Is this a virus?

If the script was randomly inserted into a part, or randomly appeared in your workspace then you do in fact have a virus.

I strongly encourage you to be more cautious with plugins or models you may use for your games.

This is not a ROBLOX feature it’s the plugins causing this. It has inserted a backdoor in the game. To find the backdoors, test the game and click alt+shift F. Then a window will open. Search things like teleportservice, get fenv, require. Check the scripts, if you see a script that is unfamiliar then DESTROY IT!

This is not a feature. I was working in team create when I noticed this comment, turns out one of my member had a infected plugin. If you scroll horizontally to the extreme right you will see some virus obfuscated code

I remember helping a user that had this same problem a couple of days ago.

This virus comes to your game by either using a fake plugin called “RoSync”, or through a free model.

What we did, is that we scanned the whole entire game. Then we deleted the malicious scripts and scanned again. And then, it was gone.

I do not know if it still works, as the virus came back the day after. -_-

1 Like

I play tested the game, there is nothing malicious when I searched gen fenv, require etc.

This is very obviously a backdoor.
If you want to know how I can easily figure this out: here’s what I did.

getfenv() returns a table of the functions and variables in the current environment. This can be used to easily attempt to hide a function.

In this case, it indexes string.reverse(“\101\114\105\117\113\101\114”). If you see what this ascii code corresponds to “eriuqer”, which when put through the reverse function gives you “require”.

So, the script uses getfenv() and escapes ascii code to hide the require index in that table that is returned.

It then calls the require function with the asset id “5723263360”. Upon further inspection this is a quote on quote “require chain”, which basically hooks up module scripts in a chain to require each-other in an attempt to hide the final script in the chain.
I’ve reached a script in the chain that’s obfuscated, I don’t have the tools to get through it so :confused:

TL;DR: The script uses require to get a chain of module scripts, which eventually leads to a server-sided backdoor.

19 Likes

You either removed the virus, or it’s hiding itself by deleting itself when RunService returns true from the function :IsStudio().

2 Likes

The virus doesn’t pop up anymore even when I spam letters. I guess the insert catalog item plugin infected my place. I uninstalled it

If your problem is solved, make sure to add a Solution to the person that got you an answer.
This is so we can know what solved your problem.

As an alternative to the plug-in, you can insert items from the catalog using the Command Bar.
Copy & Paste this line, and replace AssetID with the ID of the item.

game:GetService("InsertService"):LoadAsset(AssetID).Parent=game.Workspace

3 Likes

RoSync has gotten pretty “popular” now it seems.
One of my games got infected with it too

even if you uninstall the plugin there still may be a backdoor, for example
I had I virus in my game that I couldn’t see but other players could, which is why I was never suspicious of anything until I was notified by a friend that he was getting pop-ups on his screen telling him that if he bought it, he would get admin in the game.
I went to see for myself and was confused because I never got any pop-ups , so I joined an alt and sure enough there it was.
I couldn’t see it on my own account that I had made the game on.
I tried everything to get rid of it, even without the plugin i still had it.
i had a small game so there were really any parts in there that it could of hid inside of either.

You may just want to double check just to be on safe side. :heart:

1 Like

Yea I did double check, luckily it was my building place. I never used the plugin in my actual games.

1 Like

my friend is a great programmer and he told me this Capture

1 Like

100% the string.reverse(“\101\114\105\117\113\101\114”) means “require” (just do print(string.reverse(“\101\114\105\117\113\101\114”))and I decided to go through the process and it led me here [ Content Deleted ] - Roblox. I am not going to deobfuscate that today since it will take possibly hours.

2 Likes

I don’t think this works anymore, what they do now is just use a ton of whitespace spam to hide it to the far right of the script.

2 Likes

Yeah I know that method, pretty common. But some viruses didn’t even have a horizontal scroll bar, and were able to hide their code in a comment and it actually executed. How did that even work lol.

It’s apparently a bug in the script editor where if you spam a specific ASCII character, it can hide text to the left of the script editor, making it unable to be seen. All you need to do to bypass this is to copy the script’s text and paste it in a different text editor. Thought it would’ve gotten fixed by now, though.

Edit: Seems like it also might fool the script editor into syntax highlighting it as a comment.

3 Likes

Rosync is a backdoor virus that comes from a plugin . If you are in team create with friends and when they make a script and Rosync appears, that means one of them has a fake plugin or a plugin that has a backdoor. If you want to get rid of it, all you have to do is tell your friends to send the link to each plugin they have and make sure it is the official owner and not made by a group. My friend is a scripter and that kept on appearing on every single one of his scripts and I got rid of it by making him get rid of plugins that were not made by the owner. I hope this helps :smiley:

5 Likes

yes, its very difficult to delete since its injected into nearly ALL of the in game scripts, and plus, it’s at the bottom of every one of them, so you can’t just press the delete all icon in the “Search in all scripts”, instead you need to delete every line with “RoSync” by hand, if anyone have any idea which plugin or asset caused this or how to stop this, please reply below, it would very mean a lot!

2 Likes