Funny how noobs want to show off their trojans and cover them up as a "cheat". We have another one here.
Now this one is a bit personal, since it's my site's TF2 cheat he's using as bait to get people.
Let's download it and see what's inside:
First of all, when it's downloaded, it comes up on my computer as a trojan. And not as a false positive or a generic trojan detection, either.
That's enough for me to see that this is a fake. Also, it seems he is using Kalvin's VDC: Darkstorm as a cover, so it appears to be a real cheat. But it's not.
The file structure inside shows that the settings.ini file is from our original release date, but the exe's date is recent (a few days ago).
Well, let's have fun and reverse and hex-dump his program:
Code:
<Module>
TF2.Hack.by.fr33l4nc3r.exe
Program
Stealer
SteamErrorCode
SteamDecryptDataForThisMachine
mscorlib
System
[..]
email
ftp
encryptFile
deleteExe
MessageBox
On our first look at the 'cheat' we find, right off the bat, what this really is: a Program Stealer. Bad, and it goes after your Steam data. Then...
Quote:
Repeat
del
if exist + goto Repeat
rmdir
del del.bat  \del.bat  wireshark
)Software\Valve\Steam  SteamPath  /\\Steam.dll  =SteamDecryptDataForThisMachine  1\config\SteamAppData.vdf  User  )\ClientRegistry.blob
Phrase  {Possible Usernames:
------------------------------------------
==========================================
Gespeicherte Passwoerter:
w
==========================================
.log  Mftp://ftp.razerreckless.ra.funpic.de//STOR  razerreckless  lalaland  AUpload File Complete, status {0}
Let's take this one thing at a time. First comes a self-deleting batch script (the Repeat / del / if exist ... goto Repeat / rmdir / del del.bat loop) and a reference to wireshark, a well-known packet sniffer, presumably so it can check for or get rid of it. Then, as you see, it locates your Steam install through the SteamPath value under Software\Valve\Steam, loads Steam.dll and calls SteamDecryptDataForThisMachine against config\SteamAppData.vdf and ClientRegistry.blob, which is how it decrypts your saved username and password. "Gespeicherte Passwoerter" is German for "Saved passwords", so the log it writes lists possible usernames and saved passwords.
Then it uploads that .log to his FTP server with a STOR command (the "Upload File Complete, status {0}" message is the standard .NET FtpWebRequest upload sample, lifted as-is). Razerreckless gives us his FTP user and password in the clear, so why don't we go and hack his FTP back, in order to get back the Steam accounts he stole?
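Why the dump above reads the way it does, and how to pull the same indicators out of the binary properly: these strings live in the .NET user-string (#US) heap, where every entry is a compressed length byte, the UTF-16LE text and one terminal byte. A plain ASCII strings dump shows the zero high byte of each character as a space and the length byte as a stray printable character, which is exactly the ")" before Software\Valve\Steam, the "=" before SteamDecryptDataForThisMachine, the "1" before \config\SteamAppData.vdf and the "A" before Upload File Complete. The script below is an added example (my own code, not the poster's tooling and not the malware): it builds a sample heap from strings modelled on the dump, with the FTP host replaced by a placeholder and the credentials left out, walks it the way a real parser would, and tags the strings that give the stealer away.

```python
"""Decode a .NET user-string (#US) heap and flag stealer indicators.

Added example, not the original post's tooling.  #US entry layout (ECMA-335
II.24.2.4): compressed length (payload bytes + 1), UTF-16LE payload, 1 terminal
byte.  Offset 0 of the heap is always a single 0x00 (the empty blob).
"""
from __future__ import annotations

import re


def encode_compressed_uint(value: int) -> bytes:
    """ECMA-335 II.23.2 compressed unsigned integer (1, 2 or 4 bytes)."""
    if value < 0x80:
        return bytes([value])
    if value < 0x4000:
        return bytes([0x80 | (value >> 8), value & 0xFF])
    if value < 0x2000_0000:
        return bytes([0xC0 | (value >> 24), (value >> 16) & 0xFF,
                      (value >> 8) & 0xFF, value & 0xFF])
    raise ValueError("value too large for a compressed integer")


def decode_compressed_uint(data: bytes, pos: int) -> tuple[int, int]:
    """Return (value, position just after the integer)."""
    b0 = data[pos]
    if b0 & 0x80 == 0:
        return b0, pos + 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | data[pos + 1], pos + 2
    if b0 & 0xE0 == 0xC0:
        value = ((b0 & 0x1F) << 24) | (data[pos + 1] << 16) | (data[pos + 2] << 8) | data[pos + 3]
        return value, pos + 4
    raise ValueError(f"invalid compressed integer at offset {pos:#x}")


def build_us_heap(strings: list[str]) -> bytes:
    """Construct a #US heap from Python strings (only used to make sample data)."""
    heap = bytearray(b"\x00")  # the mandatory empty blob at offset 0
    for text in strings:
        payload = text.encode("utf-16-le")
        terminal = 1 if any(ord(c) > 0x7F for c in text) else 0  # simplified terminal-byte rule
        heap += encode_compressed_uint(len(payload) + 1) + payload + bytes([terminal])
    return bytes(heap)


def parse_us_heap(heap: bytes) -> list[tuple[int, int, str]]:
    """Walk the heap and return (offset, first length byte, text) for every entry."""
    entries = []
    pos = 1  # skip the empty blob
    while pos < len(heap):
        blob_len, start = decode_compressed_uint(heap, pos)
        if blob_len == 0:  # zero padding at the end of the heap
            pos = start
            continue
        if blob_len % 2 == 0:  # n code units * 2 + 1 terminal byte is always odd
            raise ValueError(f"malformed #US entry at offset {pos:#x}: even length {blob_len}")
        end = start + blob_len
        if end > len(heap):
            raise ValueError(f"truncated #US entry at offset {pos:#x}")
        text = heap[start:end - 1].decode("utf-16-le", errors="replace")
        entries.append((pos, heap[pos], text))
        pos = end
    return entries


def prefix_char(text: str) -> str | None:
    """The stray character an ASCII strings dump shows in front of an entry, if printable."""
    n = len(text.encode("utf-16-le")) + 1
    return chr(n) if 0x20 <= n < 0x7F else None


# Indicator patterns taken from the strings quoted in the post.
INDICATORS = {
    "steam-credential-theft": re.compile(
        r"SteamDecryptDataForThisMachine|ClientRegistry\.blob|SteamAppData\.vdf|Software\\Valve\\Steam", re.I),
    "self-delete-batch": re.compile(r"del\.bat|\bif exist\b|\bgoto\b|\brmdir\b|^del\b", re.I),
    "ftp-exfil": re.compile(r"^ftp://|^STOR\b|Upload File Complete", re.I),
    "anti-analysis": re.compile(r"wireshark", re.I),
    "loot-report": re.compile(r"Possible Usernames|Passwoerter", re.I),
}


def classify(entries: list[tuple[int, int, str]]) -> dict[str, list[str]]:
    """Map each indicator tag to the strings that triggered it, in heap order."""
    hits: dict[str, list[str]] = {}
    for _, _, text in entries:
        for tag, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.setdefault(tag, []).append(text)
    return hits


# Constructed sample modelled on the dump; the FTP host is a placeholder and the
# FTP credentials are deliberately omitted.
SAMPLE_STRINGS = [
    "Repeat", "del ", "if exist ", " goto Repeat", "rmdir ", "del del.bat", "\\del.bat",
    "wireshark",
    "Software\\Valve\\Steam", "SteamPath", "\\Steam.dll", "SteamDecryptDataForThisMachine",
    "\\config\\SteamAppData.vdf", "User", "\\ClientRegistry.blob",
    "Possible Usernames:", "Gespeicherte Passwoerter:",
    "ftp://ftp.example.invalid/", "STOR", "Upload File Complete, status {0}",
]

if __name__ == "__main__":
    parsed = parse_us_heap(build_us_heap(SAMPLE_STRINGS))
    for offset, length_byte, text in parsed:
        print(f"{offset:#06x} len={length_byte:#04x} dump-prefix={prefix_char(text) or '.'!r} {text!r}")
    for tag, texts in classify(parsed).items():
        print(f"{tag}: {texts}")
```

On a real sample you would feed parse_us_heap the #US stream pulled out of the CLI metadata (any PE parser that exposes the stream headers will give you its offset and size) rather than a constructed heap; the classifier is the same either way, and the self-delete, Steam decrypt and FTP STOR strings together are a much stronger tell than any single one.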
Let's also upload this to a professional sandbox, ThreatExpert, which classifies it as Trojan-GameThief.MSIL (http://www.threatexpert.com/threats/...hief-msil.html) and gives us useful information about the generic properties of this trojan and where it drops itself. Code:
Trojan-GameThief.MSIL [Ikarus] is known to be created as:
%System%\ylwokis09.exe
c:\aaaaaa.exe
OK, let's get to the part where we fix our own computers from the damage he did:
We'll have to remove the created files it left behind. After that, use HijackThis to find anything else it may have left, then clean your system with a good AV, such as NOD32 or BitDefender.
Make sure you change your Steam password (and any other password you reused) from another, uninfected computer, since the stolen credentials have already been uploaded by the time the exe is cleaned off.