Worm targets Grand Theft Auto IV (and everything else)
British newspaper The Daily Mail recently ran a story on a new Trojan that apparently targeted the newly released videogame Grand Theft Auto IV, being offered as a pirate download. We set out to find a copy of this Trojan, which the story in the Daily Mail claimed was called Trojan-Downloader.Win32.VB.dck.
Logging on to the Gnutella network, we searched for anything related to GTA IV and quickly found several suspicious-looking downloads. We identified which sample was detected as Trojan-Downloader.Win32.VB.dck, the name reported in the Daily Mail. We were reassured to find this was already detected by Sophos as Mal/Generic-A. We have since given this malware specific detection as W32/Zipwire-A to provide more useful information to our customers.

In the above screenshot, the W32/Zipwire-A samples are all 113.3kb in size. Other results with obviously suspicious sizes, such as the 93.7kb one, are other malware. The malware itself was a zip file with an executable named Setup.exe inside. This was a Visual Basic program with some weakly encrypted strings. After a few minutes' work decrypting them and looking through, I hadn't found any references to Grand Theft Auto IV, but I had found some interesting code related to LimeWire.
It turns out that the sample is actually a worm, not a Trojan, that is fully capable of propagating itself over the Gnutella network by sharing itself. What’s more, it doesn’t actually target Grand Theft Auto at all. In fact, we also turned up samples of W32/Zipwire-A when searching for several other popular games, including Team Fortress 2 and Two Worlds. Again, these samples are the ones that are exactly 113.3kb in size.
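The tell-tale pattern described above, one identical archive being shared under many unrelated game names and holding nothing but a single Setup.exe, can be checked mechanically over a download folder rather than by eyeballing search results. The script below is an added example written for this post, not SophosLabs code or anything recovered from the worm: it groups archives by exact size and SHA-256, unpacks each zip's member list, and flags any identical payload seen under several share names that consists solely of one executable. The sample archives are constructed in memory with a harmless placeholder payload, so it runs offline.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# File extensions treated as "executable" when they are the only member of an archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat")


def build_archive(inner_name, payload):
    """Build a ZIP archive in memory with a fixed timestamp so identical
    inputs always give identical bytes (and therefore identical hashes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(inner_name, date_time=(2008, 5, 16, 0, 0, 0))
        zf.writestr(info, payload)
    return buf.getvalue()


# Constructed stand-in for the worm body: a fake MZ header plus filler. Not real malware.
PLACEHOLDER_PAYLOAD = b"MZ" + b"\x00" * 62 + b"hypothetical worm body for the example"

# Constructed sample "downloads", keyed by the share name seen on the P2P network.
# Three game titles map to one identical archive; the fourth is a benign control.
SAMPLE_DOWNLOADS = {
    "Grand Theft Auto IV.zip": build_archive("Setup.exe", PLACEHOLDER_PAYLOAD),
    "Team Fortress 2.zip": build_archive("Setup.exe", PLACEHOLDER_PAYLOAD),
    "Two Worlds.zip": build_archive("Setup.exe", PLACEHOLDER_PAYLOAD),
    "holiday_photos.zip": build_archive("photos/beach.jpg", b"\xff\xd8\xff" + b"\x00" * 500),
}


def inspect_archive(name, data):
    """Extract the features used for triage from one downloaded archive."""
    features = {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "members": None,           # None means the file is not a readable zip
        "lone_executable": False,  # True when the zip holds exactly one executable
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return features
    features["members"] = members
    features["lone_executable"] = (
        len(members) == 1 and members[0].lower().endswith(EXECUTABLE_SUFFIXES)
    )
    return features


def find_suspicious(downloads, min_names=2):
    """Group archives by (size, sha256) and report any identical payload that was
    offered under at least `min_names` different share names and contains only a
    single executable, which is the self-sharing worm pattern described in the post."""
    groups = defaultdict(list)
    for name, data in downloads.items():
        feats = inspect_archive(name, data)
        groups[(feats["size"], feats["sha256"])].append(feats)

    findings = []
    for (size, digest), feats_list in groups.items():
        names = sorted(f["name"] for f in feats_list)
        if len(names) >= min_names and all(f["lone_executable"] for f in feats_list):
            findings.append({
                "size": size,
                "sha256": digest,
                "share_names": names,
                "member": feats_list[0]["members"][0],
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_DOWNLOADS):
        print(f"{hit['size']} bytes, sha256 {hit['sha256'][:16]}..., "
              f"member {hit['member']}, shared as: {', '.join(hit['share_names'])}")
```

On a real download folder the dictionary would be filled by reading each file's bytes; the grouping key is deliberately both size and hash so that a payload re-packed with a different timestamp or padding shows up as a separate group rather than being silently merged.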
A little more digging in the executable turned up the reason for these share names — the worm actually picks names it thinks will be popular downloads, not by using any hardcoded list but by downloading pages from sites that index BitTorrent trackers. This is a novel technique and we can assume the reason Grand Theft Auto IV turned up in that list was because of the prevalence of illegal pirate copies on the torrent networks around the time of its release.
One of the sites trawled for popular names by the worm is shown below.
Slightly less novel is the IRC backdoor that forms part of W32/Zipwire-A, which is of the standard “join a channel and become a drone” variety.
This isn’t the first time we’ve seen malware that shares itself on peer-to-peer networks. Back in March we blogged about other malware that would return itself in search results, regardless of how ridiculous the search is. Again, as well as keeping your anti-virus software up to date, the best defence is not to trust illegal downloads in the first place.
Posted on May 16th, 2008 by Niall, SophosLabs UK
Filed under: General