Is this a virus?

This is very obviously a backdoor.
If you want to know how I can easily figure this out: here’s what I did.

getfenv() returns a table of the functions and variables in the current environment. This can be used to easily attempt to hide a function.

In this case, it indexes string.reverse("\101\114\105\117\113\101\114"). If you look at what this ASCII code corresponds to, you get “eriuqer”, which when put through the reverse function gives you “require”.

So, the script uses getfenv() and escapes ascii code to hide the require index in that table that is returned.

It then calls the require function with the asset id “5723263360”. Upon further inspection this is a quote-unquote “require chain”, which basically hooks up module scripts in a chain to require each other in an attempt to hide the final script in the chain.
I’ve reached a script in the chain that’s obfuscated, I don’t have the tools to get through it so :confused:

TL;DR: The script uses require to get a chain of module scripts, which eventually leads to a server-sided backdoor.

12 Likes

You either removed the virus, or it’s hiding itself by deleting itself when RunService returns true from the function :IsStudio().

1 Like

The virus doesn’t pop up anymore even when I spam letters. I guess the insert catalog item plugin infected my place. I uninstalled it

If your problem is solved, make sure to add a Solution to the person that got you an answer.
This is so we can know what solved your problem.

As an alternative to the plug-in, you can insert items from the catalog using the Command Bar.
Copy & Paste this line, and replace AssetID with the ID of the item.

game:GetService("InsertService"):LoadAsset(AssetID).Parent=game.Workspace

2 Likes

RoSync has gotten pretty “popular” now it seems.
One of my games got infected with it too

Even if you uninstall the plugin there still may be a backdoor, for example:
I had a virus in my game that I couldn’t see but other players could, which is why I was never suspicious of anything until I was notified by a friend that he was getting pop-ups on his screen telling him that if he bought it, he would get admin in the game.
I went to see for myself and was confused because I never got any pop-ups, so I joined on an alt and sure enough there it was.
I couldn’t see it on my own account that I had made the game on.
I tried everything to get rid of it, even without the plugin I still had it.
I had a small game so there weren’t really any parts in there that it could have hidden inside of either.

You may just want to double check just to be on safe side. :heart:

2 Likes

Yea I did double check, luckily it was my building place. I never used the plugin in my actual games.

1 Like

my friend is a great programmer and he told me this: [image]

1 Like

100% the string.reverse("\101\114\105\117\113\101\114") means “require” (just do print(string.reverse("\101\114\105\117\113\101\114"))) and I decided to go through the process and it led me here https://www.roblox.com/library/5245156880/ROBLOX. I am not going to deobfuscate that today since it will take possibly hours.

2 Likes

I don’t think this works anymore, what they do now is just use a ton of whitespace spam to hide it to the far right of the script.

2 Likes

Yeah I know that method, pretty common. But some viruses didn’t even have a horizontal scroll bar, and were able to hide their code in a comment and it actually executed. How did that even work lol.

It’s apparently a bug in the script editor where if you spam a specific ASCII character, it can hide text to the left of the script editor, making it unable to be seen. All you need to do to bypass this is to copy the script’s text and paste it in a different text editor. Thought it would’ve gotten fixed by now, though.

Edit: Seems like it also might fool the script editor into syntax highlighting it as a comment.

3 Likes

Rosync is a backdoor virus that comes from a plugin. If you are in team create with friends and when they make a script and Rosync appears, that means one of them has a fake plugin or a plugin that has a backdoor. If you want to get rid of it, all you have to do is tell your friends to send the link to each plugin they have and make sure it is the official owner and not made by a group. My friend is a scripter and that kept on appearing on every single one of his scripts and I got rid of it by making him get rid of plugins that were not made by the owner. I hope this helps :smiley:

4 Likes

Yes, it’s very difficult to delete since it’s injected into nearly ALL of the in-game scripts, and plus, it’s at the bottom of every one of them, so you can’t just press the delete all icon in the “Search in all scripts”, instead you need to delete every line with “RoSync” by hand. If anyone has any idea which plugin or asset caused this or how to stop this, please reply below, it would mean a lot!

2 Likes

There are a lot of plugins that cause it/have the same virus injector.

Please do some research on your plugins before getting them, as you may come across something of the sort.

I’ve had a similar problem before and I just ended up checking the plugins one by one by turning everything else off except for one plugin, then opened and edited a script and backed out. Test it a couple of times then go through the rest of the plugins if it isn’t the one injecting the scripts.

Developers such as XAXA, Quenty, buildthomas, CloneTrooper1019, and more are all trustable developers for plugins so you wouldn’t have to look into those too much.

Specifically, the plugins found on dev forums are also mostly trustable. Those which are suspicious you should take a look at for your game’s safety.

1 Like

Commenting on this, I may know how they did it.

So, the comment starts with --[[ and then random text.
And as you know, to start a block comment you do the exact same, and you close it by using ]], that is how you can put malicious code after it.

ex. [image]
Of course, the require() would be more spaced out to the side so you could not see it.
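
Added example, not part of any post in this thread: a small Python triage script for script text copied out of Studio, as suggested above, that reports code pushed far to the right by whitespace padding or placed after a closed block comment on the same line. The function names, the 40-column threshold and the sample script are assumptions made for illustration.

```python
import re

BLOCK_OPEN = re.compile(r'--\[(=*)\[')   # --[[ or --[==[ style block comment opener


def mask_comments(source: str) -> str:
    """Blank out every comment character, keeping line and column positions.
    Assumption: '--' inside a string literal is treated as a comment (triage only)."""
    out, i, n = [], 0, len(source)
    while i < n:
        m = BLOCK_OPEN.match(source, i)
        if m:                                   # block comment: ends at matching ]] / ]==]
            close = ']' + m.group(1) + ']'
            end = source.find(close, m.end())
            end = n if end < 0 else end + len(close)
        elif source.startswith('--', i):        # line comment: ends at end of line
            end = source.find('\n', i)
            end = n if end < 0 else end
        else:
            out.append(source[i])
            i += 1
            continue
        out.append(''.join(c if c == '\n' else ' ' for c in source[i:end]))
        i = end
    return ''.join(out)


def find_offscreen_code(source: str, min_gap: int = 40):
    """Return (line_no, column, code) for code that follows at least min_gap
    blank or comment columns on its line, where a reviewer is unlikely to look."""
    gap = re.compile(r'[ \t]{%d,}(\S.*)' % min_gap)
    findings = []
    for line_no, line in enumerate(mask_comments(source).split('\n'), start=1):
        m = gap.search(line)
        if m:
            findings.append((line_no, m.start(1) + 1, m.group(1).rstrip()))
    return findings


# Constructed sample: line 2 hides a call after a closed block comment, line 3 after padding.
SAMPLE = (
    'local part = script.Parent\n'
    '--[[ random text ]]' + ' ' * 300 + 'require(1234567890)\n'
    'part.Anchored = true' + ' ' * 300 + 'require(1234567890)\n'
    '-- a normal comment\n'
)

if __name__ == '__main__':
    for finding in find_offscreen_code(SAMPLE):
        print(finding)
```

Very deeply indented code can also trip the threshold, so treat each hit as a line to read in full rather than as proof of infection.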

Any plugin made by rxdesire I believe has a virus. I had an intro creator by rxdesire and I had this same virus. Delete any plugins by rxdesire.

It seems like any plugin by rxdesire or I believe the group Creator Studio (it appears as rxdesire tho in the plugins menu) has this RoSync virus. I have this virus too, and everyone who has it seems to have a plugin by rxdesire. I would steer clear of any plugins by rxdesire, Creator Studio, or anything like it.

RoSync is a backdoor virus that comes from a plugin. Example; If you are in team create with friends and when they create a script and RoSync appears outta nowhere, that would mean that one of your devs has a fake/suspicious plugin or a plugin that has a backdoor. If you want to get rid of it, you would have to tell your friends to uninstall each plugin, and make sure it’s made by the original owner and not made by a new account/an alt.

You could either remove the virus or it’s hiding itself by deleting itself when RunService returns true from the function :IsStudio().

getfenv() returns a table of the functions and variables in the current environment. This can be used to easily attempt to hide a function.

In this case, it indexes string.reverse("\101\114\105\117\113\101\114"). If you look at what this ASCII code corresponds to, you get “eriuqer”, which when put through the reverse function gives you “require”.

When the script uses getfenv() and escapes ascii code to hide the require index in that table that is returned, it calls the require function with the asset id. Upon further inspection this is a quote-unquote “require chain”, which basically hooks up module scripts in a chain to require each other in an attempt to hide the final script in the chain.

The script uses require to get a chain of module scripts, which will eventually lead to a server-sided backdoor.

1 Like
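
Added example, not part of any post in this thread: the decoding step described in the first answer and repeated in the last post, written as a Python check that resolves Lua escape sequences in string literals and reports any that spell a code-loading name forwards or backwards. The function names, the list of sensitive names and the sample script (with a placeholder asset id) are assumptions made for illustration.

```python
import re

# Names worth hiding from a reviewer: each loads or runs code that is not in the script.
SENSITIVE = {"require", "getfenv", "setfenv", "loadstring"}

STRING_LITERAL = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'')
ESCAPE = re.compile(r'\\(\d{1,3})|\\x([0-9A-Fa-f]{2})')


def decode_lua_escapes(body: str) -> str:
    """Resolve Lua \\ddd (decimal) and \\xHH escapes to the characters they stand for."""
    def repl(m):
        return chr(int(m.group(1))) if m.group(1) else chr(int(m.group(2), 16))
    return ESCAPE.sub(repl, body)


def find_hidden_globals(source: str):
    """Return (line_no, raw_literal, resolved_name) for each escaped string literal
    that spells a sensitive name forwards or backwards."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in STRING_LITERAL.finditer(line):
            raw = m.group(1) if m.group(1) is not None else m.group(2)
            if not ESCAPE.search(raw):
                continue  # plain text literal: nothing was hidden
            decoded = decode_lua_escapes(raw)
            for candidate in (decoded, decoded[::-1]):
                if candidate in SENSITIVE:
                    findings.append((line_no, raw, candidate))
    return findings


# Constructed sample script; 1234567890 is a placeholder, not a real asset id.
SAMPLE = r'''local part = script.Parent
print("hello\n")
getfenv()[string.reverse("\101\114\105\117\113\101\114")](1234567890)
'''

if __name__ == '__main__':
    for line_no, raw, name in find_hidden_globals(SAMPLE):
        print(f'line {line_no}: "{raw}" resolves to {name}')
```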