Malicous Script Mods and Malware

by luthienrising
Reply

Original Post

Malicous Script Mods and Malware

[ Edited ]

NOTE: This early 2024 episode is no longer current, but this thread is left here for reference.

 


 

Beginning as early as mid-January 2024, we began seeing Sims 4 script mods with malicious executable .exe code hidden in them. 

 

The mods masqueraded as being from existing creators or from a brand-new creator with a name similar to an existing one. In one known case, it appears that a creator’s account was hacked to update the creator’s own mod page. These mods also presented themselves as being previously existing mods. (Mac users: Because this is .exe code, it won’t affect you, but may produce LEs.)

 

 

Mods known to have been compromised

 

If you have these mods, remove them:

  • "PimpMySims4" (impersonated) – Cult Mod – was on Mod the Sims 
  • MySims4 – "Social Events - Unlimited Time" – was on Curseforge
  • MSQSims (hacked) – on The Sims Resource, Feb. 5-8
    • Mood Cheat Menu
    • Motherlode Menu
    • Seasons Cheat Menu
    • Weather Forecast Cheat Menu
  • PlayersWonderland (hacked) – Mouth Preset N16 ts4script file – on The Sims Resource, removed Feb. 8
  • V1 of an adult mod, with a January file date – on LoversLab

NOTE: There may well be other compromised script mods out there. As they are found, they will be added to this list.

UPDATE: No other were found as of July 2024

 

 

 

How to check your system

 

To see if your system has been affected by the malicious code:

  1. select Windows-R
  2. In the window that opens, type this:

%AppData%\Microsoft\Internet Explorer\UserData

 

  1. In the folder that opens, look for files called Updater.exe and/or Main.exe.

 

 

If you are affected

 

If you had one of these files, assume that any sensitive data on your PC may be compromised and take the steps below:

  1. Clear your system for this specific virus. (See below.) This must be done FIRST.
  2. If you have the Discord app or a cryptocurrency wallet app, uninstall them. This is important if not obvious: Starting these can trigger an attempt to reinstall this malware.
  3. Change your passwords.
  4. Add two-factor authentication where available.
  5. If you had saved credit card or similar information to a web browser, remove it and find out from your financial institution (or other relevant site) what action to take next.
  6. Reinstall Discord and cryptocurrency wallet apps from fresh downloads.
  7. Learn more about keeping your data secure in the future: https://answers.ea.com/t5/EA-Services-General-Questions/Answers-HQ-Online-Security-Newsletter-Januar...

 

To clear your system:

  1. Download this fix created by Maxis mod-host partner Curseforge: SimsVirusCleaner
  2. Double-click the SimsVirusCleaner.exe file in your Downloads folder tor run it.
  3. This is a good time to run a general virus/malware scan on your computer.

 

 

 

More things to know

 

  • Mod “Updated” and “Cleared” news is currently delayed. When they return in full, there may be additional suggested steps.
  • Curseforge and The Sims Resource have updated their file screening for this method of malware inclusion.
  • Safest mods during this episode: The least likely mods to be affected by this are mods that are only .package files and mods uploaded by mod creators on Patreon or their own sites.
  • ts4script files: Most Sims 4 mods are not script mods and aren’t doing anything requiring a ts4script file. Those are needed by mods that affect gameplay. If you’re downloading CC, look for ts4script files. Do not put them in your Mods folder. Report the CC that included it.
  • downloaded folders: Assume that any folder containing a collection of mods might include a compromised mod containing code that can steal your passwords, your banking info, and much more. Do NOT download and install these collections. If you have done so at any time since mid-January, check your system.
  • New prevention/detection Sims 4 tool: TwistedMexi has released a tool called ModGuard.

 

 

 

 

NEW: Other Malware in "Mods"

 

[April 7, 2024] Malware via a mod that is downloaded as only a text file with a link.

 

Known cases:

  • "S4 CAS Tools" on Nexus from user fubruss (the real mod is on Mod the Sims, from the late CmarNYC, dated 18 March 2023)
  • “Loading Screen Randomizer” on Nexus from user fubruss (the real mod is on Mod the Sims, from Tesuto , dated 9 January 2024)

Do NOT follow the links in the text files. Do NOT download other files or follow links from this user. No legitimate mod download will EVER consist of only a text file (a file ending in .txt).  

