this is actually relevant because the module is hidden in JointsService. this account may also be linked to the backdoors
also the display name of the user who owns that game distributes the models
1 Like
GG 
Took a bit to constant dump & locate all the crucial pieces of data, but the webhook has been snapped out of existence
4 Likes
hahhahah amazing job, that will stop it for a while. ill try look for more and use this same website.
I just looked at the account’s uploaded models, there are many infected freemodels. And actually, every virus script has a UDim2 value which looks like 500,19,674,61 which you can easily turn into id 5001967461 and all of them are game ids for all of his games. The account has many suspicious games uploaded
1 Like
ig that his malicious module gives him access to the infected games SSS to get a control of the servers they may even give that control to other users for money i amnot sure i said that because i saw smt like this before and it was for a exploit sold on discord that gave players ability to execute code in SSS in infected games servers or its called server side control ig and amnot sure that this one does this i didnot check it
but i kinda think that this does this bc of the thing in his module which was script.info.Parent = SSS
also the thing that i saw before which gave server side ownership was in a skybox i forgot its name but it was alot simpler than this one it was full of hex codes after i converted them i found that it also sends the infected game stats to a discord server stats like likes/dislikes/visits/thumbnail/name etc
I just spent a long time investigating further.
Turns out, the thing it gets from the game name and description is what it requires.
It uses string length encoding.
If you run this script, it prints “12131 7 7 9 2 9 2 2 7 5 2” but the virus script ignores the first 4 characters and spaces which turns that into “17792922752” which is the id of the require it runs.
b={Name="ModuleScript JointsService",Description="a ballers ballers beautiful ok beautiful ok ok ballers funny ok"}n=b.Name:split(" ")d=b.Name:split(" ")print((#n[1]or 0)..(#n[2]or 0)..b.Description:gsub("%S+",function(w)return#w end))
1 of the games it gets description and name from:
Game
1 Like
It’s very common for malicious scripts to parent their stuff under JointsService or other deprecated services. Judging by these release notes, Roblox is aware of this as you will soon get a warning in your output if anything is ever parented to the JointsService. I said soon because this is still pending for some reason.
in one of the other and im guessing older scripts, it sets the name of an empty module script to the id of the malicious file. youve done a great job figuring it out
1 Like
yeah, its weird that its still in pending when these are ongoing issues