NeoProgrammer infected my laptop

[definitelynotZozo]

Taking the issue #7 as a reference as it's completely related to what happened to me yesterday afternoon during my internship hours.

@lvent is right, those aren't false positives at all! I made the mistake of blindly opening this piece of crap on my personal laptop and got infected. You said that you believe that AV software may give false positives and that you don't trust this kind of software but from my awful experience I can guarantee that even Windows Defender that barely protects my PC was able to flag those files as malicious, even though it didn't stop their operations.

As I'm not just some random kid who barely touched a computer before doing this, when I saw that all of my previously downloaded exe files were popping back up with a last edit date of 13/02/2025 (DD/MM/YYYY) I had the good reflex of immediately turning back on Windows Defender then when I saw that it detected threats I cutted off any kind of access to the Internet on my laptop and rebooted into safe mode. From there I used some 2nd opinion scanners and Eset Online Scanner (not an ad) did an almost perfect job at removing those, including exe files that were in my Downloads folder and that got infected by this malware. I also dug through the Event Viewer and a tool from Nirsoft to go through Windows Defender logs (see Scr1 and Scr2 for proof - the 1st line in the logs is unrelated to this) and found out that it did a proper job at removing those from my PC, except the now broken 2 startup entries that I had to manually remove using Autoruns.

Scr1

Scr2

As I wanted to know if the driver installer or NeoProgrammer was the malicious program that made me lose an entire afternoon (and made me put BIOS chips reading besides) and a few hours of sleep I decided to run those (tried NeoProgrammer first then stopped when I saw that this was the culprit) on Any Run and found out that NeoProgrammer was the problem (see Scr3). (Any Run results)

Scr3

The infection and AV flags are completely unrelated to unsigned drivers as most of those would only be able to run in test mode or if you rebooted in the WinRE and chose to disable drivers signature enforcement at the next boot ; the real reason is that AVs usually compare those files signatures (or more commonly called hashes) with their databases to check if it already got flagged as malicious or not...

You can also re-open the issue #7 as you now got evidence that I got infected.

While not opening this in a VM and trusting this repo blindly was a big mistake from my side you're still responsible of the files you share in this repo thus you're also responsible for my infection.

If you don't think that's enough evidence I can also post a proper video on YT with how you can get infected and how to get rid of this without necessarily reinstalling Windows... (I could've reinstalled Windows but I prefer wasting half a day, a few hours of sleep and my browsers cookies than wasting days reinstalling and configuring 200+ programs and then log back into all of my accounts.)

[YTEC-info]

No one is responsible for what you do on your computer other than yourself! :)

I don't own any of the programs or code in this repository, I just gathered and organized the publicly available software/drivers/manuals for the CH341A. I initially created this repository for my own personal use only, I made it public just for convenience and to help anyone who wants to use it, I never disclosed or forced anyone to download, give stars or fork it.

Everything related to the Windows operating system has been removed from the main branch, everything is in the Windows branch

I'm accepting pull requests for Windows programs that make antiviruses happy :)

[kevadesu]

So you, as the owner of the repository, just decided to irresponsibly host malware on GitHub then blame the users just because you didn't double check the files that were in the repository before making it publicly available?

[redcooler]

No one is responsible for what you do on your computer other than yourself! :)

I don't own any of the programs or code in this repository, I just gathered and organized the publicly available software/drivers/manuals for the CH341A. I initially created this repository for my own personal use only, I made it public just for convenience and to help anyone who wants to use it, I never disclosed or forced anyone to download, give stars or fork it.

Everything related to the Windows operating system has been removed from the main branch, everything is in the Windows branch

I'm accepting pull requests for Windows programs that make antiviruses happy :)

Not only are you hosting malware on GitHub. But with your half-baked excuse of " just gathered and organized the publicly available software/drivers/manuals for the CH341A. ". and then dont give the authors any credit. Youre a real asshole

[tsingzhou1]

are you a animal？  why scolds me 发自我的iPhone

…

------------------ Original ------------------ From: redcooler ***@***.***> Date: Tue,Feb 18,2025 5:57 AM To: YTEC-info/CH341A-Softwares ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [YTEC-info/CH341A-Softwares] NeoProgrammer infected my laptop(Issue #18) No one is responsible for what you do on your computer other than yourself! :) I don't own any of the programs or code in this repository, I just gathered and organized the publicly available software/drivers/manuals for the CH341A. I initially created this repository for my own personal use only, I made it public just for convenience and to help anyone who wants to use it, I never disclosed or forced anyone to download, give stars or fork it. Everything related to the Windows operating system has been removed from the main branch, everything is in the Windows branch I'm accepting pull requests for Windows programs that make antiviruses happy :) Not only are you hosting malware on GitHub. But with your half-baked excuse of " just gathered and organized the publicly available software/drivers/manuals for the CH341A. ". and then dont give the authors any credit. Youre a real asshole — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***> redcooler left a comment (YTEC-info/CH341A-Softwares#18) No one is responsible for what you do on your computer other than yourself! :) I don't own any of the programs or code in this repository, I just gathered and organized the publicly available software/drivers/manuals for the CH341A. I initially created this repository for my own personal use only, I made it public just for convenience and to help anyone who wants to use it, I never disclosed or forced anyone to download, give stars or fork it. Everything related to the Windows operating system has been removed from the main branch, everything is in the Windows branch I'm accepting pull requests for Windows programs that make antiviruses happy :) Not only are you hosting malware on GitHub. But with your half-baked excuse of " just gathered and organized the publicly available software/drivers/manuals for the CH341A. ". and then dont give the authors any credit. Youre a real asshole — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[roozerxc]

No one is responsible for what you do on your computer other than yourself! :)

I don't own any of the programs or code in this repository, I just gathered and organized the publicly available software/drivers/manuals for the CH341A. I initially created this repository for my own personal use only, I made it public just for convenience and to help anyone who wants to use it, I never disclosed or forced anyone to download, give stars or fork it.