 

If you downloaded either of these, delete them NOW and run a virus scan. NOTE: This malware does NOT require that you run the game for it to install itself, and is not what ModGuard is designed to detect and stop.

 

 

 

 

[updated July 23, 2024]

 

 

 


Sul sul!
I don't work for EA, and I don't do private support.
I do receive products from EA as part of the EA Creator Network.
Have you backed up your Saves? Checked for broken and updated mods/CC?
Message 1 of 10 (34,729 Views)

Re: [CURRENT ISSUE] Malicous Script Mods

[ Edited ]

NOTE: Updated February 8 to add recovery steps re. Discord and cryptocurrency wallets.

 

 

Further important updates will have added notes here so people subscribing to this post are messaged about them.

 

 

 

 


Sul sul!
I don't work for EA, and I don't do private support.
I do receive products from EA as part of the EA Creator Network.
Have you backed up your Saves? Checked for broken and updated mods/CC?
Message 2 of 10 (34,327 Views)

Re: [CURRENT ISSUE] Malicous Script Mods

[ Edited ]

February 9 updates

 

 

New Compromised Files

 

The Sims Resource, which will now be implementing new test measures, has checked all ts4script files uploaded in 2024 and identified three more compromised mods from hacked accounts:

 

  • MSQSims – Mood Cheat Menu – downloaded Feb. 5-8
  • MSQSims – Motherlode Menu – downloaded Feb. 5-8
  • PlayersWonderland – Mouth Preset N16 – ts4script file

Also identified:

 

  • V1 of an adult mod, with a January file date – uploaded at LoversLab


 

New Important Notes

 

  • ts4script files: Most Sims 4 mods are not script mods and aren’t doing anything requiring a ts4script file. Those are needed by mods that affect gameplay. If you’re downloading CC, look for ts4script files. Do not put them in your Mods folder. Report the CC that included it.
  • downloaded folders: Assume that any folder containing a collection of mods might include a compromised mod containing code that can steal your passwords, your banking info, and much more. Do NOT download and install these collections. If you have done so at any time since mid-January, check your system.

 

New Tool

 

  • TwistedMexi – ModGuard: Mod Malware Protectiondownload sources: Patreon (now), Curseforge (soon); NOTE: This tool has specific installation instructions. Follow them.
    • CURRENT VERSION: 1.5 - ts4script file date: 28 Feb. 2024, on Patreon, linked from TwistedMexi's website; not yet updated on Curseforge

This tool goes in your Mods folder and will do the following:

  • Detect and block common virus vectors  
  • Find the mod doing it
  • Notify you of the compromised mod
  • Notify TwistedMexi’s team of the compromised mod

TwistedMexi’s team can then inform others, and we can get the word out to everyone.

 

NOTE: Every tool like this has workarounds that a bad actor will find. This tool is NOT a replacement for using caution and skepticism when you download mods. It also does NOT provide broader protection; it is specific to Sims 4 mods.

 

 

[updated Feb. 28 for ModGuard v1.5]


Sul sul!
I don't work for EA, and I don't do private support.
I do receive products from EA as part of the EA Creator Network.
Have you backed up your Saves? Checked for broken and updated mods/CC?
Message 3 of 10 (32,094 Views)

Re: [CURRENT ISSUE] Malicous Script Mods

[ Edited ]

Feb. 10

 

 

UPDATED

  • TwistedMexi – ModGuard – critical update 1.1, Patreon, ts4script file dated 10 Feb. 2024 – additional virus vectors and other improvements – reminder: follow the installation instructions
    • QUICK UPDATE TO THAT: 1.1 is crashing on Macs, but it's less urgent for you.

 

 

Other Notes

MSQSims reports on her social media that Mood Cheat Menu and Motherlode Cheat Menu were taken down as extra precautions by The Sims Resource, not because they were compromised like the other two Cheat Menus (the ones she had cleared for patch 1.1040).  

IMPORTANT: I am NOT yet clearing these for the purpose of the compromised-mod list on p. 1.

