Removal of add-on from Add-on Store: Weather_Plus (Potential Trojan)
NVDA Screen Reader Discussion
Hi all,
We have removed the Weather_Plus add-on from the Add-on Store today. This is due to a DLL file it contained, that was flagged as malicious by VirusTotal. This add-on including the DLL file has been scanned in the past, and previously not flagged. This is a recent detection from Malwarebytes and other vendors.
The DLL appears to be a commonly used DLL file for sound effects but the behaviour and signatures do not match official versions of it. We believe the add-on author was not aware of this, as there was no indication of suspicious behaviour until now. We will be reaccepting the add-on if the official latest versions of the DLL are used instead of the current version.
We encourage anyone to have installed this add-on to remove it, and perform a virus scan. As Malwarebytes are the main vendor which detected it, they might be your best option. I would also mention that there is always a chance of a false positive, but this file is highly suspicious, and a much safer version is available.
For more detail, here is an AI summary of the VirusTotal analysis:
The Verdict: Highly Suspicious / Malicious
A legitimate DLL (Dynamic Link Library) designed purely for playing sound effects should only interact with audio hardware APIs (like DirectX, WASAPI, or OpenAL), read audio file formats (like .wav or .mp3), and communicate with the parent application.
However, this sandbox report reveals behaviors that are entirely unrelated to audio processing. Instead, they align perfectly with malware evasion, persistence, and unauthorized system access.
Key Red Flags Found in the Sandbox Report 1. Process Hijacking & Evasion Techniques
- The Behavior: The DLL attempts to look for a debugger, runs anti-analysis checks, or injects code into other system processes (like explorer.exe or svchost.exe).
- Why it's suspicious: Real sound libraries do not care if they are being monitored by an analysis environment, nor do they need to inject code into other Windows processes. Malware uses code injection to hide inside legitimate Windows processes to bypass antivirus detection.
- The Behavior: When executed (usually via rundll32.exe), the DLL spawns unexpected child processes such as cmd.exe, powershell.exe, or schtasks.exe (Scheduled Tasks).
- Why it's suspicious: A sound effect library has no legitimate reason to open a command line shell or execute background system scripts. This is a classic indicator of a dropper or a downloader executing arbitrary payloads.
- The Behavior: The report highlights external network connections—either outbound TCP/UDP traffic, DNS requests to unusual domains, or HTTP/HTTPS requests to remote IP addresses.
- Why it's suspicious: Unless a sound engine is streaming audio directly from a specific, well-known official server (like an online game asset server), it should operate completely offline. Connecting to unknown external servers suggests it is reaching out to a Command and Control (C2) server to download further malware or exfiltrate data.
- The Behavior: The DLL creates or modifies files outside of its execution folder (e.g., in %AppData%, %Temp%, or C:\Windows\System32) and alters Windows Registry keys related to Startup or Run commands.
- Why it's suspicious: Sound plugins do not need to establish persistence (making sure they run every time the computer boots up). This behavior is characteristic of spyware, trojans, or ransomware establishing a foothold on your system.
Understanding the Tactic: DLL Sideloading
It is very common for threat actors to name a malicious file after a well-known sound library (e.g., fmod.dll, bass.dll, miles.dll, or xaudio2_7.dll) and place it in the same directory as a legitimate application or game.
When the legitimate program launches, it blindly looks for the sound DLL in its own folder first before checking the system folders. It ends up loading the malicious DLL instead—a technique known as DLL Sideloading.
Recommended Next Steps
- Do Not Execute the Parent Application: If this DLL came packaged with a game, crack, patch, or software utility, do not run the main executable, as it is designed to trigger this malicious DLL.
- Quarantine or Delete: Remove the file and its associated directory immediately.
- Run a Full System Scan: Use a robust, updated security solution (such as Microsoft Defender, Malwarebytes, or another trusted antivirus) to perform a full system scan, as the sandbox indicates the file attempts to alter system files or establish persistence.
- Check for Persistence: Review your startup apps (via Task Manager) and Scheduled Tasks to ensure no unusual scripts or programs were left behind to run automatically.
NVDA Screen Reader Discussion
Sarah Alawami
thanks for the heads up. I would remove it but I'm getting an error which states that the add on failed to uninstall when I reboot nvda. I'm not sure what's going on and 'm not sure of what next steps to take. I've never had an add on fail to uninstall before. All ti says is see the log for more details.
thanks.
--
***
Please note: the NVDA project has a Citizen and Contributor Code of Conduct.
NV Access expects that all community members will read and abide by the rules set out in this document while participating in this group.
https://github.com/nvaccess/nvda/blob/master/CODE_OF_CONDUCT.md
You can contact the group owners and moderators via nvda-user...@nvaccess.org.
---
You received this message because you are subscribed to the Google Groups "NVDA Screen Reader Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nvda-users+...@nvaccess.org.
To view this discussion visit https://groups.google.com/a/nvaccess.org/d/msgid/nvda-users/1a27f516-c49a-423d-9eca-3621a58282cbn%40nvaccess.org.
Sean Budd
You can contact the group owners and moderators via nvda-users+managers@nvaccess.org.
---
You received this message because you are subscribed to the Google Groups "NVDA Screen Reader Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nvda-users+unsubscribe@nvaccess.org.
Gene Asner
I strongly think this occurrence demonstrates the need for a download option from the add-ons store. If people wish, they should be able to download add-ons if they want to test them for possible malware.
Then people could do things like scan an add-on with Virus Total. I don't know if the web site allows add-ons to be downloaded but it should as well.
Gene
You can contact the group owners and moderators via nvda-user...@nvaccess.org.
---
You received this message because you are subscribed to the Google Groups "NVDA Screen Reader Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nvda-users+...@nvaccess.org.
To view this discussion visit https://groups.google.com/a/nvaccess.org/d/msgid/nvda-users/71801c15-4953-4bec-ae62-62d49db1ea1bn%40nvaccess.org.
Sean Budd
The website is designed specifically as an interface to download add-ons however we still need to add the VirusTotal link to it.
In the meantime, the filehash or download URL can be used from the web interface to check the VirusTotal scan results.
To view this discussion visit https://groups.google.com/a/nvaccess.org/d/msgid/nvda-users/71801c15-4953-4bec-ae62-62d49db1ea1bn%40nvaccess.org.
NVDA Screen Reader Discussion
Please note the newly uploaded version Weather_Plus 10.8 has not been flagged with any issues with VirusTotal, and has replaced the concerning DLL.
Thanks Adriano for acting quickly in updating the add-on.