Everything related to the Windows operating system has been removed from the main branch, everything is in the Windows branch

I'm accepting pull requests for Windows programs that make antiviruses happy :)

@YTEC-info Next time when you start "gathering" publicly available software, please test them on a virtual or sacrificial machine first before you upload them. Regardless if it is free and open source, or proprietary software, you need to test them thoroughly.

Unless you're too lazy to set one up yourself, not only are you foolish enough to think that your users should be the ones responsible for opening your infected executables, you are also completely irresponsible and careless. Nothing justifies your excuse even with the evidence and sample analysis provided (Thanks to @definitelynotZozo and @lvent)

The Windows branch will be reported to GitHub for malicious material(s) unless this is resolved along with #7 #13 #17

[definitelynotZozo]

I'm reading most of those answers quite a while after this incident happened, but I still have the same opinion as when I created this issue and I completely agree with @kevadesu @redcooler and @roozerxc (more on that right under this sentence)...

As @kevadesu said, you should check if the files you add to your repos are at least safe to use, or if not (which is the case with most programs in this repo), then warn potential users that would download those programs from your repo (the strict minimum would be to put a warning header on the readme.md and a README.txt file in the folders of each program warning those potential users that the files you uploaded might not be safe to use as you didn't bother to take the time to check if those were safe to use on our host PCs). And even if you don't "own" those programs (it's more likely that you wanted to say that you didn't make them, which has a completely different meaning), you're responsible for what you share with other users and thus, using the dogshit "I never disclosed or forced anyone to download, give stars or fork it" excuse which makes you sound like a 40 years old mother who can't bare to even admit that she's wrong, is proving that you won't even take the sole responsibility of making it safe for those users and that you don't even give a shit about our safety...

I just saw the warning in readme.md, which took you a good while to add after I created this thread. This should've been present way before I got infected, especially as many people (with less technical knowledge in this domain) warned you and all of those who read the issues #7, #13 and #17!

Not giving any credit to those people who made the programs you're sharing on this repo and not even giving the sources you got them from is quite selfish, especially as those aren't the easiest to find and as some users would also want to check if your sources are reliable. I won't add more comments to this subject as @redcooler comment was quite clear about this.

And to top up all of this I'm finishing with @roozerxc comment, which completes what @kevadesu said earlier.
I won't talk again about the hundred reasons why you're completely irresponsible and can't even admit what I may consider as your mistakes. I'll also be reporting the branch in which those programs are located and archiving this repo + all of those issues (threads) on my laptop (which is still working flawlessly after the disinfection // it seems like I completely got rid of it and got lucky enough to not get my creds stolen) so I can keep evidence, try to analyze those files and maybe reverse engineer those once I get enough knowledge on this subject (this will be a great way to mess around) or just send them to people who have more knowledge for a nice lil YT video.

In conclusion I can say that those programs work as expected (tested in a VM the next day) but the malicious part is completely unexpected behaviour from such software and shouldn't even happen in the first place. I still claim that I'm responsible for running this on my laptop only thinking that I'd get the expected behaviour, but NOT for being infected by some piece of crap that also looks and acts like it was made in the 90's!

[Kippykip]

Ah shit that's what stuffed mine, I thought it was this cracked WintoUSB install I got that screwed everything up!
It had a fake explorer.exe and svchost,exe in the C:\Windows\System directory (not system32)

With them flagged as hidded + system operating files. Had to go to folder options to make them visible

[LtqxWYEG]

Ok, seems like ALL your Windows programs that you hosted were infected with the SAME trojan. Weird, huh? Almost as if YOU were the culprit all along... hmmm. xD

Anyway, there are still save downloads for NeoProgrammer. This one is definitvely save, as Virustotal, KVRT and Windows Defender find nothing: https://elektrotanya.com/cgi-bin/download2.cgi?dk=1k6vet2brxtn1ggygsmqu8pk7tq24dx0o8g2idylkqjo2c82&fid=367032&file=neoprogrammer_v2.2.0.10_for_ch341_program_driver_example_scripts_and_adapters_info.zip

Here's a safe Colibri download: https://filedn.eu/lXtsaQwba4wStcw7n13ojfX/Available_In_ARB_Hosting/Bios_Programmer/ch341a/Colibri%20version%201.01.63.zip

And here is a safe CH341A Tool download: https://github.com/tomek-o/CH341A-tool/releases

[definitelynotZozo]

It seemed like so, but when I tested again with the actual Windows branch in Triage sandboxes (results here) it seemed like only the folder that contained NeoProgrammer with a driver installer were infected by MOFKSYS, which once ran, spreads through executable files in your Desktop and Download folders, and it keeps some kind of persistence by making those fake svchost.exe and explorer.exe in C:\Windows\System.

I'll give a try to the allegedly "safe" copies in a sandbox and I'll send the results here once I'll be done testing them.