
Animation/ Malware Downloader: 'SexMod_Anal Cum NZ'



As some people asked me about the animation which showed a [Kritical] device used in an animation, I'll try to give the information I have.

@ Moderators: I don't target a specific member, please do not delete the thread. By removing the whole download thread it may be hard for users who downloaded this mod to realize that it may do harm to your system.

This file requires that you have custom content and script mods activated, which is very likely the case. For an animation it is too small (1kB) and the file suffix for all other animations is `.package`. This file is named `sexanalmod.ts4script` (not `sexanalmod.package`).
It's a compiled Python program (like all mods) which runs `Powershell` (so Mac users may be safe) to download malware which is not detected by Defender, at least not by the version I use.

If you have a file `%TEMP%\dasadsasd.exe` or `sexanalmod.ts4script` in your Mods folder and started TS4, you very likely now have malware running on your system. Anyhow, the malware may remove itself (I didn't test whether it does or not); in this case there would be no traces left. Only if you played without an internet connection or had the firewall configured to block all outgoing traffic would you be safe.

 


 

Updates:
2022-04-05: 'SexMod_Anal Cum NZ' / 'SexModAnalCumNZ.ts4script'
[image: StandingDoggy03.gif]


2022-03-30:  'Sex Anal Mod' / 'sexanalmod.ts4script'
[no image, sim sitting on animated Kritical device]


 

Edited by Oops19
another malware
Link to comment
  • Oops19 changed the title to Animation/ Malware Downloader: 'SexMod_Anal Cum NZ'
  • 3 weeks later...

While one can report the content and the admins remove it quite fast it would be really nice if all users who downloaded it would get a notification in their inbox.
They are usually forum admins, so they do not really need to know how a malware loader works, so it may be hard for them to post information about it.


I may assume that the admins have nothing in place to inform the users who downloaded the mods, if this information is available at all.  It would be even better if all uploaded content would be scanned for ts4script or py (in zip/rar files) and be blocked unless it's uploaded to script mods or something like this. Setting such things up may take some time.

Link to comment
10 hours ago, Oops19 said:


I may assume that the admins have nothing in place to inform the users who downloaded the mods, if this information is available at all. 

 

A sticky post with capitalized title like "VIRUS ALERT ON MOD XXXX" could be a start.

Link to comment
  • 4 weeks later...
22 hours ago, Oops19 said:

In future you may no longer need to worry. https://github.com/Oops19/TS4-PrivacyProtector which requires S4CL will protect you quite good.
If it was available and installed back then it would have blocked the mods mentioned above. And it does block the trackers which random authors add to their script mods.
S4CL does not contain a tracker, neither does DD.

hmm i tried it. i don't know anything about codes or whatnot but it gave some warning thing and so i read the text. apparently i still had basement mod installed even tho nisa mod doesn't work for me. so i removed it. but i also removed the privacy mod because i don't understand what all the inject this inject that stuff did.

Link to comment
  • 3 weeks later...

I installed S4CL just to run this privacy protector. Now WW carpet bombs the upper right hand corner indicator with last exception errors.

Turns out WW doesn't like S4CL. Just one Last Exception tho. Why would you even do that? And how did I get in the middle of this fight? All I want is to run my games. I should learn how to make my own dang animation run and write my own mods. This pettiness is absurd. (I guess it's big money tho)

Link to comment

Probably be good to find out if it's actually malicious or not too, think sometimes antivirus tags things as being malware if it tries to establish a connection to outside. Which some mods do in order to let you use links to patreons or stuff like that for support, but could also not be the case. But definitely seen some mod stuff which does try to let you get an established link to stuff like patreon or their mod page, which many antivirus would flag up.

Link to comment
5 hours ago, MrGrey said:

I installed S4CL just to run this privacy protector. Now WW carpet bombs the upper right hand corner indicator with last exception errors.

Turns out WW doesn't like S4CL. Just one Last Exception tho. Why would you even do that? And how did I get in the middle of this fight? All I want is to run my games. I should learn how to make my own dang animation run and write my own mods. This pettiness is absurd. (I guess it's big money tho)

 

To make it clear, wickedwhims has a feature for creating anonymous feedback directly from the game, so it needs a script to send what you write to a net page or something. It's not because a mod got flagged as malware by this mod that it's something wrong. Oops19 just likes participating in that unnecessary hunt hate about WW/DD. An attempt at least, guess it failed, too bad.

You don't need to download any of those privacy protector mods. Be more smart and don't download mods blindly. See if the author is verified, known, and active first. Self-awareness is more powerful than any tool or antivirus you can download.

Edited by Khlas
Link to comment
3 hours ago, Khlas said:

 

To make it clear, wickedwhims has a feature for creating anonymous feedback directly from the game, so it needs a script to send what you write to a net page or something. It's not because a mod got flagged as malware by this mod that it's something wrong. Oops19 just likes participating in that unnecessary hunt hate about WW/DD. An attempt at least, guess it failed, too bad.

You don't need to download any of those privacy protector mods. Be more smart and don't download mods blindly. See if the author is verified, known, and active first. Self-awareness is more powerful than any tool or antivirus you can download.

'See if the author is verified, known, and active first.' If you used the Privacy Protector you would have realized that authors of well-known mods have trackers in their mods.
I can tell you that DD and S4CL didn't and currently don't have trackers and also DD users may care about their privacy.

'to make it clear, wickedwhims has a feature for ...' was quite a good start. I'm not allowed to post things which would attack the author of this mod here so I will not post whether or not this mod contains a tracker which sends random information directly to the author of the mod every time you start the game. Reading my first sentence in the reply you may guess what I would have written here if I were allowed to.

'anonymous feedback' does not exist at all. I expect that people who open a browser page by clicking on a link know that they send their IP, location/city, operating system and version to the feedback page. If it is a public form on Google or Microsoft the requestor will get only some of this data.
If it's a privately hosted server then all data will be available and collected as no data protection policy exists. That's the case for most mods which add internet links. With a VPN one can at least hide the IP.

Edited by Oops19
Link to comment
8 hours ago, MrGrey said:

I installed S4CL just to run this privacy protector. Now WW carpet bombs the upper right hand corner indicator with last exception errors.

Turns out WW doesn't like S4CL. Just one Last Exception tho. Why would you even do that? And how did I get in the middle of this fight? All I want is to run my games. I should learn how to make my own dang animation run and write my own mods. This pettiness is absurd. (I guess it's big money tho)

I assume some eval() statements have been found, anyhow not the one used to run malware in the past. These will not be blocked anyway, so you may wonder why for god's sake eval() is used in this mod.
Maybe some more things like this have been found. They will all not be blocked by the scanner at all, even though you can be sure that they are evil:

!! Found 'FTP' in '\folder\mod.ts4script(file.pyc)': ['6remove)\x01\xda\x03FTP\xfa\x01|r@\x00\x00\', ...]

==> It's not clear what ftplib.FTP() command is executed, but for sure it's a tracker or malware downloader.

 

!! Found 'open' in '\folder\mod.ts4script(file.pyc)': ['1\x10\x01\xda\x16mc_open_url_in_browser)\x01', '\nwebbrowser\xda\x04open)\x03rq\x00\x00\x00r']

==> Opening a web site sends at least your IP to a server, often also the operating system is submitted. The request itself may contain other personal information as URL parameters.

 

!! Found 'urlopen' in '\folder\mod.ts4script(file.pyc)': ['eREQUEST_HEADERZ\x07urlopen\xda\x16_parse_versi'] 'urllib.request.urlopen()'

==> Yet another way to send private data to a server.

 

!! Found 'Request' in '\folder\mod.ts4script(file.pyc)': ['\xda\x07requestZ\x07Request\xda\x0eREQUEST_HEAD'] 'urllib.request.Request()'

==> Is also used in some mods with trackers.


I assume some calls have been blocked and if you look at the stack trace you may find something like this:

T:\InGame\Gameplay\Scripts\Core\sims4\commands.py#398 '' in 'invoke_command()'
...\privacy_protector_light\commands.py#95 'os.system(command)' in 'o19_debug_priv_shell()'
...\privacy_protector_light\privacy_protector_light.py#283 'O19PrivacyProtector.log_data('os.system', *args, **kwargs)' in 'o19_override_os_system()'
...\privacy_protector_light\privacy_protector_light.py#57 'thread_details = traceback.extract_stack(sys._current_frames()[thread.ident])' in 'log_data()'

Likely not initiated from the commands.py file (which may open a Powershell / Bash / Browser to ea.com and must be installed manually) but from a mod you have installed.
If it's `os.system()` you can be quite sure that the malware has already been downloaded and executed, unless it targets only Powershell and you're on a Mac.

Link to comment
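A sketch of the kind of static scan discussed above (the upload scanning suggested earlier in the thread and the `!! Found ...` output quoted in this post), as an added example that is not code from Privacy Protector or from any poster. It assumes a `.ts4script` file is a zip archive of `.pyc` files and that each name inside a `.pyc` is stored as a length byte followed by the name, which is what the quoted hits show (`\x03FTP`, `\x04open`, `\x07urlopen`); the sample archive is constructed.

```python
import io
import zipfile

# Names from the scanner output and posts above. A .pyc stores each name
# as <length byte><name>, e.g. b"\x07urlopen", so whole names can be matched.
NAMES = [b"FTP", b"open", b"urlopen", b"Request", b"system", b"eval"]
# File names reported in the first post of this thread.
KNOWN_BAD = {"sexanalmod.ts4script", "sexmodanalcumnz.ts4script"}


def find_all(blob, needle, context=10):
    """Return the bytes around every occurrence of needle in blob."""
    hits, pos = [], blob.find(needle)
    while pos != -1:
        hits.append(blob[max(0, pos - context): pos + len(needle) + context])
        pos = blob.find(needle, pos + 1)
    return hits


def scan_ts4script(filename, data):
    """Scan one archive given as bytes; return (member, finding, hits) tuples."""
    findings = []
    if filename.lower() in KNOWN_BAD:
        findings.append(("", "known-bad file name", []))
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [("", "not a zip archive", [])]
    with archive:
        for member in archive.namelist():
            if not member.lower().endswith(".pyc"):
                continue
            blob = archive.read(member)
            for name in NAMES:
                hits = find_all(blob, bytes([len(name)]) + name)
                if hits:
                    findings.append((member, name.decode(), hits))
    return findings


def build_sample():
    """Constructed archive: one .pyc-like member holding marshal-style names."""
    blob = (b"\xe3\x00\xda\x06urllib\xda\x07urlopen"
            b"\xda\x02os\xda\x06system\xda\x0bopen_window")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mod/file.pyc", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for member, what, hits in scan_ts4script("sample.ts4script", build_sample()):
        print(f"!! Found {what!r} in 'sample.ts4script({member})': {hits}")
```

Matching on the length byte keeps `open` from firing on `urlopen` or `open_window`; a hit only says the name is referenced, not what the call does with it.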

The patreon version of WW has a way to send feedback. So, that certainly opens a link to send something from in-game, which explains the open http commands that the PP found.  Is it really anonymous? I really don't care too much about that.  What I care about is that WW checks to see if there are competitor mods loaded and  S4CL is flagged thusly:



Last Exception assistant.png

And here's the feedback form; running the Lover's Lab version of WW. This would explain the "open http" that was discovered by Oops19's PP



[image: Sims4Screenshot2022_06.07-08_18_59_47.png]

Edited by MrGrey
Add another screenshot showing feedback form, and add spoilers cause Nvidia takes screen shots that are too dang big.
Link to comment
4 hours ago, Khaine2000DK said:

Probably be good to find out if it's actually malicious or not too, think sometimes antivirus tags things as being malware if it tries to establish a connection to outside. Which some mods do in order to let you use links to patreons or stuff like that for support, but could also not be the case. But definitely seen some mod stuff which does try to let you get an established link to stuff like patreon or their mod page, which many antivirus would flag up.

Technically it's easy to ask the user for consent to download and install a mod update from within TS4. If EA offered servers for mod uploads it would be implemented already. But the TS4 TOS don't allow this, no matter how good the intentions of the mod authors are. Privacy Protector should block such download (or data upload) requests. One could add an option for an allow-list to add mods and methods, while it would be safer for everyone if mod authors would simply not use such methods.

Link to comment
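How a runtime block with an allow-list, as described in the posts above (the `os.system` override visible in the stack trace and the allow-list option), can work in principle. This is an added example, not Privacy Protector's code; `ALLOW_LIST`, `guarded_system` and the other names are hypothetical.

```python
import os
import traceback

ALLOW_LIST = {"trusted_mod"}   # hypothetical: path fragments of callers allowed through
blocked = []                   # (function name, arguments, calling file) per blocked call
_original_system = os.system


def _caller_file():
    """File name of the code that called the guarded function."""
    stack = traceback.extract_stack()
    # stack[-1] is this helper, stack[-2] the guard, stack[-3] the real caller.
    return stack[-3].filename if len(stack) >= 3 else "<unknown>"


def guarded_system(command):
    """Drop-in for os.system: run only for allow-listed callers, log the rest."""
    caller = _caller_file()
    if any(fragment in caller for fragment in ALLOW_LIST):
        return _original_system(command)
    blocked.append(("os.system", command, caller))
    return 1   # non-zero status; the command was never started


def install():
    os.system = guarded_system


def uninstall():
    os.system = _original_system


def demo():
    """Constructed call standing in for a mod; returns (status, logged command)."""
    install()
    try:
        status = os.system("echo this-never-runs")
    finally:
        uninstall()
    return status, blocked[-1][1]
```

A hook like this only sees calls made after it is installed, and code that kept its own reference to the original function bypasses it, which is why the static scan and the runtime block complement each other.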
36 minutes ago, Oops19 said:

'See if the author is verified, known, and active first.' If you used the Privacy Protector you would have realized that authors of well-known mods have trackers in their mods.
I can tell you that DD and S4CL didn't and currently don't have trackers and also DD users may care about their privacy.

'to make it clear, wickedwhims has a feature for ...' was quite a good start. I'm not allowed to post things which would attack the author of this mod here so I will not post whether or not this mod contains a tracker which sends random information directly to the author of the mod every time you start the game. Reading my first sentence in the reply you may guess what I would have written here if I were allowed to.

'anonymous feedback' does not exist at all. I expect that people who open a browser page by clicking on a link know that they send their IP, location/city, operating system and version to the feedback page. If it is a public form on Google or Microsoft the requestor will get only some of this data.
If it's a privately hosted server then all data will be available and collected as no data protection policy exists. That's the case for most mods which add internet links. With a VPN one can at least hide the IP.

 

Sharing data is done everywhere on the net. It's not gathering data that is wrong, it's what kind of data is collected and how it's used that is important.

 

 

Edited by Khlas
Link to comment
2 minutes ago, MrGrey said:

So, that certainly opens a link to send something from in-game, which explains the open http commands that the PP found.  Is it really anonymous?

Of course it's not anonymous, it violates the TS4 TOS and maybe the EU GDPR. The mod author should remove such code to open a page without complaining.

Link to comment
5 minutes ago, Khlas said:

how it's used that is important. 

I would add that the data may (should) only be used with the user's consent.

A mod which uploads user data somewhere without any consent is something not all users want to have on my computer.
For me it's enough that EA collects tons of data, I don't need any other user/modder in the world who collects similar data.

Link to comment
4 hours ago, Khlas said:

 

You don't need to download any of those privacy protector mods. Be more smart and don't download mods blindly. See if the author is verified, known, and active first. Self-awareness is more powerful than any tool or antivirus you can download.

Your first sentence tells us to run mods blindly. The second sentence tells us not to download and use mods blindly. And who verifies mod authors? Both authors are known and active, Nutty is more on Vortex than here. Vortex does a virus check on mods it hosts. I just don't know what to do with your advice.

 

Competition in the mod market would be nice. I tried DD base mod, not into all the add-on packages, and didn't like it because it requires every NPC and PC to be bi and the author kind of suggested tough noogies if that's not your game, iirc.

Link to comment

Okay, the errors are reported by MCCC and not WW, which then dumps a file with just two lines:

Quote

[Jun-07-2022 08:02:03]Initializing MC Command Center version: 2022.2.0...
[Jun-07-2022 08:08:57]Initializing Zone Data...

Okay.... that was ... interesting. Maybe because it was from last night's game? it seems to start a new log, erasing the old log. So, I need a new error as these errors are 17 hours old

There are more than a dozen of the little orange warnings - which is kind of annoying.

 

[image: Sims4Screenshot2022_06.07-08_10_47_16.png]

Link to comment
30 minutes ago, Oops19 said:

I would add that the data may (should) only be used with the user's consent.

A mod which uploads user data somewhere without any consent is something not all users want to have on my computer.
For me it's enough that EA collects tons of data, I don't need any other user/modder in the world who collects similar data.

 

There's data that don't need the user's consent to be collected. Your opinion doesn't matter, it's how it works. I agree with you tho that it should ask consent for everything, but it can't work that way.

Edited by Khlas
Link to comment
18 minutes ago, Khlas said:

There's data that don't need the user's consent to be collected.

I don't know where you live, for some countries this is true.
Of course providers need to store data about access to their servers, but it's one thing to only store the data in case one needs them to track down a cyber attack and a completely different story to use this data as soon as it is available.

Link to comment

I don't think the goal of the mod is to harm WW. On the contrary, it makes this mod safer. If self alertness is mandatory for avoiding "bad mods", only a few modders make their python source code open. And it's quite hard for common folk to uncompile the code and detect any potential threat.

 

TD should have added in their config an option to allow/prevent data sharing (like EA does). And they should have informed people about what data they collect, for what usage and for how long they would keep it.

Edited by Gambit
Link to comment
