Mods are dime a dozen on PC games, and with Grand Theft Auto V, it should come as no surprise that there are mods being developed for the title. Even as it lacks official modding support from Rockstar Games, hobbyist game developers–modders–have lent their talents to create some very interesting mods.
One such mod is the Angry Planes mod, which we wrote about just a few days ago. In the mod, other planes fly at you, attempting to kamikaze directly into you. If they're armed with weaponry, they'll even fire those at you.
Unfortunately for anyone who downloaded the mod, users are reporting that their computers have been infected by a keylogger. Designed as a trojan horse to get you to install it, the virus is one that hijacks computers its installed on, potentially logging and stealing your passwords and all sorts of other nasty things. The Angry Planes mod and the Noclip mod have been reported to carry a trojan horse.
One user, aboutseven, posted his findings on the fansite GTAForums.
He wrote:
So sure enough, I'm freaking out at this point. The Fade.exe had hijacked an official system file, the C# Compiler, and was accessing the internet while keeping what seems to be logs of my system in the hidden temp directory. I then did a Malwarebytes scan and it reported that Fade.exe had also hijacked a part of the registry to force this program to start up on windows logon, as can be seen here:
Also, two other files were created in the temp directory with the names .z and init..exe which can be seen here:
I did more research on this Fade.exe program, but couldn't find anything except for this single instance here which seems to fit the description perfectly: http://vms.drweb-av….irus/?i=4337630
For some reason, directly scanning the file with Malwarebytes reports that it is not malware, and only 3 out of 56 virus scanners found Fade.exe to be malicious: https://www.virustot…a9336/analysis/
Now where does GTA V modding come into this? Well, I compared the date of when the Fade.exe instance was created to whatever I had in my download folder. I don't go around downloading random programs from non-trusted sources, so I couldn't believe that I had gotten a virus from a program. Well sure enough, I noticed all the mods that I had downloaded for GTA V had matched the date when this folder was created. I decided to experiment. I first deleted all instances of the Fade.exe folder, the files in the temp folder, and the registry hijack. I then ran GTA V with the mods installed. Fade.exe had returned after the game had loaded up (not to the menu screen, to the game itself), along with everything else. Again I removed the Fade.exe and all the other stuff, and I then removed all mods but ScriptHook V and its Native Trainer and relaunched the game. The first thing I noticed is that GTA V started up fullscreen when I did this, when it started windowed with the mods installed. Also, with the mods installed, I always noticed a flashing window right before the game finished loading which was gone after removing the mods. After starting up GTA V without the mods and only ScriptHook V, there was no Fade.exe or any other files.
If you've downloaded and installed either the noclip or Angry Planes mod, uninstall them immediately and run an antivirus program to disinfect your computer–regardless of whether the files are confirmed to contain a virus. We'll be updating this post with further details, but until then, steer clear of GTA V mods for now–at least until they're cleared by the community.
