanjob/ntknys4e8n
- VirSCAN - https://r.virscan.org/language/en/report/b75fc47a3b95ccb2fe212f25d6b0f498

---

A Reddit user, u/Chengers, had a look into this issue for a similar program (also for Minecraft) called Optifine, which is also "downloadable" from the deceiving URL mentioned earlier. He has written two in-depth posts about this which may come in useful for you guys:

- "A dive into the fake Optifine variant "Planet Lemon Craft" and an analysis/write-up of what it actually does." - https://www.reddit.com/r/Optifine/comments/eo1hq5/a_dive_into_the_fake_optifine_variant_planet/
- "Hello all, The "Lemon Optifine" fake optifine exe has changed what it installs. I have just logged it with procmon and I need community help to filter through the ~13000 lines of logs to possibly make a .bat cure." - https://www.reddit.com/r/Optifine/comments/fus7vb/hello_all_the_lemon_optifine_fake_optifine_exe/
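The shortcut is the one artifact the post says survived the self-deleting installer, so a defender's first step is to read where a .lnk points without double-clicking it. The following is an added example, not code from the post or from any tool it mentions: a minimal parser for the Shell Link (.lnk) format that pulls out the RelativePath/Arguments strings and flags a shortcut whose arguments hand a web URL to its target. The sample shortcut, its path and its URL are constructed placeholders, and non-Unicode strings are assumed to be cp1252.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that govern which sections follow the header
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]

def parse_lnk(data):
    """Return the StringData fields of a Shell Link without executing it.
    Assumption: ANSI (non-Unicode) strings are decoded as cp1252."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a .lnk file (bad HeaderSize)")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a .lnk file (bad LinkCLSID)")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:    # LinkTargetIDList: u16 size (excluding itself) + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: u32 size that includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for bit, name in STRING_FIELDS:  # StringData entries appear in this fixed order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + width * count]
            pos += 2 + width * count
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return fields

def launches_url(fields):
    """True when the shortcut hands a web URL to its target, as the post's MinecraftForge.lnk did."""
    text = (fields.get("arguments", "") + " " + fields.get("relative_path", "")).lower()
    return "http://" in text or "https://" in text

def build_lnk(relative_path, arguments):
    """Constructed sample only: a minimal Unicode .lnk carrying RelativePath + Arguments."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body

# constructed stand-in for the shortcut described in the post (placeholder path and URL)
SAMPLE = build_lnk(r"..\..\Program Files\Browser\browser.exe", "https://example.invalid/minecraftforge")
```

Run `parse_lnk` on the bytes of a real shortcut (`open(path, "rb").read()`) to see its strings; a hit from `launches_url` is the cue to treat the shortcut as a downloader stub rather than a game launcher.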