Important Update Regarding Network Addon Mod 48 on ModDB | Potential Security Issue

[Ulisse Wolf 4,412]

Security Breach

On October 4, 2024, a hacker hacked the NAM Team account of ModDB by uploading a version of NAM 48 that contains a trojan virus

Version 48.1 was uploaded to ModDB where the hacker modified the bat file that automated the installation of the 4GB Patch and automatically started the NAM java installer. A link to a version.cpl file was inserted in the bat file code, which is the main vector of the Trojan virus infecting your computer.

Only thanks to a report today we have discovered the security incident and are acting quickly as well as performing investigations on how it was possible and future actions to be taken

The mode of attack is very similar to the security incident that occurred in Cities Skylines 2 and so we are thinking that the affected users may be those who have cryptocurrency but we cannot confirm this until fully investigated.

The affected users are all people who have downloaded to Simtropolis and ModDB and use Windows and Linux  as their operating system. We recommend actively running antivirus scans if you consider you have been infected and possibly changing passwords as well as enabling 2FA on your accounts

Preliminary analysis

We examined the file version.cpl using Virus Total which identifies us that it is a trojan and you can see the results here

https://www.virustotal.com/gui/file/b5c1be38f385ea14b012d91c161ecaefd1ccc7baecd98b180cd98de318f4ceb3

We also examined the NetworkAddonMod_Setup_Version48.bat of the infected version using Virus Total

https://www.virustotal.com/gui/file/8c6588bd909d1d11eb1f4ccd0d7d1babbb759e1fd2d56725bd80836657b39d57

In addition, ModDB's security system was found to be ineffective in preventing this problem

Mitigation Damage

Currently the Simtropolis download of NAM 48 has been redirected to the SC4E version.

NAM lite version is safe. They did not require corrective action

We have suspended our collaboration with NAM Team and ModDB indefinitely. We will re-evaluate this decision when we feel that the security of ModDB is much improved

Results of investigation

Currently, the NAM Team is investigating the malicious nature of the file and is working with the ModDB Team to reoslvere the problem and the security flaws that were found

The ModDB Team is investigating how this cyber attack could happen.

We will update this Thread based on the results of our investigations.

 

Frequently Asked Questions

• I downloaded the file to ModDB / Simtropolis before October 4. Am I infected?

From our analysis, those who downloaded the file before Oct. 4 are safe from infection

• I downloaded the file to ModDB / Simtropolis after October 4. Am I infected?

Unfortunately, yes. From our initial analysis, the virus activates if NetworkAddonMod_Setup_Version48.bat is run.

• I ran NetworkAddonMod_Setup_Version48.bat from the infected download. What should I do?

We recommend running an antivirus scan on your computer. If you feel that the antivirus scan does not meet your expectations then you should perform a clean reinstallation of your operating system. Only after you feel confident can you perform the Password change procedure and enable 2FA on your accounts

• I downloaded NAM Lite from ModDB. Am I infected as well?

No. The hacker only modified the full version of NAM. We have done some verification and the NAM Lite version is safe

• Is the SC4Evermore version also inffect?

The SC4Evermore version of NAM is secure, since access to file upload procedures has controlled access and only authorized persons can do so

• I have Linux and downloaded the file from ModDB. Am I infected as well?

Yes

• I have MacOS and downloaded the file from ModDB. Am I infected as well?

From our initial analysis the virus is only compatible with Windows and Linux environments so it should not activate on macOS but for all evidence we recommend running an antivirus check and changing passwords to your accounts and enabling 2FA

• I am an expert in cybersecurity. Can I access the offending file to perform an analysis?

The policy of SC4Evermore and Simtropolis is not to host viruses on our sites. The NAM Team has a copy of the infected version so if you want to run analysis you can come to the SC4Evermore discord server and contact the Admins

• When do you report the results of the investigation?

Forensic investigations take time. When we have concluded the investigation we will communicate the result

• I am using SC4Multiplayer (SC4MP). Am I infected as well?

