Attention ALC and CRP viruses in 3Ds Max!

Updated on November 17, 2020

Attention, there is a new kind of virus spreading in the environment of 3Ds Max, which can not be detected by your antivirus software!

If your scene is infected or you want to avoid getting the virus into your 3Ds Max download and install share-ware script Prune Scene and activate the Active Protection!
Download Prune Scene
After run Active Protection mode viruses will be deleted.
In the future, if the viruses get to you in the scene they will always be deleted!

Important!

You can use Prune Scene for free to clean up viruses!

Intro


Recently, there has been a high activity of infection of scenes and models with ALC betacleaner (Worm.3DsMax.ALC.clb) and CRP bscript (Worm.3DsMax.CRP.bscript) viruses at 3D stocks, online forums and online sharing services. Typically, viruses get to you through an infected scene file (* .max) when you Open, Merge or X-Ref it.

When opening or working with an 3Ds Max software file (*.max), the scene displays some strange behaviors. Read about each virus in details below.

ALC betacleaner

alc virus helpers

This virus a 3rd-party MaxScript (hereafter called "ALC"), can accidentally corrupt 3Ds Max software's settings and be propagated to other Max files (*.max) on a Windows system if scene files containing the broken script are loaded into 3Ds Max. (The original script seems to have been included with some free 3ds Max scenes that users may have downloaded from various online sources.)

Although the MaxScript appears to have been written as a form of copy protection for a commercial plug-in, if affected 3Ds Max scene files are distributed and re-opened, they may propagate the corruption problem to other copies of 3Ds Max.

This particular MaxScript file will be embedded into a Max scene file as a scripted controller.
The script saves itself into hidden files in the:
C:/Users/Your User Name/AppData/Local/Autodesk/3dsMax/Release Number - 64bit/Lang/scripts/startup
Files:
  • vrdematcleanbeta.ms
  • vrdematcleanbeta.mse
  • vrdematcleanbeta.msex​

Note!

These files will have their System attribute properties set to Hidden, and are not normally visible in the Windows operating system's File Explorer. You may need to change the View → Folder Options to "View Hidden Files and Folders.

This virus take next issues:

  • Crashes or fails to open
  • Corrupted scene data
  • Empty helper nodes (¡¡×ý×û and ×þ×ü)
  • Unable to save the scene manually
  • Unable to use the Undo function (Ctrl+Z)
  • Displays various MaxScript errors
  • Corrupts or removes cameras, lights, and/or materials
  • Forces an auto-save after breaking the scene or when choosing "Don't Save" when closing
  • Adds itself to an existing script in the MaxScript startup directory
  • Force closes 3Ds Max
  • Unable to save V-Ray lights

CRP bscript & ADSL bscript

This virus a 3rd-party MaxScript (hereafter called "CRP"), can accidentally corrupt 3Ds Max software’s settings and be propagated to other Max files (*.max) on a Windows system if scene files containing the broken script are loaded into 3Ds Max. (The original script seems to have been included with some free 3ds Max scenes that users may have downloaded from various online sources.)

This virus also distributed as ALC betacleaner when you open the scene. Virus spoils all scripts that are in your MaxScript startup folder, adding malicious code to them.

This virus take next issues:

  • Undo function (Ctrl+Z) is broken and no longer works after switching to different viewports
  • Scene lights may disappear or be deleted
  • Scene materials may deleted
  • Damage scripts in MaxScript startup folder
  • Scene objects may deleted

ALC2 alpha

The same as ALC BETACLEANER, but creates different malicious files and global variables in 3Ds Max environment.
The script saves itself into hidden files in the:
C:/Users/Your User Name/AppData/Local/Autodesk/3dsMax/Release Number - 64bit/Lang/scripts/startup
Files:
  • vrdematcleanalpha.ms
  • vrdematcleanalpha.mse
  • vrdematcleanalpha.msex
  • vrdestermatconvertor.ms
  • vrdestermatconverter.msex
  • vrdestermatconvertar.ms
  • vrayimportinfo.mse

Otherwise, the behavior is the same as for ALC BETACLEANER

ALC3 alpha

The same as ALC BETACLEANER, but with some differences.

The most dangerous thing is that this virus can download updates for itself and can be modified!

