SophosLabs received an unusual file today in the form of a supposed game installer called Project: Snowblind.
Project: Snowblind is a multi-player first-person shooter (in the same genre as Doom) released by Eidos Interactive a few years ago.
Upon running the application, the installer nonchalantly displays the usual setup information, complete with a EULA (screenshot of the installer and EULA not reproduced here):
Everything looks good so far, correct?
A closer examination reveals that the installation program comes with a nefarious little piece of malware (detected by Sophos as W32/Rbot-GXL) that drops a file called vghhost.exe. This file is in fact a network worm as well as an IRC backdoor Trojan.
As is typical of IRC bot worms, it includes the standard "bot package", which gives an external intruder remote access to the infected computer in order to capture the screen, log information, perform port scanning and set up a proxy server on the infected host. It also attempts to spread to other machines on the network by performing a weak-password attack or by exploiting the LSASS vulnerability (MS04-011).
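The behaviour described above (an installer that drops and launches a second executable) is visible in process-creation telemetry. The following is an added example, not Sophos code, of a hunt over constructed process-creation events in a simple key=value format; the only page-derived indicator is the dropped filename vghhost.exe, while the "installer spawning an executable from a system directory" heuristic, the field names and the sample paths are assumptions for illustration.

```python
"""Hunt for a trojanised installer dropping a bot (added example, not Sophos code).

Input is a constructed list of Windows process-creation events. Real telemetry
(Sysmon, EDR) would be mapped onto the same fields: pid, ppid, image.
"""
import re
from typing import Dict, List

# Constructed sample events: a game installer that launches the real game
# executable, and the same installer dropping vghhost.exe into System32.
SAMPLE_EVENTS = [
    'time=2006-03-01T10:00:01 pid=1200 ppid=900 image="C:\\Users\\u\\Downloads\\Snowblind_Setup.exe"',
    'time=2006-03-01T10:00:05 pid=1300 ppid=1200 image="C:\\Program Files\\Snowblind\\snowblind.exe"',
    'time=2006-03-01T10:00:06 pid=1310 ppid=1200 image="C:\\Windows\\System32\\vghhost.exe"',
]

# Filename taken from the write-up; extend with other names as they become known.
KNOWN_DROPPED_NAMES = {"vghhost.exe"}

# Assumption: a game installer has no business launching new binaries from here.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

EVENT_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse key=value pairs; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in EVENT_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_installer(image: str) -> bool:
    """Heuristic (assumption): installer binaries carry 'setup' or 'install' in their name."""
    name = basename(image)
    return "setup" in name or "install" in name


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per matched rule and process."""
    events = [parse_event(line) for line in lines]
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict[str, str]] = []
    for e in events:
        image = e["image"]
        # Rule 1: the dropped file named in the write-up.
        if basename(image) in KNOWN_DROPPED_NAMES:
            findings.append({"rule": "known_dropped_file", "pid": e["pid"], "image": image})
        # Rule 2: an installer spawning an executable from a system directory,
        # i.e. the dropper behaviour, independent of the filename.
        parent = by_pid.get(e["ppid"])
        if parent and is_installer(parent["image"]) and image.lower().startswith(SYSTEM_DIRS):
            findings.append({"rule": "installer_spawned_system_exe", "pid": e["pid"], "image": image})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f'{finding["rule"]}: pid {finding["pid"]} {finding["image"]}')
```

Rule 2 matters more than rule 1 in practice: the dropped filename changes between samples, whereas "an installer launched something from System32" is a behaviour the legitimate game setup never exhibits, so it keeps catching repackaged variants.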
These days, to the uninitiated, it can be difficult to distinguish a legitimate piece of software from a malware sample. When downloading from the web, running a downloaded file or visiting a website, it always pays to pause and think. Be vigilant, practise safe web surfing habits, and regularly update your operating system with software patches and keep your anti-virus software up to date.
If you need to download legitimate freeware games, please do so directly from reputable websites or from the game publisher's website (where possible).
Remember: the adage still holds true. If something seems too good to be true, it usually is.