Wemod (Newest Version) antivirus issue

The newest version of Wemod now has the Emotet Trojan. I have pulled it apart using several different anti-virus programs, as well as a virus inspection kit… and it looks malicious. Can some mods please get back to me regarding this, and let me know what purpose Emotet has being baked into this program?

I don’t want to be banned. I love this program… but this needs immediate attention.

Trust me, it’s not a trojan… It’s completely safe to use… it’s just because it uses things like Cheat Engine and common commands to pull info out of the game into the app to change certain things, for example Health, Ammo, etc.

It is a false positive. We are working on getting all these removed. What AV is reporting this?

Bitdefender is telling me that there is a Trojan.Emotet.Gen.3 in the Wemod setup. I didn’t have this problem with Infinity but I don’t want to risk it

Bitdefender has always given false positives. We are working to remove these, but I can assure you it’s not a problem.

WeMod is Infinity. It’s the same application with a new name and design.

Yeah, same issue here on Webroot. Except that on my side it is an Adware.Gen.
Now I did not have that with Infinity, just like @Solmus but it makes me nervous to see viruses up to paranoia. I’ll just wait 'til I see some fix for it. :confused:

Not sure how long you’ve been here, but with every launch of a new version some AVs, especially the bad ones, have given a false positive for Infinity/WeMod.

I can assure you that WeMod is not a virus. We made some internal changes to combat the false-positive detections, and we’ll be reaching out to more AV vendors in the upcoming days. Try downloading and installing the app again.

Yo, it’s a false positive. I get those all the time when downloading exploits / trainers. If it’s not letting you download it, just disable your anti-virus for it to work.

Same. I’m using Emsisoft, which uses Bitdefender’s and its own engine. Here is a VirusTotal link if you want to see the results: https://www.virustotal.com/#/file/5774dde799c3642895357ad2821de90387813ab59263fe0736888b6e898de017/detection

I’m gonna do a little breakdown. Before you read this: I have nothing against WeMod, I personally love them. I just got scared and suspicious when the new update came out, so I’m here trying to help the staff with a breakdown and some screenshots. Please excuse my English and spelling mistakes, I’m Hungarian. And by no means am I a ‘professional malware detective’ or something.

I’ve tested the file on a virtual machine and found nothing malicious after the installation. I’ve been using this software for like 7 months now and never had any “virus” problems with it except for this one, the new update.
I’m kinda paranoid of viruses. 2 years ago I got a bad adware on my old PC and ever since I’ve been trying to be really careful with any file I get from the internet. Again, I trust you guys, but I will wait till this is fixed, I think.

I will try to help and provide you some screenshots of the detections, because it detects multiple files as malicious (all of these screenshots were captured on a new VM I created to test the file, so excuse it if it has Microsoft Edge on it hahaha):

So first one, the file can not be downloaded, Microsoft flags it as a virus.

When I execute the file I get this: (The red says ‘Suspicious activity has been detected and moved to quarantine’)

Then I would add it to exclusions:

When it’s on my desktop again, I run it then this happens: (It says suspicious activity detected and stopped, [on the bottom-right it says ‘Wait, this might be safe’ and then I click on that])

Then when the setup succeeds, the real-time protection notifies me about a potential threat that has been doing stuff in the background.
This is a notification about a file being changed (basically this system is for ransomware and notifies you about any file changes; this doesn’t mean that the changes are harmful, it’s just a notification. If it were harmful, the whole tab would be red instead of yellow…)
Then I would click on ‘Update Rule’ and that’s all. The program runs great after that, but let’s not forget about the aftermath, so here are the scans of the aftermath:

First scan with Emsisoft (keep in mind I took the file out of the exclusions in order for the scan to detect everything related to this file)
It detected only the installer.

Second scan, with HitmanPro. This is where things started to get weird and my heart started beating a little. (I tested the file before at 3pm, it’s 9pm now [the time that this post is getting created] and the tracking cookie wasn’t there 6 hours ago, so that’s weird.)

The setup that Edge flagged as a virus (this is just the cache of Edge) :
Location: C:\Users\asd\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC#!001\MicrosoftEdge\Cache\WOG2NWDJ

Detection (HitmanPro uses a selection of other AVs’ signatures, Bitdefender as its main if it’s possible):

Moving on to the installer that is directly on the computer:
Detection names and Scoring are the same.

For some reason I can’t open more info on the tracking cookie.

Malwarebytes scan:
Again, only detected the installer.

Last but not least, when uninstalling (just a notification):
This window pops up once and when I press Update Rule it pops up again, then if I click it again, it will disappear.

That’s all, I don’t have the time for a manual malware ‘scan’.
I hope you understand this situation, and I created this post to maybe help some staff members.
I love WeMod and I will keep using it, but first I want to see these detections fixed (These days I don’t trust anything, so that’s why I’m this ‘careful’ or stupid as people would see.)

Full list of the screenshots: https://imgur.com/a/w1oG0nM

End note: I love you and don’t ban me please

“Trojan.Emotet is a Trojan horse that downloads potentially malicious files and may carry out malicious activities on the compromised computer.” I’m pretty sure that’s what everyone is saying it is, and it really isn’t. I’ve had it for a while, and when the new update came out I downloaded it and nothing happened to my PC, nothing was downloaded, and all was fine. I wouldn’t worry about WeMod having a Trojan anytime soon.

Thanks for the in-depth analysis! Have you tried with the latest installer? It was updated about 30 minutes ago.

Thanks for your reply. No I didn’t try the newest one, but I will try it tomorrow since it’s getting late here in my country and will give you an update here.

I just tested it. When the installation just finished, the standard file modification window popped up, but that’s nothing to worry about. Then after a few seconds this pops up (I finally made it English):
Here’s more info on it:

A few minutes after the installation a trojan installer detection pops up:
More info on it:

For now that’s all for the detections (only after a 10 minute wait)

Scan with HitmanPro:
Emsisoft and Malwarebytes didn’t find anything.

Tracking cookies location: C:\Users\asd\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC#!001\MicrosoftEdge\User\Default\DOMStore\CPRZYB2T

After uninstalling the program and then scanning with HitmanPro, I got the same results.

I manually uninstalled the ‘tracking cookie’ from Edge, and after a reinstall of WeMod, and system restarts the tracking cookie is completely gone, but I’ve done some research and visited Optimizely.com, so I came to the conclusion that it is not harmful.

Yeah I’m as paranoid as you. (then why do i install cracks/viruses then and do not be stressed?!)

It is signed “Daring Development Inc.” which was the same signature of the good ol’ Infinity and Horizon, if it wouldn’t be then it would be SURE it was a viru–err… trojan or adware.

It’s a false positive. With every version of Infinity (WeMod now) some antiviruses find something new. Mostly the ■■■■ ones. It takes time for Frank and Zach to contact every AV vendor and get it cleared out of their system.
When I wrote to Bitdefender once about it being a false positive, they told me it’s impossible ’cause they’re the best, so there’s that.

Time to face my fear I guess… After all it’s a simple “adware”. I can always use my AV (Webroot B.T.W.) to stop this madness

After installing–well sorta, the installer was at 47% then just closed randomly… I’ll try again.
EDIT: Yep, installer done installing its stuff… but the smile at the end was CREEPY.

Most likely your AV is stopping the installation.