Malware in certain Mods – What we know
Introduction
Currently there are some mods circulating that contain malware within the script file (.ts4script). If you run the game with one of these mods installed, an .exe file is run without your knowledge. Once this happens, a large amount of data is stolen from your internet browser (Chrome, Edge, Opera, Firefox and more are all affected), Discord, Steam, Telegram, and certain crypto wallets.
The mods come from popular upload sites (MTS, TSR, Curseforge, Loverslab) and have either been uploaded through accounts that are very similar to those of known modders or through hacked accounts.
The FAQ below will help you determine if you are affected and what to do.
FAQ
The following list is not exhaustive. These are the mods we know are currently affected. It’s likely that there are more.
All these mods have been taken down from the respective sites and additional security measures are being put in place.
The TSR uploads have been replaced with the original, non-harmful mods. MTS, CurseForge and Loverslab have removed the mods and suspended the accounts.
- “Cult Mod v2” uploaded to ModTheSims by PimpMySims (impostor account)
- “Social Events – Unlimited Time” uploaded to CurseForge by MySims4 (single-use account)
- “Weather and Forecast Cheat Menu” uploaded to The Sims Resource by MSQSIMS (hacked, real account)
- “Seasons Cheats Menu” uploaded to The Sims Resource by MSQSIMS (hacked, real account)
- “Motherlode Menu” uploaded to The Sims Resource by MSQSIMS (hacked, real account)
- “Mood Cheat Menu” uploaded to The Sims Resource by MSQSIMS (hacked, real account)
- “Mouth Preset N16” uploaded to The Sims Resource by PlayersWonderland (hacked, real account)
- “Cult Sex Mod V1” from LoversLab
As far as we know, they have been around since the middle of January 2024.
Only Windows-based systems are affected because the malicious file is an .exe file that targets a Windows folder. Mac and Linux are safe.
Windows installs on those operating systems will be affected but it’s unlikely that the host OS is also compromised.
It’s best to install TwistedMexi’s ModGuard anyway so you are informed if you have the mod on your system. Delete it immediately even if you aren’t directly affected.
Follow these steps to find out if the malware is installed on your computer:
- Open the Run box by pressing the Windows key + R
- Enter %AppData%/Microsoft/Internet Explorer/UserData in the text prompt
- Click OK
- This will open the folder used by the malware
- You are affected if you have either Updater.exe or main.exe in that folder.
It’s currently unclear if the malware is able to hide by deleting these files after use.
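The same check as a PowerShell script, added here as an example and not taken from the original page or from any of the tools it mentions. The function name is made up for illustration; the folder and the two file names are the ones given in the steps above. It also records size, timestamps and a SHA-256 hash so you can pass exact details to helpers, and an empty result only means the files are not there right now.

```powershell
# Added example: looks for the two file names listed above in the folder the malware uses.
function Get-SimsMalwareIndicator {
    param(
        # %AppData% is the current user's roaming profile folder.
        [string]$Folder = (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\UserData'),
        [string[]]$Names = @('Updater.exe', 'main.exe')
    )

    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        Write-Host "Folder not found: $Folder"
        return
    }

    # -Force includes hidden and system files, which Explorer may not show.
    Get-ChildItem -LiteralPath $Folder -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |    # -contains ignores upper/lower case
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $_.FullName
                SizeBytes = $_.Length
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                # Hash is left empty if the file is locked by a running process.
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}

$hits = @(Get-SimsMalwareIndicator)
if ($hits.Count -gt 0) {
    $hits | Format-List
    Write-Host 'Indicator file(s) found: follow the steps for affected users.'
} else {
    Write-Host 'Neither file is present in that folder right now.'
}
```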
Please follow these steps in this order if you are affected:
- Clean your system
- If you have either the Discord app or a cryptocurrency wallet on your system, uninstall it, re-download the software and reinstall it. The malware binds itself to those programs and can reinstall itself when those programs are executed.
- Change your passwords (use a different, strong password for each account)
- Add 2-factor-authentication to any account that offers it.
- Contact your bank or financial institution if you have credit card or account data saved in your browser and tell them that your cards/account may have been compromised and discuss how to proceed further.
Overwolf has created a program to clean the malware from your computer. This program also works if you have downloaded the malware outside of CurseForge.
- Download the exe file of SimsVirusCleaner.
- Double-click on the exe file to execute.
- You will then be informed about the results.
- Also run a virus/malware check on your computer.
TwistedMexi has created an Anti-Hack Mod that recognizes potentially dangerous mods and prevents them from running. This is a must-have mod if you regularly download mods. It’s a script mod that you need to put in your mods folder. Only download it from his Patreon site or his CurseForge account.
Things you need to be aware of when downloading mods/cc
- Be wary of lists that inform about mod updates.
- Download only from safe sites
- Look closely at the user names. Are they really who they claim to be?
- Files that end in .ts4script are NOT part of tuning mods or cc. If a mod isn’t declared as script mod, it should not contain any of these files.
- If a mod has been updated, read the update notes. Avoid the mod if there’s no info as to why it was updated, and try to find more information.
- Never ever download a whole mods folder from somewhere. This wasn’t a good idea before all this happened and now it’s downright dangerous.
- Download mods from the creator’s site and not through third-party sites.
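To see which script files are actually sitting in your Mods folder, the following PowerShell inventory lists every .ts4script file with the folder it lives in. It is an added example, not part of the original page or of ModGuard. The function name, the default English-language Mods path and the 2024-01-15 cut-off (standing in for "the middle of January 2024") are assumptions; the flag is a review aid only and does not detect malware.

```powershell
# Added example: inventory of .ts4script files so each one can be matched to a mod
# that is actually declared as a script mod.
function Get-ScriptModInventory {
    param(
        # Assumption: default location for an English-language install.
        [string]$ModsFolder = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Electronic Arts\The Sims 4\Mods'),
        # Constructed cut-off standing in for "the middle of January 2024".
        [datetime]$Since = '2024-01-15'
    )

    if (-not (Test-Path -LiteralPath $ModsFolder -PathType Container)) {
        Write-Warning "Mods folder not found: $ModsFolder"
        return
    }

    Get-ChildItem -LiteralPath $ModsFolder -Recurse -File -Force -Filter '*.ts4script' |
        ForEach-Object {
            [pscustomobject]@{
                Mod         = $_.Directory.Name     # folder the script file sits in
                File        = $_.Name
                # CreationTime is when the file was written to this disk.
                OnDisk      = $_.CreationTime
                SinceCutoff = ($_.CreationTime -ge $Since)
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Sort-Object OnDisk -Descending
}

# Newest files first; review any script file you cannot match to a declared script mod.
Get-ScriptModInventory | Format-Table -AutoSize
```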
General security tips
- Add 2-factor-authentication to any account that offers it.
- Use a different password for every account. A password manager can help manage those. This prevents the hacker from getting access to all your accounts if they hack one.
- Do not save passwords in your browser. It’s better to use a password manager.
- Do not save credit card information and account data in your browser.
- Use strong passwords.
The best help can be found in the Sims After Dark Discord.
If you don’t want to use Discord, you can ask at AHQ.
Normally I would put credits in the side bar but this information and these tools are work done by many parties. I want to thank the community as a whole for coming together and spreading the word and trying to keep everyone safe.
Times like these show that we all pull together although there is always drama and fights going on.
I do want to thank these people especially:
- The modders/helpers at SimsAfterDark: For just everything.
- anadius for decompiling the files and finding out what the malware does.
- Overwolf for creating a cleaner too.
- TwistedMexi for creating a malware guard.