If you are only using the client you are not infected while those who host the server may be infected with the Trojan virus so we recommend that you run an antivirus check

A troubleshooting flow chart made by @Kurzov22 is available. Please be advised that this flow chart is to be considered temporary as investigations are ongoing

Tarkus' blog is also reporting on this security incident

https://simtarkus.wordpress.com/2024/11/27/security-threat-alert-NAM-removed-from-moddb-after-hacker-inserts-malware/

[kschmidt 6,164]

Checked, it´s long befor October 4, 2024 downloaded and extracted using JAR extension manually ! This shows how funarable scripss are compaired to exe distributions. Their would be chaois if a the Commen Dependecy Pack would be affected. I never trust scrips always do manual extraction !

[axxxel_v 4]

I have the same problem,can access the site only mobile

[Ulisse Wolf 4,412]

34 minutes ago, vetram said:

Today i have problem opening simtropolis ..a meessage apear telling access forbitten !  This hsppens till now from morning! Do you know anything,?

 

6 minutes ago, axxxel_v said:

I have the same problem,can access the site only mobile

This is a simtropolis problem and is not related to this security incident.

For technical issues related to simtropolis you need to post here

 

[ohdude 2,353]

Following @Kurzov22 troubleshooting flow chart: Why after checking the quarantine section and whether it has a file (version.cpl) is my device still infected? Is not supposed that the antivirus isolated the file and the OS keep going well? I mean, after receiving the antivirus warning and the consecuent file isolation, I ran Windows defender antivirus and Bitdefender antivirus, both for virus system scan, and no virus was found.

 

Other question. In the following screenshot, it appears that other security vendors analysis found other virus. My Bitdefender antivirus detected Trojan.GenericKD.74637016. That mean I was infected by the other which bitdefender didn't find?

Thanks in advance!

[Ulisse Wolf 4,412]

1 minute ago, ohdude said:

Why after checking the quarantine section and whether it has a file (version.cpl) is my device still infected? Is not supposed that the antivirus isolated the file and the OS keep going well? I mean, after receiving the antivirus warning and the consecuent file isolation, I ran Windows defender antivirus and Bitdefender antivirus, both for virus system scan, and no virus was found.

 

Other question. In the following screenshot, it appears that other security vendors analysis found other virus. My Bitdefender antivirus detected Trojan.GenericKD.74637016. That mean I was infected by the other which bitdefender didn't find?

Thanks in advance!

Investigations are ongoing. We still don't know what the virus actually does. Until we know we cannot answer all the questions.

What we can say is to run the antivirus check and as a last solution, we recommend that you perform a clean reinstallation of the operating system as well as change passwords and enable 2FA in your accounts

 

[Kurzov22 18]

1 hour ago, ohdude said:

Why after checking the quarantine section and whether it has a file (version.cpl) is my device still infected?

It's a malicious Control Panel menu, given the file extension, so it might have a way to stick around. Maybe it infects other files, maybe it doesn't. It's still being looked into, so it's safer to instruct folks to still treat the fact that the file was quarantined as "You were infected and should take precautions to secure your data" since we aren't sure about the capabilities of the malware yet.

Quote

Trojan.GenericKD.74637016

That is basically just a generic "The AV doesn't know what malware it exactly is, but it's probably malware" detection, on BitDefender's part. Something called heuristic scanning. Different virus scanners take heuristics into account in different ways, which explains the differences on the VirusTotal page.

[vetram 221]

i think i found it using Windows Defender and scan NetworkAddonMod_Setup_Version48.1.zip folder . is it Trojan:Win64/Shelood.MBXY!MTB ? 

Windows Defender reports that its status is failed  and the thread might not be completely remediated ...what do you suggest  next to do?

[Kurzov22 18]

5 hours ago, vetram said:

i think i found it using Windows Defender and scan NetworkAddonMod_Setup_Version48.1.zip folder . is it Trojan:Win64/Shelood.MBXY!MTB ? 

Windows Defender reports that its status is failed  and the thread might not be completely remediated ...what do you suggest  next to do?

That's the one. Delete/Remove it.

[crazychrisffm 38]

I had to download the infected version and when sorting my downloads I had strange graphic glitches when touching the file.
Luckily I hadn't installed it yet, which I think is necessary to get infected if it's an executable (please correct me if I'm wrong).
Full Defender and Malwarebytes scans didn't find anything either. I also searched for the .cpl with UltraSearch and also found nothing.