This virus take next issues:
  • Crash 3Ds Max when open
  • Empty helper nodes
  • Unable to use the Undo function (Ctrl+Z)
  • Displays various MaxScript errors
  • Change render settings (V-Ray): VFB size, materials, GI settings etc.
  • Tiny save your render from VFB and send to remote e-mail
  • Gather system information and send to remote e-mail: IP, MAC, HDD info, Memory, CPU, 3Ds Max version etc.
  • Send gathered data from fake e-mail sss777_2000@126.com (nfkxovtedspjgedv) to rrr888_3000@126.com
  • Download from remote address and update itself from http://www.maxscript.cc/update/upscript.mse

The script saves itself into hidden files in the:
C:/Users/Your User Name/AppData/Local/Autodesk/3dsMax/Release Number - 64bit/Lang/scripts/startup
Files:
  • vrdematpropalpha.ms
  • vrdematpropalpha.mse
  • vrdematpropalpha.msex​

Desire FX CA

desire fx ca
This virus a 3rd-party MaxScript can executed when open scene or merge virus objects. Gets to your scene with downloaded models from site desirefx or mirrors.
Virus write Custom Attribute for object rootscene (this is system object and can't be deleted) and runs when scene opened or something merged.

This virus take next issues:
  • Rename all objects in scene and adds advertisement prefix in name
  • Create Text objects in scene with advertisement text
  • Can write advertisement text in File Info
  • Can freeze viewport

PhysXPluginMfx

PhysXPluginMfx (variant of ALC2, ALC, CRP and ADLS) - virus for a planned attack on large enterprises. Developed by a group of hackers for industrial espionage.
This virus ships with 3rd-party plugins from fishing sites and can corrupt 3ds Max software’s settings, run malicious code, spread to other 3Ds Max files (*.max) and send gathered personal data to C&C servers in South Korea.
This virus uses previously known bugs like ALC, ADS or CRP and creates next files:
C:/Users/Your User Name/AppData/Local/Autodesk/3dsMax/Release Number - 64bit/Lang/scripts/startup
Files:

  • PhysXPluginStl.ms
  • PhysXPluginStl.mse

This virus take next issues:
  • Create malicious files such as PhysXPluginStl.mse in the user’s startup script folder
  • The "*.mse" file appears to host a base64 encoded .NET 4.5 assembly
  • Spread to other "*.max" files
  • Send personal info to 3rd-party servers

Alienbrains (mscprop.dll)

mscprop dll
This virus a 3rd-party MaxScript (hereafter called "Alienbrains"), may corrupt a 3ds Max installation and MAX scene files and can get into the 3Ds Max from third-party online resources with stock models.
Alienbrains virus slows down the scene: loading, saving, autosaving and restarting.
Also may cause modal errors "Runtime error: FileStream cannot create..." when opening scene.
If UAC in Windows system disabled, this virus can create malware file: mscprop.dll in 3Ds Max root folder!

This virus take next issues:
  • Creates mscprop.dll at the root of 3Ds Max
  • Very long scene loading/saving/autosaving/restarting
  • Creates unwanted Custom Attributes for objects
  • Creates unwanted rootScene properties and callback functions
  • Displays various MaxScript errors (see screenshot below)
  • Unable to use the Undo function (Ctrl+Z)
  • Creates a Local_temp.ms file in "C: /Users/Your User Name/AppData/Local/Temp/"
Here example of various MaxScript error:
maxscript exception localtemp ms

The virus creates next files:
C:/Users/Your User Name/AppData/Local/Temp/Local_temp.ms
C:/Users/Your User Name/AppData/Local/Temp/Local_temp.mse
C:/Program Files/Autodesk/Release Number/mscprop.dll
C:/Program Files/Autodesk/Release Number/stdplugs/PropertyParametersLocal.mse

How to detect viruses?

For ALC betaclenaer:

Open MaxScript Listener copy and paste next string and press the Enter:
(globalVars.isGlobal #AutodeskLicSerStuckCleanBeta)
The sequence should return the line: false. If the sequence returns: true - you are infected!

For ADSL bscript

Open MaxScript Listener copy and paste next string and press the Enter:
(globalVars.isGlobal #ADSL_BScript)
The sequence should return the line: false. If the sequence returns: true - you are infected!

For CRP bscript

Open MaxScript Listener copy and paste next string and press the Enter:
(globalVars.isGlobal #CRP_BScript)
The sequence should return the line: false. If the sequence returns: true - you are infected!

For ALC2 alpha

Open MaxScript Listener copy and paste next string and press the Enter:
(globalVars.isGlobal #AutodeskLicSerStuckCleanAlpha)
The sequence should return the line: false. If the sequence returns: true - you are infected!

