Steam just sent me an email to report a payload at the very end of "index.html" located in an .ns package of my game. Have you had this issue before? Is it some sort of virus or an expected behavior?
Here are more exact instructions to see the issue:
1. Install anti-virus (both McAfee and Sophos have caught the file)
2. Turn on active monitoring
3. Launch the game.
The payload is at the very end of “index.html†which is located in an .ns package. When the game is launched nw.exe will extract this package that the virus scanner should flag it.
The payload is visible in the file even without a virus scanner. You can also see the payload in this version of the file we extracted on a virtual machine.
pastebin.com/0TZGCPnp
At the end of the file is the payload section starting with <SCRIPT Language=VBScript>
In order to make your game available again, we need you to fix this so that the game files you are delivering to Steam customers does not include that script.
Your quick attention to this would be appreciated.
The payload is at the very end of “index.html†which is located in an .ns package; when the game is launched nw.exe will extract this package and the virus scanner flags it.
However, the payload is visible in this file even without a virus scanner. Also worth noting that a virus scanner will probably not catch the file during a normal scan since it’s packaged in a non-standard archive.
Here is the index.html file we pulled from matrino’s VM. You can clearly see the payload at the bottom of the file. pastebin.com/0TZGCPnp