Hopefully no serious problems (as with CS2) have occurred.

Thanks to the Simtropolis team for the info and keeping this page up. My heart was already bleeding when I wanted to return to LEX after years.

To the malicious person who did this: Karma gets everyone.

[IL. 1,043]

I advice everyone who work with their computers and like to play modded games and who like to play multiplayer games over online LAN with programs like GameRanger to use a seperate computer for gaming and use it only for gaming to avoid any potential problems, so even when that compter gets viruses or hacked you won't risk loosing important files, that's what I started doing after getting hit by a ransomware once, thankfully I always keep my work backed up but I still lost 2 months of work that I didn't backup. 

[smf_16 1,835]

19 hours ago, Ulisse Wolf said:

we recommend that you perform a clean reinstallation of the operating system

I was thinking, I'm still on Windows 10 but I am able to upgrade to Windows 11. I guess upgrading to Windows 11 also counts as a clean reinstallation of the operating system, right? I was going to do it anyway in the coming months, so might as well do it now if it helps.

[Kurzov22 18]

2 minutes ago, smf_16 said:

I was thinking, I'm still on Windows 10 but I am able to upgrade to Windows 11. I guess upgrading to Windows 11 also counts as a clean reinstallation of the operating system, right? I was going to do it anyway in the coming months, so might as well do it now if it helps.

Yeah. Just make sure you select the regular install, not "Upgrade" (as that option will keep your files intact, afaik) 

[marshkie 4]

I encountered this nearly two weeks ago while trying to install the mod for the first time. In retrospect I should've brought it up here as well instead of only on the discord server.

[LordKane 2]

19 hours ago, IL. said:

I advice everyone who work with their computers and like to play modded games and who like to play multiplayer games over online LAN with programs like GameRanger to use a seperate computer for gaming and use it only for gaming to avoid any potential problems, so even when that compter gets viruses or hacked you won't risk loosing important files, that's what I started doing after getting hit by a ransomware once, thankfully I always keep my work backed up but I still lost 2 months of work that I didn't backup. 

thats good advice in a sense but not for the financially impaired like myself. 

 

On 2024-11-27 at 5:42 PM, Kurzov22 said:

It's a malicious Control Panel menu, given the file extension, so it might have a way to stick around. Maybe it infects other files, maybe it doesn't. It's still being looked into, so it's safer to instruct folks to still treat the fact that the file was quarantined as "You were infected and should take precautions to secure your data" since we aren't sure about the capabilities of the malware yet.

That is basically just a generic "The AV doesn't know what malware it exactly is, but it's probably malware" detection, on BitDefender's part. Something called heuristic scanning. Different virus scanners take heuristics into account in different ways, which explains the differences on the VirusTotal page.

any updates at all? I hit my system with a quick scan with defender and a malware bytes scan and nothing is found  I really rather not have to reinstall windows as I dont have the capability to do that right this minute. 

 

 

Fxxk it: I went full bore both barrels called in an air strike too. Even though a virus scan by windows defender AND malwarebytes turned up CLEAN I checked to sadly see I had archived the infected 48.1 zip to my back up drive and my portable SSD they are gone now and I REALLY HOPE this thing doesn't randomly infect files across drives or from the zip, I bloody fxxking REPARITIONED MY WINDOWS DRIVE so it should be gone if I was infected, then I removed the zips from external SSD and back up drive, I just finished resetting passwords from my chromebook. 

I really hope this doesn't infect other files or hides in the bio/uefi or usb thumb drives or whatever. I pray to the almighty it doesn't. 

  Edited November 29, 2024 by LordKane  

[mindaugas 18]

Scanned the NAM folder in my downloads and plugins with MS defender and reported clean. I checked the NAM folder I extracted and saw version.cpl. Then I right clicked to edit the bat to find out if the link was in there and version.cpl disappeared. Nothing reported in MS defender. I'm doing a full scan now and will try another AV. 

Anyone else seen version.cpl disappear on its own? Is there a legit version.cpl?

