Microsoft warned of a second iteration of the malware: “We’ve seen a Harnig sample using the new release of Starcraft 2: Wings of Liberty to get malware-infected counterfeit versions of the game into users’ computers. Harnig is one of the most prevalent malware families. In Aug 2010 alone, more than 140,000 files were detected as Harnig.gen!P.”
The sample that we analyzed (SHA1: b5e2085c4f7554f53a406431aaea942da73d8b9e) uses a Starcraft 2 icon to trick the user into clicking on it. Once executed, it drops two files: “activa~1.exe”, detected as TrojanDownloader:Win32/Harnig.gen!P, and “sc2.exe”, an actual copy of the Starcraft 2 executable.
Besides Harnig, a few other threats disguise themselves as Starcraft 2 components in order to get into PCs. One is PWS:Win32/PWSteal.M (SHA1: a5fbdbb42488a3bab0687e4e3d7fe5e253c7a8c2), an AutoIT script compiled into a stand-alone executable that drops and runs various tools that gather credentials stored locally on your PC. Once it has gathered Steam account credentials and user names and passwords from IE, Firefox, FileZilla or MSN Messenger, it’ll email them back to the attacker.
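The two SHA1 values and the dropped file names above are the only indicators this report gives a defender to work with. The following Python script is an added example (not Microsoft's tooling and not code from the report) that turns them into a simple directory scan: it hashes every file under a root, flags any file whose SHA1 matches one of the published indicators, and separately flags a directory that contains the “activa~1.exe” plus “sc2.exe” pair the dropper writes. The sample tree it builds for the demo is constructed from placeholder bytes; the hash of the placeholder “dropper” is added to the indicator list only so the scan can be exercised offline.

```python
import hashlib
import os
import tempfile

# SHA1 indicators quoted in the report above.
PAGE_IOCS = {
    "b5e2085c4f7554f53a406431aaea942da73d8b9e": "TrojanDownloader:Win32/Harnig.gen!P (dropper)",
    "a5fbdbb42488a3bab0687e4e3d7fe5e253c7a8c2": "PWS:Win32/PWSteal.M",
}

# File names the dropper is reported to write; seeing both together is suspicious.
DROPPED_NAMES = {"activa~1.exe", "sc2.exe"}


def sha1_of_file(path, chunk=1 << 20):
    """Stream a file through SHA1 so large game binaries do not need to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, iocs=PAGE_IOCS):
    """Walk `root` and return a list of (path, reason) findings.

    Two checks are applied: an exact SHA1 match against `iocs`, and the
    presence of the dropped-file pair in a single directory.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        names_lower = {name.lower() for name in filenames}
        if DROPPED_NAMES <= names_lower:
            findings.append((dirpath, "dropper file pair activa~1.exe + sc2.exe present"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = sha1_of_file(path)
            if digest in iocs:
                findings.append((path, f"SHA1 match: {iocs[digest]}"))
    return findings


def build_sample_tree(root):
    """Create a constructed sample tree of placeholder bytes (no real malware).

    Returns an IoC map containing the SHA1 of the placeholder 'dropper' so the
    hash check has something to hit during the demo.
    """
    game_dir = os.path.join(root, "game")
    os.makedirs(game_dir, exist_ok=True)
    dropper = os.path.join(game_dir, "activa~1.exe")
    with open(dropper, "wb") as fh:
        fh.write(b"CONSTRUCTED-DROPPER-PLACEHOLDER")
    with open(os.path.join(game_dir, "sc2.exe"), "wb") as fh:
        fh.write(b"CONSTRUCTED-GAME-BINARY-PLACEHOLDER")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign text file")
    return {sha1_of_file(dropper): "constructed dropper placeholder (demo only)"}


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        iocs = dict(PAGE_IOCS)
        iocs.update(build_sample_tree(tmp))
        return scan_directory(tmp, iocs)


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{reason}: {path}")
```

Against a real machine, point `scan_directory` at the download and game install folders and leave `iocs` at the page's two hashes; the name-pair check is a weak heuristic on its own (a legitimate install has no reason to ship an 8.3-style “activa~1.exe”), so treat it as a prompt to pull the file for analysis rather than a verdict.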