Discord malware


Moderators: Admiral of the Fleet, Vice Admiral

Ztranier
Posts: 822
Joined: Tue Oct 23, 2018 7:14 pm
Location: Düsseldorf/ Germoney

Re: Discord malware

Post by Ztranier » Sat Oct 26, 2019 12:30 pm

they got me also
can't even uninstall Discord
"If in doubt, ....flat out" Collin McRae

0v3rz34l0u5
Posts: 709
Joined: Tue Oct 23, 2018 8:29 pm
Location: Hertfordshire

Potential Discord Malware fix

Post by 0v3rz34l0u5 » Sat Oct 26, 2019 8:05 pm

I've written a script that may fix the issue with Discord (I've not been infected so I can't say).

Download both files from https://1drv.ms/u/s!Altmhqse1obagQWFIlR ... J?e=Q8afm0 onto your Desktop. Simply run "Open PowerShell_ISE.bat" (as an administrator) and then press the green arrow to "play".

In short, the batch file opens the PowerShell script and then it deletes the index.js file from %AppData%\discord\ver\modules\discord_modules and then re-creates it with the correct code "module.exports = require('./discord_modules.node');"

For those who are interested, the contents of the files are

Open PowerShell_ISE.bat

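Code:

rem Reads the Desktop folder from the registry; "call set" expands environment variables stored in the REG_EXPAND_SZ value
for /f "tokens=2*" %%a in ('REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop' ) do call set "desktopPath=%%~b"
set "filePath=%desktopPath%\DiscordMalwareFix.ps1"
rem Opens the script in PowerShell ISE
PowerShell_Ise -file "%filePath%"

DiscordMalwareFix.ps1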

Code:

#Loads WPF so that [System.Windows.MessageBox] is also available outside PowerShell ISE
Add-Type -AssemblyName PresentationFramework
$error.clear()
try {
    #Creates temporary PowerShell access to HKCR - deleted at end of script
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
    #Gets the value of (default) in HKCR:\Discord\DefaultIcon\
    $discordRegVal = (Get-ItemProperty -path 'HKCR:\Discord\DefaultIcon\').'(default)'
    #Gets app-versionnumber from discordRegVal
    $regAppVerVal = $discordRegVal.split("\")[6]
    #Removes "app-" from regAppVerVal
    $appVer = $regAppVerVal.replace("app-","")
    #Dynamic variable so that index.js can be deleted from the user's AppData
    $fileName = "c:\users\" + $env:UserName + "\AppData\Roaming\discord\" + $appVer + "\modules\discord_modules\index.js"
    #Deletes index.js
    Remove-Item $fileName
    #Dynamic variable so that index.txt can be created
    $filePath = "c:\users\" + $env:UserName + "\AppData\Roaming\discord\" + $appVer + "\modules\discord_modules"
    $tempFileName = "c:\users\" + $env:UserName + "\AppData\Roaming\discord\" + $appVer + "\modules\discord_modules\index.txt"
    #Populates index.txt with safe data
    New-Item -Path $filePath -Name "index.txt" -ItemType "file" -Value "module.exports = require('./discord_modules.node');"
    Rename-Item $tempFileName $fileName
    #Deletes PowerShell access from HKCR
    Remove-PSDrive -Name HKCR
}
catch {
    $_
}
#Success only if no error (terminating or not) was recorded
if ($error.Count -eq 0) {
    $messageBoxTitle = "Success!"
    $messageBoxBody = "The file "
    $messageBoxBody2 = " has been re-created!"
    $newLine = "`r`n"
    $question = "Open a browser for further information?"
    $messageBoxBodyFull1 = $messageBoxBody + $newLine + $fileName + $messageBoxBody2 + $newLine + $question
    #YesNo buttons so that the "Yes" check below can match
    $MessageBoxResult = [System.Windows.MessageBox]::Show($messageBoxBodyFull1,$messageBoxTitle,[System.Windows.MessageBoxButton]::YesNo,[System.Windows.MessageBoxImage]::Question)
    if ($MessageBoxResult -eq "Yes") {
        Start-Process "https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/"
    }
}
else {
    $errorMessage = $error[0].Exception.GetType().FullName
    $messageBoxBodyFull = ""
    $messageBoxTitle = "Error"
    $question = "Open a browser for manual instructions?"
    $newLine = "`r`n"
    $messageBoxBodyFull2 = "Powershell Error:" + $newLine + $errorMessage + $newLine + $question
    $MessageBoxResult = [System.Windows.MessageBox]::Show($messageBoxBodyFull2,$messageBoxTitle,[System.Windows.MessageBoxButton]::YesNo,[System.Windows.MessageBoxImage]::Error)
    if ($MessageBoxResult -eq "Yes") {
        Start-Process "https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/"
    }
}
Last edited by 0v3rz34l0u5 on Sun Oct 27, 2019 11:11 am, edited 2 times in total.
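
A read-only check for the condition the script above repairs, added here as an example and not part of 0v3rz34l0u5's post or script: it compares the discord_modules\index.js of every version folder with the one-line content quoted in the post and reports anything else found in the file. The function name, the version-folder pattern and the demo tree (versions 0.0.1 and 0.0.2, and the extra line) are assumptions constructed for illustration.

```powershell
# Added example: read-only audit of discord_modules\index.js in every version folder.
# $Expected is the one-line content quoted in the post above.
$Expected = "module.exports = require('./discord_modules.node');"

function Test-DiscordModuleIndex {
    param(
        # Folder that holds the per-version folders (layout taken from the post)
        [string]$DiscordRoot = (Join-Path $env:APPDATA 'discord')
    )
    # Assumption: version folders are named like 0.0.305 (the "app-" prefix removed)
    Get-ChildItem -LiteralPath $DiscordRoot -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+(\.\d+)+$' } |
        ForEach-Object {
            $index = Join-Path $_.FullName 'modules\discord_modules\index.js'
            if (-not (Test-Path -LiteralPath $index)) {
                return [pscustomobject]@{ Version = $_.Name; Status = 'Missing'; ExtraLines = @(); Sha256 = $null; Path = $index }
            }
            # Compare trimmed, non-blank lines so line endings and a trailing newline do not matter
            $lines = @(Get-Content -LiteralPath $index | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $extra = @($lines | Where-Object { $_ -ne $Expected })
            $status = if ($extra.Count -eq 0 -and $lines.Count -eq 1) { 'Clean' } else { 'Modified' }
            [pscustomobject]@{
                Version = $_.Name; Status = $status; ExtraLines = $extra
                Sha256 = (Get-FileHash -LiteralPath $index -Algorithm SHA256).Hash; Path = $index
            }
        }
}

# Constructed demo input: a temporary tree with one clean and one altered index.js
$demo = Join-Path ([IO.Path]::GetTempPath()) ("discord-demo-" + [guid]::NewGuid())
foreach ($v in '0.0.1', '0.0.2') {
    New-Item -ItemType Directory -Force -Path (Join-Path $demo "$v\modules\discord_modules") | Out-Null
}
Set-Content -LiteralPath (Join-Path $demo '0.0.1\modules\discord_modules\index.js') -Value $Expected
Set-Content -LiteralPath (Join-Path $demo '0.0.2\modules\discord_modules\index.js') -Value $Expected, "require('./constructed_extra.js'); // placeholder for appended code"
Test-DiscordModuleIndex -DiscordRoot $demo | Format-List Version, Status, ExtraLines, Sha256
Remove-Item -LiteralPath $demo -Recurse -Force
```

Calling Test-DiscordModuleIndex with no arguments checks the real %AppData%\discord folder; it changes nothing, so it can be run before and after the fix to compare results.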

0v3rz34l0u5
Posts: 709
Joined: Tue Oct 23, 2018 8:29 pm
Location: Hertfordshire

Re: Discord malware

Post by 0v3rz34l0u5 » Sat Oct 26, 2019 8:06 pm

Not sure if this little script I've written will help @Ztranier. Let me know if it does :)

Ztranier
Posts: 822
Joined: Tue Oct 23, 2018 7:14 pm
Location: Düsseldorf/ Germoney

Re: Potential Discord Malware fix

Post by Ztranier » Sat Oct 26, 2019 8:58 pm

Thx Sel
"If in doubt, ....flat out" Collin McRae

Ztranier
Posts: 822
Joined: Tue Oct 23, 2018 7:14 pm
Location: Düsseldorf/ Germoney

Re: Discord malware

Post by Ztranier » Sat Oct 26, 2019 8:59 pm

going to give it a try tomorrow Zel
"If in doubt, ....flat out" Collin McRae

Projectblue
Posts: 252
Joined: Thu Oct 25, 2018 7:57 pm

Re: Discord malware

Post by Projectblue » Sat Oct 26, 2019 10:28 pm

Thanks for doing that Zel, I've merged your thread here to keep it tidy.
"The day may dawn when fair play, love for one’s fellow-men, respect for justice and freedom, will enable tormented generations to march forth serene and triumphant from the hideous epoch in which we have to dwell. Meanwhile, never flinch, never weary, never despair."

Ztranier
Posts: 822
Joined: Tue Oct 23, 2018 7:14 pm
Location: Düsseldorf/ Germoney

Re: Discord malware

Post by Ztranier » Sun Oct 27, 2019 9:15 am

No @Zel, I can't open that file in my OneDrive
and it appears that I can't play neither Sandstorm nor Squad because of the Discord plugin
"If in doubt, ....flat out" Collin McRae

0v3rz34l0u5
Posts: 709
Joined: Tue Oct 23, 2018 8:29 pm
Location: Hertfordshire

Re: Discord malware

Post by 0v3rz34l0u5 » Sun Oct 27, 2019 10:04 am

Can you download them and put them on your Desktop?

Thank you @Projectblue :)

0v3rz34l0u5
Posts: 709
Joined: Tue Oct 23, 2018 8:29 pm
Location: Hertfordshire

Re: Discord malware

Post by 0v3rz34l0u5 » Sun Oct 27, 2019 10:09 am

Probably should have shared it 🤦🏻‍♂️. Sorry Z! Correct link is https://1drv.ms/u/s!Altmhqse1obagQWFIlR ... J?e=Q8afm0

I’ve updated the link above also.

Ztranier
Posts: 822
Joined: Tue Oct 23, 2018 7:14 pm
Location: Düsseldorf/ Germoney

Re: Discord malware

Post by Ztranier » Sun Oct 27, 2019 11:38 am

It doesn't work for me
I receive a message which says that C:\\Windows\.................\DiscordMalwareFix.ps1 cannot be opened, a part of the path cannot be found

Maybe because I manually tried to delete Discord
"If in doubt, ....flat out" Collin McRae
