Win32/Gleamaster.A

[Senzorei 3]

NOTE: You can skip the wall of text if you want to get to the important part. So, this morning ESET found a virus on my PC (first detection 8/11/2014) Win32/Gleamaster.A . I know how I got this and how it affected me (IDK about anyone else). So I was playing CS 1.6 on international servers and I somehow had this weird thing; several of the game's configuration files were getting replaced (or were in use) constantly. It bugged me since pretty much all the unused buttons were bound to connect you to a*l*e*m*s*e*s.*r* (domain) so I just blocked write access for myself to the affected files. This morning, when I booted up, NOD 32 detected some threat in %appdata% (%currentuser%\appdata\Roaming\glister) so I decided to investigate. Made a copy in my personal quarantine folder. There were 4 files in total - acfg_options , nvm , ucfg_options (all with no extension) and nvm.dll (which I can't recover anymore since I deleted it and all of the copies are gone from the present and previous versions (system restore) folders) and it's the threat that got detected in the first place. The DLL was ran under regsvr32.exe and I thought that regsvr32 appearing in the tskmgr was nothing to raise the red flags for since something might have changed in an update. What I did with the files is I tried giving them a text extension and running them sandboxed - to my surprise they opened. And looked at the contents.

acfg_options.txt (guessing this to be short for "autoexecconfig_options")

frequency=10

timeout=30020

command=Connect allnetmaster.org:27015

nvm.txt

C:\Users\%currentuser%\Desktop\Stuff\Games\Counter-Strike 1.6

ucfg_options.txt (guessing this to be short for "userconfig_options")

frequency=10

timeout=30020

command=Connect allnetmaster.org:27015

 

I made this thread so people know some specifics about the virus, since virusradar has literally no info on this threat.

What it does is it replaces some of the game files (2 *.cfg and 1 *.res file) so you get your unbinded keys bound to connect commands so you keep getting unwillingly connected to their servers. More of a PUP, nothing serious, but what people should know about nonetheless. EDIT: The md5 hash of the nvm.dll is "dc265339e77d4cb0ef6ecbd9da3cf758" Virustotal: https://www.virustotal.com/en/file/e086c75a691a779eda52a82406ca9ed1f4d6c6ab4eca973e64226a0148d708b6/analysis/1415523880/

Edited November 9, 2014 by Senzorei

[Void 4]

Hi,did you experiance any wierd IE or Firefox or Chrome windows opening up when you join servers?
This is caused by motd which apparently is used for advertisements when entering servers.
Motd may open a link which would be used to download malware.
When going to certain servers which aren't from hostings you can trust this may happen.
Try google-ing this:HLProtector R05 Final or something similar.

If you need more help or can't find it reply and I'll post a link.

[Senzorei 3]

I'm not exactly sure, as it happened almost 2 years ago. But that's probably the cause of this case. P.S. found another file linked to this somewhere in ProgramData (that points to the old directory of a Half-Life installation) I think (cleaning up computer =) )

Edited December 16, 2014 by Senzorei