 

 

 


Sul sul!
I don't work for EA, and I don't do private support.
I do receive products from EA as part of the EA Creator Network.
Have you backed up your Saves? Checked for broken and updated mods/CC?
Message 4 of 10 (28,794 Views)

Re: [CURRENT ISSUE] Malicous Script Mods

[ Edited ]

Feb. 11

 

 

UPDATED

  • TwistedMexi – ModGuard – v1.2, Patreon (not yet available on Curseforge), ts4script file dated 11 Feb. 2024 – Mac compatibility, additional virus vectors and other improvements – reminder: follow the installation instructions
  • ADDED NOTE:With 1.2, an "inconclusive" report is a false positive and not an indication of a compromised file

 

 


Sul sul!
I don't work for EA, and I don't do private support.
I do receive products from EA as part of the EA Creator Network.
Have you backed up your Saves? Checked for broken and updated mods/CC?
Message 5 of 10 (26,475 Views)

Re: [CURRENT ISSUE] Malicous Script Mods

Feb. 12

 

Updated

  • TwistedMexi – ModGuard – v1.3, Patreon (not yet available on Curseforge), ts4script file dated 12 Feb. 2024 – "inconclusive" fixed

 

 


Sul sul!
I don't work for EA, and I don't do private support.
I do receive products from EA as part of the EA Creator Network.
Have you backed up your Saves? Checked for broken and updated mods/CC?
Message 6 of 10 (26,188 Views)

Re: [CURRENT ISSUE] Malicous Script Mods

Feb. 12

 

Updated

  • TwistedMexi – ModGuard – v1.4, Patreon (not yet available on Curseforge), ts4script file dated 12 Feb. 2024 – for fewer false positives

 

 


Sul sul!
I don't work for EA, and I don't do private support.
I do receive products from EA as part of the EA Creator Network.
Have you backed up your Saves? Checked for broken and updated mods/CC?
Message 7 of 10 (25,691 Views)

Re: [CURRENT ISSUE] Malicous Script Mods

Feb. 28

 

Updated

  • TwistedMexi – ModGuard – v1.5, Patreon (not yet available on Curseforge), ts4script file dated 28 Feb. 2024 – for better patch compatibility

Sul sul!
I don't work for EA, and I don't do private support.
I do receive products from EA as part of the EA Creator Network.
Have you backed up your Saves? Checked for broken and updated mods/CC?
Message 8 of 10 (20,192 Views)

Re: [CURRENT ISSUE] Malicous Script Mods

[ Edited ]

Apr. 7: NEW THREAT

 

 

NEW: Malware via a mod that is downloaded as only a text file that contains a link.

 

Known cases:

  • "S4 CAS Tools" on Nexus from user fubruss (the real mod is on Mod the Sims, from the late CmarNYC, dated 18 March 2023)
  • “Loading Screen Randomizer” on Nexus from user fubruss (the real mod is on Mod the Sims, from Tesuto , dated 9 January 2024)

Do NOT follow the links in the text files. Do NOT download other files or follow links from this user. No legitimate mod download will EVER consist of only a text file (a file ending in .txt).

 

If you downloaded either of these, delete them NOW and run a virus scan. NOTE: This malware does NOT require that you run the game for it to install itself, and is not what ModGuard is designed to detect and stop.

 

 

 

 


Sul sul!
I don't work for EA, and I don't do private support.
I do receive products from EA as part of the EA Creator Network.
Have you backed up your Saves? Checked for broken and updated mods/CC?
Message 9 of 10 (14,940 Views)

Re: [CURRENT ISSUE] Malicous Script Mods

July 24: Updated the main post to reflect that this isn't a current issue but could still be useful info later.


Sul sul!
I don't work for EA, and I don't do private support.
I do receive products from EA as part of the EA Creator Network.
Have you backed up your Saves? Checked for broken and updated mods/CC?
Message 10 of 10 (5,263 Views)
sims-all-characters

Want more Sims?

Check out our Sims forums for tutorials and all things Sims.

View more

ts4-promo

Having trouble connecting to your game?

Try these steps first to clear up any problems you may have when connecting to an EA game.

Troubleshoot and test your connection

ts4-promo

Forget your EA Account ID or password?

Reset, update, or link your account information.

View More on EA Help