Keeping Kerrigan from Infection

"Adun Toridas!"
Starcraft fans will recognize that as a famous line from the original Starcraft, which was released in 1998. Starcraft is a real-time strategy game that became a massive hit worldwide. Its sequel, Starcraft II: Wings of Liberty, is released today, the 27th of July. Players can install the game but can only activate their licenses from this day onwards. Surely most gamers out there (including us) are eager to get their hands on this new title, especially those who were fans of the first.
Here in the MMPC, we monitored this event because malware writers almost always attempt to take advantage of high-profile news, and this release is a prime example. Sure enough, we found samples that pretend to be Starcraft-related files but are actually malware.
For instance, "Starcraft_II.exe" (SHA1: ae648158b87d1513d2777ddb2233d3e83e2741c9) contains a file named "WinUpdate.exe", which is actually malicious and is detected as VirTool:Win32/VBInject.gen!DM. This is a generic detection for Visual Basic-compiled files that attempt to load other malware by injecting code into different processes.
Another interesting file we saw is "StarCraft.2.Wings.Of.Liberty.CLONEDVD-WW TRAINER.exe" (SHA1: fdaa5abd53256a3fb0ddca5d3dead622768b3ab2). We detect this file as Worm:Win32/Rebhip.A. After a bit of research, we found that it is available for download through the BitTorrent protocol. Worm:Win32/Rebhip.A is a worm capable of stealing sensitive information from your computer by logging keystrokes and gathering passwords.
Enjoy playing, as "we are vigilant" for any "nuclear launch malware detected."
--Andrei Saygo & Francis Tan Seng