For PhysXPluginMfx

Open MaxScript Listener copy and paste next string and press the Enter:
(globalVars.isGlobal #physXCrtRbkInfoCleanBeta)
The sequence should return the line: false. If the sequence returns: true - you are infected!

For ALC3 alpha

Open MaxScript Listener copy and paste next string and press the Enter:
(globalVars.isGlobal #AutodeskLicSerStuckAlpha)
The sequence should return the line: false. If the sequence returns: true - you are infected!

Desire FX CA

In scene will be renamed all objects with "desirefx" prefix:
desire fx ca

For Alienbrains

Open MaxScript Listener copy and paste next string and press the Enter:
(try(TrackViewNodes.TVProperty.PropParameterLocal.count >= 0) catch(false))
The sequence should return the line: false. If the sequence returns: true - you are infected!

There are also other modifications of viruses that only Prune Scene can handle.

How to remove viruses?

prune scene active protection
If your scene is infected or you want to avoid getting the virus into your 3Ds Max download and install share-ware script Prune Scene and activate the Active Protection!
Download Prune Scene
After run Active Protection mode viruses will be deleted.
In the future, if the viruses get to you in the scene they will always be deleted!

Important!

You can use Prune Scene for free to clean up viruses!

You also can use another scripts for fix this problems:
ALC_fixup_v1_2.ms and CRP_fixup_v1_2.ms
But I not recommend to use it because you will need to run them from time to time manually and you can miss the moment when the virus gets into another scene that's very critical for large companies where several people can work with one file. Also there are other modifications of the viruses that these scripts can not fix it!

Official Information


Here official Autodesk assertion:

https://knowledge.autodesk.com/support/3ds-max/troubleshooting/caas/sfdcarticles/sfdcarticles/Potential-issues-with-third-party-MAXScript-CRP-switching-to-different-viewport-scene-lights-disappear-or-seem-deleted.html


https://knowledge.autodesk.com/support/3ds-max/troubleshooting/caas/sfdcarticles/sfdcarticles/Scene-file-crashes-corrupts-scene-data-gives-Script-Controller-error-or-no-longer-uses-the-Undo-function.html?st=alc

Update 1

From the official source it became known that in 3Ds Max 2019 Update 2 by default has protection will be enabled and help against the ALC/CRP issue.

Here official assertion:

https://forums.autodesk.com/t5/3ds-max-forum/potential-issues-caused-by-third-party-maxscript-files-alc-and/m-p/8281431#M164173

About Security Tool in 3Ds Max 2019 Update 2:

http://help.autodesk.com/view/3DSMAX/2019/ENU/?guid=GUID-C8FEC566-7747-4C35-A7DE-6B8233C9ACB0

Also confirmed information about the modification of the CRP virus named as ADSL


A 3rd-party MAXScript known as "ADSL" can accidentally corrupt 3ds Max software settings.

The script can be propagated to other MAX files (*.max) on a system if scene files containing it are loaded into 3ds Max. This corruption is a nearly identical variant of the CRP corruption, but uses different variable names.

Security Tools in 3Ds Max Update 2 can detect and clean this script from your system startup scripts and any infected scene files.

http://help.autodesk.com/view/3DSMAX/2019/ENU/?guid=GUID-10254858-7E5A-4220-9960-C250CCE2BA56

Update 2

9 Jun 2019
Autodesk released official Security Tools for Autodesk© 3ds Max® 2019-2015 for clean next threats: ALC, CRP and ADSL worms.

autodesk security tools
autodesk security tools success cleaned

You can now download and install this tool for free for 3Ds Max versions: 2015, 2016, 2017, 2018. For 3Ds Max 2019 just install latest Update 2 with iterated solution.

If you have issues with the ALC/CRP/ADSL from older versions of 3Ds Max (2014 and previous) use Prune Scene!

For enable/disable protection you must add button on main toolbar: Customize → Customize User Interface → Category: Security Tools. Then Drag&Drop 3ds Max Security Tools on to main toolbar.

autodesk security tools main script

When run this tool you can see next window with one option enable/disable.


Update 3

15 Sep 2020
This article updated and added description for new dangerous types of threats: ALC2, PhysXPluginMfx, Alienbrains (mscprop.dll), DesireFX CA.


{{commentsMsg}}
  

No one has posted a comment yet
{{comment.lastname}} {{comment.name}} {{comment.date}}
{{comment.text}}


SUBSCRIBE TO OUR NEWSLETTER

{{subscribeMsg}}