[mindaugas 18]

18 hours ago, smf_16 said:

I was thinking, I'm still on Windows 10 but I am able to upgrade to Windows 11. I guess upgrading to Windows 11 also counts as a clean reinstallation of the operating system, right? I was going to do it anyway in the coming months, so might as well do it now if it helps.

No, that's not a clean install. Clean means formatting your storage and running win 11 install from a USB stick. Google windows 11 installation media and you'll find MS installer that will format a USB stick for you. Youtube should have some tutorials on a clean install.

[mindaugas 18]

26 minutes ago, mindaugas said:

Scanned the NAM folder in my downloads and plugins with MS defender and reported clean. I checked the NAM folder I extracted and saw version.cpl. Then I right clicked to edit the bat to find out if the link was in there and version.cpl disappeared. Nothing reported in MS defender. I'm doing a full scan now and will try another AV. 

Anyone else seen version.cpl disappear on its own? Is there a legit version.cpl?

nm, sneaky defender found it when I touched the folder and removed it but didn't pop up a notification. Despite it being severe. I found it under protection history ... Pretty sure I used the jar file to install but better safe than sorry. Guess I'm formatting and reinstalling windows. 

Btw, I searched my history in chrome for moddb and found I downloaded on Oct 9th. My download link still works as well, so moddb hasn't completely removed NAM files. 

If you use your MS account to sign in to the PC you're playing SC4 on, change your password. And ALL your passwords to EVERY account you have. Along with formatting and reinstalling windows. Google shelood trojan for more info. 

[Kurzov22 18]

23 minutes ago, mindaugas said:

Anyone else seen version.cpl disappear on its own? Is there a legit version.cpl?

That was probably your AV finding the file and throwing it out.

As for the latter question: As far as I'm aware, there is no such thing. The "About Windows" dialog, where you'd find what version of Windows your computer is running, is seen in a system application by the name of winver.exe - not a control panel menu.

23 minutes ago, mindaugas said:

No, that's not a clean install. Clean means formatting your storage and running win 11 install from a USB stick. Google windows 11 installation media and you'll find MS installer that will format a USB stick for you. Youtube should have some tutorials on a clean install.

To avoid confusing others: The Windows setup gives you two options when you are installing Windows: "Custom" and "Upgrade".

"Custom" is the "install from scratch" option, and it's the one folks looking to do a clean install should pick. The "Custom" option will bring you to a drive selection page. When you get to this menu, you should see a couple of buttons above the list of drive(s) you have on your computer, like "New", "Format", and so on. Make sure you click FORMAT on the drive that had your previous install of Windows - for most folks, the drive you're looking for will be labeled as "WINDOWS", "DISK 0", or "C:". If you forget to do this, I believe the setup goes ahead and reformats the drive for you, if you select the drive that already has Windows installed on it.

"Upgrade" keeps your files and (some) settings intact and upgrades/reinstalls Windows (e.g. from 10 to 11). Don't pick this option if you want to do a clean install, even if you're upgrading from Windows 10 to 11. If you're booting off a burned DVD or a USB drive, it shouldn't let you pick "Upgrade" (as it requires you to have already booted into Windows).

 

During the install process Windows will ask you for a product key. If your computer case didn't come with a product key sticker on it, or if you lost it, go ahead and select the "I don't have a product key" option.

After that, it'll give you a list of different "editions" (such as "Home", Professional", and so on) to pick from. If you've put in your product key, it should just have a few options, possibly only one. If you didn't put in a product key, it'll have a lot of options. Make sure you select the edition of Windows that matches the edition of Windows you had on your previous install (doubly so, if you're upgrading from Windows 10 to Windows 11). If given the option between a "Windows 10/11 [edition]" and "Windows 10/11 [edition] N", pick the one without the letter N at the end. 

If you don't know what edition you have, it should say in that "About Windows" dialog I mentioned earlier (though, of course, check *before* you format the drive). If you had a properly licensed and activated installation of Windows on your old install, it should go ahead and carry over to the new install.

[rsc204 21,808]

On 28/11/2024 at 1:42 AM, Kurzov22 said:

It's safer to instruct folks to still treat the fact that the file was quarantined as "You were infected and should take precautions to secure your data" since we aren't sure about the capabilities of the malware yet.

