
Sonic Gather Battle

From Malware Wiki

This page contains either a download link to the malware or is a malicious website that is still active. Malware Wiki shall bear NO responsibility for any damage that you may cause to your machine by running the download or going to the site.

Sonic Gather Battle
[Image: sonic gather battle drm effects.png]
Type: Trojan
Creator: Leemena Dan
Date: 2009
Origin: Taiwan
Platform: Microsoft Windows
File Type: Win32 PE executable (.EXE)
Alias(es): SONICvsLF2, SGB
MD5: ca221b0fe03c1f0a756aaadd55e1cc43
SHA-1: eab2f40b927ec6b39e9b7e4eae7e9eda17732e0c
SHA-256: e965eb4458f4ca18270a3aa59a9aebc2847f6b065556d21a9bdb9fea07f12d45
SSDEEP: 3145728:vFyhINvfiE4dQw4zhQSGYBuzqVNF1OFZhckc8fHK2duv5B0oi9s4hQWzwwM+rzTW:T4yPQSGY8zqVn4FZvS2MxMs4+MbRSAA
Authentihash: e57cc3da547f752e4ef89181fe0ca3fc10f3264b81950430a04419f8442d6fad
IMPhash: 027ea80e8125c6dda271246922d4c3b0

Sonic Gather Battle is a Sonic The Hedgehog fan game for Microsoft Windows made by Leemena-dan that contains a trojan. Not all of its effects are currently known, but it contains DRM that performs malicious actions on affected computers and makes the game itself unplayable. The game's creator apparently put the malicious code into the game to prevent people from ripping sprites from it; despite his attempts, the sprites were ripped anyway and posted on the internet.

A 2014 version of the game was stated to have no malicious content, although it still needed administrative privileges to run. That version reportedly only creates a UCF-10 log file in the driver folder.

The game itself is a fighting game, running off the Little Fighter 2 engine. It originally existed under the name SONICvsLF2, and had no malicious effects at this point in time. SONICvsLF2 in its original state was canceled after sprites were ripped from it, but it was later revived under the name Sonic Gather Battle. The game was discovered to have malicious effects in December 2017, though it may have had this behavior all the way back in 2016 without it being discovered.

Payload

The game requires administrative permissions to run, which is unusual for a fan-made game. These permissions are apparently required to fix a crash at the game's loading screen, though many still find this suspicious given the game's other behaviors. The game will not run without an internet connection (according to one YouTube commenter's own experience, which is consistent with the network behavior described below).

When installed, the game secretly opens whatsmyip.org and sends the resulting IP address to a server the game is connected to, which the creator can use to remotely disable the game. It also reads the user's Google history, and it creates a file called "b.dll", reads it, and immediately deletes it, although the game's creator claims that this does not happen. It also edits the computer's registry and some small files, which the creator says is "not completely done by the game" and is at least partly Windows automatically storing information. The game also apparently makes an API call for raw hard disk access, which is currently believed to be used to detect whether tools such as hex editors or cheat engines are installed on the computer. The developer claims that the game does not scan installed files or registry keys; none of this has been confirmed or refuted.
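The indicators in this paragraph (connection to whatsmyip.org, a b.dll that is written and deleted within seconds, registry writes, and the elevated process described above) together with the file hashes in the infobox are what a defender would turn into a detection. The following script is an added example, not code from the wiki or from the game's author: it checks a file's contents against the infobox hashes and runs a simple behavioral rule over a constructed, simplified Sysmon-like event list. The event shape, process ids, paths and the registry key are assumptions made up for the example; only the hash values and the behaviors come from the page.

```python
import hashlib
import ntpath
from collections import defaultdict
from datetime import datetime

# Hash values copied from the infobox (the page's own indicators).
KNOWN_HASHES = {
    "md5": "ca221b0fe03c1f0a756aaadd55e1cc43",
    "sha1": "eab2f40b927ec6b39e9b7e4eae7e9eda17732e0c",
    "sha256": "e965eb4458f4ca18270a3aa59a9aebc2847f6b065556d21a9bdb9fea07f12d45",
}

# Behavioral indicators taken from the description of the game.
IP_LOOKUP_HOSTS = {"whatsmyip.org"}
TRANSIENT_FILE = "b.dll"

# Constructed sample telemetry in a simplified, hypothetical Sysmon-like shape.
SAMPLE_EVENTS = [
    {"ts": "2017-12-10T20:00:01", "event": "ProcessCreate", "pid": 4120,
     "image": r"C:\Games\SGB\sgb.exe", "integrity": "High"},
    {"ts": "2017-12-10T20:00:02", "event": "NetworkConnect", "pid": 4120,
     "dest_host": "whatsmyip.org", "dest_port": 80},
    {"ts": "2017-12-10T20:00:03", "event": "FileCreate", "pid": 4120,
     "path": r"C:\Games\SGB\b.dll"},
    {"ts": "2017-12-10T20:00:03", "event": "FileDelete", "pid": 4120,
     "path": r"C:\Games\SGB\b.dll"},
    {"ts": "2017-12-10T20:00:05", "event": "RegistrySetValue", "pid": 4120,
     "key": r"HKCU\Software\PLACEHOLDER_KEY"},  # constructed placeholder key
    # A benign process for contrast: no indicators, should not be reported.
    {"ts": "2017-12-10T20:05:00", "event": "ProcessCreate", "pid": 5000,
     "image": r"C:\Windows\notepad.exe", "integrity": "Medium"},
    {"ts": "2017-12-10T20:05:01", "event": "NetworkConnect", "pid": 5000,
     "dest_host": "example.com", "dest_port": 443},
]


def hash_matches(data: bytes) -> dict:
    """Compare file contents against the listed MD5 / SHA-1 / SHA-256 values."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return {name: digests[name] == known for name, known in KNOWN_HASHES.items()}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _is_transient_file(event):
    return ntpath.basename(event.get("path", "")).lower() == TRANSIENT_FILE


def find_suspicious(events, window_seconds=5):
    """Group events by pid and report which described behaviors each process
    showed. Only processes with at least one indicator are returned."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=_ts)
        indicators = set()
        image = next((e["image"] for e in evs if e["event"] == "ProcessCreate"), "?")

        for e in evs:
            if e["event"] == "ProcessCreate" and e.get("integrity") == "High":
                indicators.add("elevated_process")
            if e["event"] == "NetworkConnect" and e.get("dest_host") in IP_LOOKUP_HOSTS:
                indicators.add("ip_lookup_service")
            if e["event"] == "RegistrySetValue":
                indicators.add("registry_write")

        # b.dll created and deleted again by the same process within the window.
        creates = [e for e in evs if e["event"] == "FileCreate" and _is_transient_file(e)]
        deletes = [e for e in evs if e["event"] == "FileDelete" and _is_transient_file(e)]
        if any(0 <= (_ts(d) - _ts(c)).total_seconds() <= window_seconds
               for c in creates for d in deletes):
            indicators.add("transient_dll")

        if indicators:
            findings.append({"pid": pid, "image": image, "indicators": sorted(indicators)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["pid"], f["image"], ", ".join(f["indicators"]))
    print(hash_matches(b"constructed sample bytes"))
```

Each indicator on its own is weak (many legitimate programs write to the registry or run elevated), so the rule reports the set of indicators per process rather than a verdict and leaves scoring to the analyst; in real telemetry the hash check would be applied to the image file of any reported process.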

When played without the DRM being activated, the game behaves fairly normally, apart from the fact that it tracks browser data and has edited the computer's files. The game's DRM can be triggered by running a cheat engine or having one installed, by typing the game's name followed by "cheat", "hack", or "mod" into a search engine, by editing its files, or possibly just by a bug. The trigger works by reading the titles of open windows, and the game automatically closes any window whose title contains keywords such as "cheat" or "hack". The creator has apparently updated the game to close the game itself rather than the browser, though reading other windows' titles is still considered intrusive.

There are two effects that the DRM can have on the game itself. The first turns the game's background blue, turns the tiles black, plays Fakery Way, and adds near-invincible red Hyudoros, effectively making the game unplayable. The second, which is triggered by trying to uninstall the game with the red ghost "protection" already activated, opening the cheat engine, and a few other methods, changes the game's background color palette to a mix of red and black, makes eyes appear on the screen, applies a red grit effect to the screen, disables the ability to pause the game, and changes the music to the Sonic CD boss theme (US version), with the invincible ghost enemies still appearing, but with a different appearance and in larger numbers. If the game is uninstalled and reinstalled at this point, these effects continue, because the game checks the server. The effects can apparently be deactivated by contacting the game's creator so that he whitelists the computer himself via the server the game is connected to. The creator will only whitelist the computer once the user proves they are innocent and not trying to hack the game.

The game is no longer playable normally or installable, as the developer has made it unavailable for download and has manually disabled the game for everyone who had it installed. However, it was said that the game was reactivated after an update on December 14. The game itself does not run on many virtual machines/emulators, although it has not been proven that it is incompatible with all virtual machines. A re-uploaded version of the game was uploaded by an unknown person: [1]
