Discord malware

Re: Discord malware

Post by Ztranier » Sat Oct 26, 2019 12:30 pm

they got me also
can't even uninstall Discord
"If in doubt, ....flat out" Collin McRae

Potential Discord Malware fix

Post by 0verzeal0us » Sat Oct 26, 2019 8:05 pm

I've written a script that may fix the issue with Discord (I've not been infected so I can't say).

Download both files from https://1drv.ms/u/s!Altmhqse1obagQWFIlR ... J?e=Q8afm0 onto your Desktop. Simply run "Open PowerShell_ISE.bat" (as an administrator) and then press the green arrow to "play".

In short, the batch file opens the PowerShell script and then it deletes the index.js file from %AppData%\discord\ver\modules\discord_modules and then re-creates it with the correct code "module.exports = require('./discord_modules.node');"

For those who are interested, the contents of the files are

Open PowerShell_ISE.bat

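Code:

rem Read the Desktop folder from the registry; "call set" expands environment variables stored in the value
for /f "tokens=2*" %%a in ('REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Desktop' ) do call set "desktopPath=%%~b"
set "filePath=%desktopPath%\DiscordMalwareFix.ps1"
rem Open the script in the PowerShell ISE
PowerShell_Ise -file "%filePath%"

DiscordMalwareFix.ps1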

Code:

# Loads the assembly that provides [System.Windows.MessageBox] (already loaded inside the ISE)
Add-Type -AssemblyName PresentationFramework
$error.Clear()
try {
    # Creates temporary PowerShell access to HKCR - deleted at end of script
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
    # Gets the value of (default) in HKCR:\Discord\DefaultIcon\
    $discordRegVal = (Get-ItemProperty -Path 'HKCR:\Discord\DefaultIcon\').'(default)'
    # Gets app-versionnumber from discordRegVal
    $regAppVerVal = $discordRegVal.Split("\")[6]
    # Removes "app-" from regAppVerVal
    $appVer = $regAppVerVal.Replace("app-", "")
    # Folder in the user's roaming AppData that holds index.js ($env:APPDATA also works when the profile folder is not c:\users\<username>)
    $filePath = Join-Path $env:APPDATA ("discord\" + $appVer + "\modules\discord_modules")
    $fileName = Join-Path $filePath "index.js"
    $tempFileName = Join-Path $filePath "index.txt"
    # Deletes index.js
    Remove-Item $fileName
    # Creates index.txt populated with safe data, then renames it to index.js
    New-Item -Path $filePath -Name "index.txt" -ItemType "file" -Value "module.exports = require('./discord_modules.node');"
    Rename-Item $tempFileName $fileName
    # Deletes PowerShell access from HKCR
    Remove-PSDrive -Name HKCR
}
catch {
    $_
}
# $error is empty only if every step above succeeded
if ($error.Count -eq 0) {
    $messageBoxTitle = "Success!"
    $messageBoxBody = "The file "
    $messageBoxBody2 = " has been re-created!"
    $newLine = "`r`n"
    $question = "Open a browser for further information?"
    $messageBoxBodyFull1 = $messageBoxBody + $newLine + $fileName + $messageBoxBody2 + $newLine + $question
    # Yes/No buttons so that the "Yes" check below can actually match
    $MessageBoxResult = [System.Windows.MessageBox]::Show($messageBoxBodyFull1, $messageBoxTitle, [System.Windows.MessageBoxButton]::YesNo, [System.Windows.MessageBoxImage]::Question)
    if ($MessageBoxResult -eq "Yes") {
        Start-Process "https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/"
    }
}
else {
    $errorMessage = $error[0].Exception.GetType().FullName
    $messageBoxTitle = "Error"
    $question = "Open a browser for manual instructions?"
    $newLine = "`r`n"
    $messageBoxBodyFull2 = "Powershell Error:" + $newLine + $errorMessage + $newLine + $question
    $MessageBoxResult = [System.Windows.MessageBox]::Show($messageBoxBodyFull2, $messageBoxTitle, [System.Windows.MessageBoxButton]::YesNo, [System.Windows.MessageBoxImage]::Error)
    if ($MessageBoxResult -eq "Yes") {
        Start-Process "https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/"
    }
}
Last edited by 0verzeal0us on Sun Oct 27, 2019 11:11 am, edited 2 times in total.
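
Added example, not part of 0verzeal0us's script or of the original thread: a read-only PowerShell check that reports, for every Discord version folder under %AppData%, whether modules\discord_modules\index.js still holds only the one line quoted in the post, and records its hash and timestamp before anything is deleted. The function name Test-DiscordModuleIndex and the output field names are hypothetical; the folder layout and expected line are the ones given in the post above.

```powershell
# Added example: audits index.js without changing anything on disk.
function Test-DiscordModuleIndex {
    param(
        # Roaming Discord folder; one sub-folder per client version (assumed layout from the post)
        [string]$DiscordRoot = (Join-Path $env:APPDATA 'discord'),
        # The single line the post says a clean index.js contains
        [string]$Expected = "module.exports = require('./discord_modules.node');"
    )

    if (-not (Test-Path -LiteralPath $DiscordRoot)) {
        Write-Warning "Discord data folder not found: $DiscordRoot"
        return
    }

    Get-ChildItem -LiteralPath $DiscordRoot -Directory | ForEach-Object {
        $index = Join-Path $_.FullName 'modules\discord_modules\index.js'
        # Folders such as Cache have no modules sub-folder; skip them
        if (-not (Test-Path -LiteralPath $index)) { return }

        $item = Get-Item -LiteralPath $index
        $content = Get-Content -LiteralPath $index -Raw
        if ($null -eq $content) { $content = '' }   # -Raw yields $null for an empty file

        # Compare after trimming so a trailing newline does not count as a change
        $status = if ($content.Trim() -eq $Expected) { 'expected' } else { 'MODIFIED' }

        [pscustomobject]@{
            Version      = $_.Name
            Path         = $index
            Status       = $status
            SizeBytes    = $item.Length
            LastWriteUtc = $item.LastWriteTimeUtc
            SHA256       = (Get-FileHash -LiteralPath $index -Algorithm SHA256).Hash
        }
    }
}

# Show one record per version folder that contains an index.js
Test-DiscordModuleIndex | Format-List
```

Saving the output, and a copy of any file reported as MODIFIED, before running a clean-up keeps the evidence needed to work out when the change happened.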

Re: Discord malware

Post by 0verzeal0us » Sat Oct 26, 2019 8:06 pm

Not sure if this little script I've written will help @Ztranier. Let me know if it does :)

Re: Potential Discord Malware fix

Post by Ztranier » Sat Oct 26, 2019 8:58 pm

Thx Sel
"If in doubt, ....flat out" Collin McRae

Re: Discord malware

Post by Ztranier » Sat Oct 26, 2019 8:59 pm

going to give it a try tomorrow Zel
"If in doubt, ....flat out" Collin McRae

Re: Discord malware

Post by Projectblue » Sat Oct 26, 2019 10:28 pm

Thanks for doing that Zel, I've merged your thread here to keep it tidy.
"EBS was, and is always, a respected place to play because admin's don't take any shit and we don't dance around the axe. If it needs swinging, we will do it, without question."

Re: Discord malware

Post by Ztranier » Sun Oct 27, 2019 9:15 am

No @Zel I can't open that file in my OneDrive
and it appears that I can't play either Sandstorm or Squad because of the discord plugin
"If in doubt, ....flat out" Collin McRae

Re: Discord malware

Post by 0verzeal0us » Sun Oct 27, 2019 10:04 am

Can you download them and put them on your Desktop?

Thank you @Projectblue :)

Re: Discord malware

Post by 0verzeal0us » Sun Oct 27, 2019 10:09 am

Probably should have shared it 🤦🏻‍♂️. Sorry Z! Correct link is https://1drv.ms/u/s!Altmhqse1obagQWFIlR ... J?e=Q8afm0

I’ve updated the link above also.

Re: Discord malware

Post by Ztranier » Sun Oct 27, 2019 11:38 am

It doesn't work for me
I receive a message which says that C:\\Windows\.................\DiscordMalwareFix.ps1 cannot be opened, a part of the path cannot be found

Maybe because I manually tried to delete Discord
"If in doubt, ....flat out" Collin McRae