Sadly this is the reality. The only way right now to be certain that this threat has been removed from your system is to make a fresh installation of Windows including a full format of the OS drive.

• If your AV caught the problem, i.e. told you about it BEFORE you ran the BAT file, then it being quarantined is probably OK.
• If your AV allowed you to download, extract and run the infected file without any warnings, you can't trust it to remove it entirely from your system either.

The information on Virus Total is frankly very generic, to really understand what any virus does, you need someone who understands these things to investigate. It could simply be that deleting all instances of the file known to be malicious, version.cpl, is enough to remove the problem from your system. However, many viruses once they have been ran, will start to self-replicate and modify things like the registry and boot related files to ensure it starts with Windows. Given that a .cpl file is a control panel applet, it in theory has access to the underlying system if you run it.

However it is important to understand the difference between having an infected file on one of your drives and having actually allowed it to access the system (run). Provided you have not ran the .BAT file inside the NAM Download, nor directly the .CPL file, then all that is required is to delete all instances of these files from your machine. Frankly, I'd delete the entire .zip and any files from that package and download an official version instead. Likewise if you have the virus on a disk other than your OS/System disk, just delete the files from them.

Only in the case that you have ran the modified .BAT file or Version.CPL directly, will your system be compromised. However, if you can not be 100% sure that this didn't happen, again the only 100% safe solution is a complete format and clean install of your system drive (Windows). I know it sucks, but right now we can't rule out that having been ran, that it hasn't created/downloaded other malware or compromised the security of your system.

[vetram 221]

1 hour ago, rsc204 said:

• If your AV caught the problem, i.e. told you about it BEFORE you ran the BAT file, then it being quarantined is probably OK.
• If your AV allowed you to download, extract and run the infected file without any warnings, you can't it to remove it entirely from your system either.

Unfortunately , if i remember well i belong in the second case... Using Windows Defender in Windows 10 i received the exactly same message as @mindaugas  mentioned above..Status:Quarantined....  i looked for a way to delete it , but it seems i couldnt !... finally i used Norton 360 Standard edition  and i had better luck with it as delete it finally ! ..

Also , i have a second new laptop with Windows 11  ( which i bought recently)  to which i had also download (or copied and past i dont remember) the same infected NAM file...!   in fact i dont remember if i run the modified .BAT file or Version.CPL....  i checked it with Windows Defender and i received the same message ...the difference was that this time windows 11 let me take the action to delete it !  ..i read somewhere that windows 11 has the ability to delete it , but windows 10 cannot..

i stayed somehow calm after deleting it , since i read this...

2 hours ago, rsc204 said:

the only 100% safe solution is a complete format and clean install of your system drive (Windows).

do you have any suggestion ? ...

Thanx Antonis 

 

 

[Sniffeh 121]

The last version I installed was "NetworkAddonMod_Setup_Version48.1." I patched the exe with the 4GB fix and then ran "NetworkAddonMod_Setup_Version48," which is a JAR file. So, I should be safe, correct?

[scses956 0]

I just downloaded NAM 48 on the SC4Evermore site (Nov 30).  I put the individual files through Virus Total and the 4gb_patch file according to Virus Total says: Trojan.Kryptik@AI.94

I read that the Evermore version shouldn't be affected, does this mean that it is affected now or is the virus scanner being too sensitive?

[Ulisse Wolf 4,412]

1 hour ago, scses956 said:

I just downloaded NAM 48 on the SC4Evermore site (Nov 30).  I put the individual files through Virus Total and the 4gb_patch file according to Virus Total says: Trojan.Kryptik@AI.94

I read that the Evermore version shouldn't be affected, does this mean that it is affected now or is the virus scanner being too sensitive?

False positive. Rising flags any exe as possible threats

[memo 1,444]

10 hours ago, scses956 said:

I just downloaded NAM 48 on the SC4Evermore site (Nov 30).  I put the individual files through Virus Total and the 4gb_patch file according to Virus Total says: Trojan.Kryptik@AI.94

I read that the Evermore version shouldn't be affected, does this mean that it is affected now or is the virus scanner being too sensitive?

