Hitman Kazama

Member
Feb 9, 2018
152
38
160
It is clean UNTIL you play the game. If it's infected, it will try to create some files which will then execute to download the virus itself. IIRC, the changed file was one of the plugins in the www/js/plugins folder.
All files are from 2024 in all folders, including that one
 

Hitman Kazama

Member
Feb 9, 2018
152
38
160
If you got it from here then it is that version. Maybe it got blocked for you? Or it has a timer; sadly, I have no idea about Java.

Go to Breeding City Welcomes You!\www\js\libs check the SHA256 of pixi.js
SHA256: 85aafadcf0855ce32d2412689491a58b59874d67703020d46372237ae0a4e967
In my case I have the same hash of the .exe, but it's not the same as the extension, in my case it's:
e8c3aba19cbdb6bfdfe7e9e06753329171731d1a05d5c49b750cc6656a31444a for pixi.js
 

Hitman Kazama

Member
Feb 9, 2018
152
38
160
Considering there are ways to change the metadata of files, that doesn't say much.
I'm aware of that; that's why I'm checking the whole PC. I didn't play, I just opened it to see the home screen and know what game I've downloaded. I downloaded like 10 at a time, and by name I didn't know what games they were. Apparently the infected hashes are different from mine. That's why I need the date on which the link was changed, to have a plus of rest; otherwise I will be paranoid until I find something or not.
This data cannot be changed; it is embedded in the file. If you change it, the hash changes. The top one is when the file is unzipped, the bottom one is the original creation.
 

shmurfer

Engaged Member
Dec 29, 2019
3,168
4,950
387
I'm aware of that; that's why I'm checking the whole PC. I didn't play, I just opened it to see the home screen and know what game I've downloaded. I downloaded like 10 at a time, and by name I didn't know what games they were. Apparently the infected hashes are different from mine. That's why I need the date on which the link was changed, to have a plus of rest; otherwise I will be paranoid until I find something or not.
This data cannot be changed; it is embedded in the file. If you change it, the hash changes. The top one is when the file is unzipped, the bottom one is the original creation.
Unlikely for pixi.js to have edited itself to hide its steps; if the hash doesn't match you should be fine. All it did was download the real virus after a while, and at this point Defender knows it exists and would attempt to block it. Sucks for the first few people to be hit by it, but Defender works fast to spread the defense out.
 
  • Like
Reactions: Hitman Kazama

Quirky

Newbie
Aug 24, 2017
27
92
173
So the virus had a timer of sorts? I played for about 10 minutes before seeing someone talk about it being a virus, at which point I deleted the dl, game and other game linked files. I didn't see anything weird in Appdata but I'm doing a full scan nonetheless.
 

Aaron371

New Member
Jul 19, 2023
9
5
136
So I got an outbound detection block from Malwarebytes shortly after running the game, ran an ESET scan, picked up a Trojan in Users\"Username"\AppData\Local\MySupergame\updates called msedge_elf.dll

idk if it installs in the same place every time.

I would like to know if I still need to go through and reset all my session keys and passwords or if Malwarebytes saved my ass

btw I'm pretty sure the virus attempts to hook into the Edge auto updater, that's why it's delayed, since the auto updater runs every hour
 

shmurfer

Engaged Member
Dec 29, 2019
3,168
4,950
387
So the virus had a timer of sorts? I played for about 10 minutes before seeing someone talk about it being a virus, at which point I deleted the dl, game and other game linked files. I didn't see anything weird in Appdata but I'm doing a full scan nonetheless.
The game itself didn't actually have a virus, which is why all the posts about VirusTotal don't work. No one's checking the exact trigger, but are guessing after a while it connected to the internet to download the actual virus, which does trigger VirusTotal.

I would like to know if I still need to go through and reset all my session keys and passwords or if Malwarebytes saved my ass
How anal are you about security? You're probably fine, but what do you have to lose if you aren't?
 
  • Like
Reactions: Hitman Kazama

Hitman Kazama

Member
Feb 9, 2018
152
38
160
Unlikely for pixi.js to have edited itself to hide its steps; if the hash doesn't match you should be fine. All it did was download the real virus after a while, and at this point Defender knows it exists and would attempt to block it. Sucks for the first few people to be hit by it, but Defender works fast to spread the defense out.
I've also looked at the line that activates it according to a comment above. I don't have that line; my line is this:
[Screenshot: Captura de pantalla 2025-08-21 034543.png]
The comment has:
[Screenshot: Captura de pantalla 2025-08-21 034649.png]
 

Hitman Kazama

Member
Feb 9, 2018
152
38
160
I'm clearly safe, but I still check the PC. Windows warned me three times that I found something even though it doesn't appear in the history, so since I don't know if it's this game or a false positive, I'm going to check anyway.
 

Hitman Kazama

Member
Feb 9, 2018
152
38
160
So I got an outbound detection block from Malwarebytes shortly after running the game, ran an ESET scan, picked up a Trojan in Users\"Username"\AppData\Local\MySupergame\updates called msedge_elf.dll

idk if it installs in the same place every time.

I would like to know if I still need to go through and reset all my session keys and passwords or if Malwarebytes saved my ass

btw I'm pretty sure the virus attempts to hook into the Edge auto updater, that's why it's delayed, since the auto updater runs every hour
Do it. If you are already sure that you have had something, clean everything. Once you delete it, change all the passwords including Windows, especially that one, then clean the entire cache of the browser; with cookies no passwords are needed.
 
  • Like
Reactions: shmurfer

shmurfer

Engaged Member
Dec 29, 2019
3,168
4,950
387
My time recovering accounts that get breached
I was talking more about what accounts do you have saved passwords for? The truly important things I don't have saved.

Just change them at this point then, sounds faster than figuring out whether you should bother.
 

Hitman Kazama

Member
Feb 9, 2018
152
38
160
I see that, I'm free. I didn't see the time well; I saw the message and I moved like a wolf to look, without seeing the time after seeing the day. In my case I downloaded it before 7 am, uncompressed at 7:03, that means in GMT at 5 am. The problem was at [Screenshot: Captura de pantalla 2025-08-21 053648.png]
In my case it was 18:16 GMT+2, so I'm free. God, what a relief to know.
 
  • Yay, update!
Reactions: noneanpocke

pokiestick

New Member
May 22, 2024
4
9
80
I see that, I'm free. I didn't see the time well; I saw the message and I moved like a wolf to look, without seeing the time after seeing the day. In my case I downloaded it before 7 am, uncompressed at 7:03, that means in GMT at 5 am. The problem was at [View attachment 5168062]
In my case it was 18:16 GMT+2, so I'm free. God, what a relief to know.
Were the files changed after original upload of the new translation? Was there a time when you could have downloaded this new version and it was safe?
 

Hitman Kazama

Member
Feb 9, 2018
152
38
160
Were the files changed after original upload of the new translation? Was there a time when you could have downloaded this new version and it was safe?
If you downloaded it before 4 pm, no problem. If your hash for pixi.js is e8c3aba19cbdb6bfdfe7e9e06753329171731d1a05d5c49b750cc6656a31444a, that file is fine. Use a hash detector; do not use Windows, it is a problem to try to know how. I downloaded the hasher, and with it you can see all the hashes; the one that interests is 256. If you didn't play it and you only had it, you're fine too, just delete it, only change that file.
 
3.80 star(s) 33 Votes
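
The checks discussed across this thread (hashing www/js/libs/pixi.js, comparing it with the two SHA-256 values posters quoted, and looking for the file one poster's ESET scan flagged) can be scripted as below. This is an added example, not code from any poster; `sha256_file` and `triage` are hypothetical names, and the labels on the hashes repeat what posters said rather than any independent analysis.

```python
import hashlib
from pathlib import Path

# SHA-256 values for www/js/libs/pixi.js quoted in the thread. The labels
# reflect how posters described them (an assumption, not verified here).
THREAD_HASHES = {
    "85aafadcf0855ce32d2412689491a58b59874d67703020d46372237ae0a4e967":
        "hash posted as the one to check for (copy reported infected)",
    "e8c3aba19cbdb6bfdfe7e9e06753329171731d1a05d5c49b750cc6656a31444a":
        "hash a poster reported for a copy downloaded before the change",
}
# Where one poster's scan flagged a file, relative to %LOCALAPPDATA%.
REPORTED_ARTIFACT = Path("MySupergame") / "updates" / "msedge_elf.dll"


def sha256_file(path, chunk=1 << 20):
    """Hash file contents in chunks; names and timestamps do not affect it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(game_dir, local_appdata, known=THREAD_HASHES):
    """Return a report dict for one extracted game folder."""
    report = {"pixi_sha256": None, "pixi_verdict": "pixi.js not found",
              "plugin_hashes": {}, "artifact_present": False}
    pixi = Path(game_dir) / "www" / "js" / "libs" / "pixi.js"
    if pixi.is_file():
        digest = sha256_file(pixi)
        report["pixi_sha256"] = digest
        report["pixi_verdict"] = known.get(digest, "not a hash quoted in the thread")
    # One poster recalled the changed file being under www/js/plugins, so
    # record those hashes for comparison against a copy from another source.
    plugins = Path(game_dir) / "www" / "js" / "plugins"
    if plugins.is_dir():
        for p in sorted(plugins.glob("*.js")):
            report["plugin_hashes"][p.name] = sha256_file(p)
    artifact = Path(local_appdata) / REPORTED_ARTIFACT
    report["artifact_present"] = artifact.is_file()
    return report


if __name__ == "__main__":
    import os
    import sys
    print(triage(sys.argv[1], os.environ.get("LOCALAPPDATA", ".")))
```

A verdict of "not a hash quoted in the thread" only means the file differs from both posted values; it says nothing about whether the file is safe.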