Gaming Malware

Published: 2007-04-15
Last Updated: 2007-04-15 21:57:36 UTC
by Marcus Sachs (Version: 2)
0 comment(s)
A reader alerted us to new malware aimed at online gamers.  Over at Teamspeak (providers of a very popular voice communications program used by gamers) some users signed up for their discussion forums received an email like this:
-----Original Message-----
From: nospam@goteamspeak.com
Sent: Saturday, April 14, 2007 8:49 PM
To: <deleted>
Subject: New Team Speak Patch [Link Inside]

Now you can download new Team Speak patch. It will help you to use our
Team Speak servers.
We advise you to download it now
hxxp://www.goteamspeak.com/downloads/patch.exe
Many of our seasoned readers know where this is going.  Unfortunately many gamers are not as aware of computer-based social engineering tricks and very likely downloaded "patch.exe" without a second thought.  We downloaded the malware (it is no longer available, so happy hunting if you are looking for a sample) and ran it through VirusTotal.  The results were not encouraging.  The only hits we received were:

Antivirus	Version		Update		Result
CAT-QuickHeal	9.00		04.14.2007	(Suspicious) - DNAScan
ClamAV devel-20070312 04.15.2007 Trojan.Spy-4392
Fortinet 2.85.0.0 04.15.2007 W32/LdPinch.BEO!tr.pws
Ikarus T3.1.1.5 04.15.2007 Trojan-PWS.LDPinch.1607
Kaspersky 4.0.2.24 04.15.2007 Trojan-PSW.Win32.LdPinch.beo
Panda 9.0.0.4 04.15.2007 Suspicious file
Webwasher-Gtwy 6.0.1 04.14.2007 Win32.Malware.gen (suspicious)
Aditional Information
File size: 48640 bytes
MD5: 488b22114f1a08dc68a7e2cc34bf1d01
SHA1: 3da87252c917493e591c6ea222637910fff07a5e
There was some discussion a few hours ago in the TeamSpeak forums, but currently the forums appear to be offline.  We'll keep monitoring this and will post any updates if needed.

UPDATE (2157 UTC)  The forums are alive again.  Follow the link above to see what is being discussed.  There is a lot of speculation that the evil file was inserted due to vulnerabilities in TeamSpeak's forum software. 

Marcus H. Sachs
Director, SANS Internet Storm Center
Keywords:
0 comment(s)

Comments


Diary Archives