The 4gb_patch.exe is the exact same file that can be downloaded from the developer's website (archive including checksums). This can be verified by computing a hash value, for example:

SHA1 = a9cf666e845cd8448259aa50bb4f5b559ca9c053  4gb_patch.exe

The file hasn't been modified since at least 2011.

[Propfam 2,288]

19 hours ago, Sniffeh said:

The last version I installed was "NetworkAddonMod_Setup_Version48.1." I patched the exe with the 4GB fix and then ran "NetworkAddonMod_Setup_Version48," which is a JAR file. So, I should be safe, correct?

If you just run it from a zip file and only run the jar (and exe in your context) like I do, it should be safe. I tried this way in my bro's laptop and after scanning with Windows Defender offline scan, it says the PC is clean. The problem is if you're running the .bat file (dunno about the sh, it should be fine too, if you're on Linux/Mac ofc). Tho I think there's a huge possibility that the jar can be infected (cough log4j and Fractureiser), but fortunately in this case, it's fine, as far as we know.

Btw, should we report this incident to security YouTubers like Eric Parker or PC Security Channel?

[rsc204 21,808]

18 hours ago, vetram said:

Unfortunately , if i remember well i belong in the second case... Using Windows Defender in Windows 10 i received the exactly same message as @mindaugas  mentioned above..Status:Quarantined....  i looked for a way to delete it , but it seems i couldnt !... finally i used Norton 360 Standard edition  and i had better luck with it as delete it finally ! ..

A quarantined file is not allowed to run on your system, Defender will ultimately delete the file automatically. I think there is a way to force this, either way seems like Norton took care of it. The problem here is did your AV software stop the Malware from running?, since we can't say for certain, it's safest to assume it did not.

But your basic problem is that on both machines you can not be certain the Trojan has not been ran, ergo simply deleting the files may not be sufficient. Until we have very specific data that shows exactly what the malicious code actually does, the safe solution is to assume the worst. Of course it may turn out later that this was not necessary, but right now we just don't know and the question you have to ask yourself is are you willing to take the risk? Likewise password changes for ideally all your accounts, but at the very least anything financial related and Windows itself is the best practice in this scenario.

21 hours ago, Sniffeh said:

The last version I installed was "NetworkAddonMod_Setup_Version48.1." I patched the exe with the 4GB fix and then ran "NetworkAddonMod_Setup_Version48," which is a JAR file. So, I should be safe, correct?

Provided you never ran either the .BAT or .CPL file and can be certain of that, simply deleting the files is sufficient.

1 hour ago, Jidan said:

ITho I think there's a huge possibility that the jar can be infected (cough log4j and Fractureiser), but fortunately in this case, it's fine, as far as we know.

It is possible to release modified versions of literally any file, but we know for certain, because you can compare the File Hashes, that this was not done as part of this incident.

[Sniffeh 121]

8 hours ago, Jidan said:

If you just run it from a zip file and only run the jar (and exe in your context) like I do, it should be safe. I tried this way in my bro's laptop and after scanning with Windows Defender offline scan, it says the PC is clean. The problem is if you're running the .bat file (dunno about the sh, it should be fine too, if you're on Linux/Mac ofc). Tho I think there's a huge possibility that the jar can be infected (cough log4j and Fractureiser), but fortunately in this case, it's fine, as far as we know.

Btw, should we report this incident to security YouTubers like Eric Parker or PC Security Channel?

I always extract it into a folder before using it. I didn’t think much of it because I’ve been relying on NAM since version 40, and I’ve never had any problems with files from them. However, I just ran adwcleaner and Malwarebytes, and they both found a PUP on my computer. Btw, Malwarebytes says there is Malware in SC4mapper. 

[sonofsim 6]

terrifying hope the people responsible are held accountable

[Wiimeiser 444]

What's going to happen with the ModDB page in the future? There might be people who only downloaded from there.

6 hours ago, sonofsim said:

terrifying hope the people responsible are held accountable

If you mean the hackers, good luck with that; unless it involves piracy or state secrets the authorities likely won't bother.

 

11 hours ago, Sniffeh said:

Btw, Malwarebytes says there is Malware in SC4mapper. 

Probably because it's an obscure application with the ability to create and delete files in Documents subfolders.