What is Spy CA?
Spy CA is a new class of viruses that can be delivered along with third-party 3D models downloaded from online resources or 3D Stocks.
The virus is a Maxscript code that is written to the Custom Attributes of an object and is executed when a scene is opened, a model is merged, or an object is manipulated.
I reverse engineered the script and learned that it causes the following:
- Slow opening of scenes
- Creation of unwanted files in the system along the path c:/Users/[User]/AppData/Local/
- Creation of unwanted attributes in objects
- Sending data about a unique PC identifier to the C&C server
- Disabling 3Ds Max Security Tools by overwriting settings in 3dsmax.ini
If you are using Security Tools and see a message like the one in the picture above, it means that you are infected.
In 3Ds Max 2024 and higher, the script is blocked for execution, but the virus code remains in the Custom Attributes of the object. Therefore, there is a risk of transferring a scene or object with this virus to another user who does not have protection. As a result, the code may be executed on an unprotected computer, so I strongly recommend using Prune Scene!
How does the virus work?
The virus creates a mac.dat file among the system files with the information to be sent to the C&C server; usually a unique identifier is written there.
Personal data is sent: MAC address, unique identifier and other information to a remote server at https://api[.]yutu[.]cn/blackBox/checkData in China.
The virus also tries to completely disable 3Ds Max Security Tools by overwriting the settings in 3dsmax.ini!
At the moment, these are all the actions of the virus. But with a large number of objects carrying similar Custom Attributes, the scene slows down significantly when opening or when manipulating objects.
How to detect Spy CA?
There are several ways to detect this virus:
- When Security Tools is enabled, you will see a message (screenshot at the beginning of the article)
- When Prune Scene is installed, you will be notified that this virus has been removed
- You can manually check your scene; how to do this is described below
Manual way to detect Spy CA: open the MAXScript Listener, copy and paste the following line and press Enter:
The line should return false. If it returns true, you are infected!
How to remove the virus completely?
Unfortunately, 3Ds Max Security Tools only blocks the execution of this virus, and the most effective way to remove it is to use Prune Scene.
Prune Scene will completely remove all Custom Attributes from the scene that use malicious code. The most important thing is that it does it automatically!
This virus can also be removed manually: apply Convert To Mesh and then Convert To Poly to every object in the scene, which strips the Custom Attributes.
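As an added example (not the article's own one-line check and not Prune Scene's code), the MAXScript below serves both the manual detection step and the manual removal step: it scans the Custom Attributes of every scene node for the indicators the article names (the api.yutu.cn host, the blackBox/checkData path, mac.dat and 3dsmax.ini) and, only when asked, deletes the flagged attribute blocks in place, which unlike Convert To Mesh / Convert To Poly keeps the modifier stack intact. The indicator list is a heuristic built from this article, and the API calls used (custAttributes.count, custAttributes.getDef, custAttributes.getDefSource, custAttributes.delete) are assumed to behave as documented in the MAXScript reference.

```maxscript
-- Added example, not the article's own detection line or Prune Scene's code.
-- Scans the Custom Attributes of every scene node for the indicators named in
-- the article and, when doRemove is true, deletes the flagged attribute blocks.
-- Assumed MAXScript API: custAttributes.count, custAttributes.getDef,
-- custAttributes.getDefSource, custAttributes.delete, findString, toLower.
fn findSpyCAAttributes doRemove:false =
(
    -- Indicators taken from the article; the defanged domain is written with its dots.
    local indicators = #("yutu.cn", "blackBox/checkData", "mac.dat", "3dsmax.ini")
    local flagged = #()
    for obj in objects do
    (
        -- Walk backwards so deleting an entry does not shift the remaining indices.
        for i = (custAttributes.count obj) to 1 by -1 do
        (
            local def = custAttributes.getDef obj i
            local src = custAttributes.getDefSource def
            if src == undefined do continue
            local lowered = toLower src
            local hit = undefined
            for ind in indicators while hit == undefined do
                if (findString lowered (toLower ind)) != undefined do hit = ind
            if hit != undefined do
            (
                append flagged #(obj.name, i, hit)
                if doRemove do custAttributes.delete obj i
            )
        )
    )
    for f in flagged do
        format "%: Custom Attribute #% matched '%'\n" f[1] f[2] f[3]
    flagged
)

-- Dry run first; call findSpyCAAttributes doRemove:true only after reviewing the report.
findSpyCAAttributes()
```

Run the dry run from the MAXScript Listener and review the report before removing anything: the 3dsmax.ini indicator in particular can appear in legitimate tooling, and a match only means the attribute's source text deserves a look. The scan walks scene nodes only; Custom Attributes attached to materials or modifiers are not covered by this example, which is one reason the article's recommendation of a dedicated cleaner still stands.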
Conclusion
Spy CA poses a serious threat to 3Ds Max users, capable of injecting malicious Maxscript code through Custom Attributes of objects. Even though new versions of 3Ds Max block the execution of this virus, its presence in scenes remains, presenting a potential danger to other users without appropriate protection.
It is recommended to use tools like Prune Scene to completely remove malicious attributes and prevent virus transmission. It is important to exercise caution when working with files downloaded from third-party sources and regularly check scenes for such threats.
I have also updated the article where I keep a log of all viruses and threats for 3Ds Max. I recommend reading it:
Attention ALC and CRP viruses in 3Ds Max!