New breed of worm steals gaming passwords

June 23, 2008 – 8:11 AM

A new generation of malware that hunts for passwords to online games has emerged, and its success rate is stunning. Last Patch Tuesday, Microsoft added detection for two contaminants, Taterf and Frethog, to its Malicious Software Removal Tool (MSRT). The results reported back to Redmond surprised even Microsoft’s malware specialists, who thought they had already seen it all.

On the first day alone, MSRT removed Taterf from 700,000 systems. By comparison, in the entire first month after signatures for the Storm worm were added to the tool, only half that number of computers were found to be infected with the infamous botnet client. Online games such as Lineage Online and Legend of Mir are especially popular in the Far East, and according to MSRT statistics half a million of the infected systems were in China alone. But World of Warcraft and Valve’s Steam client are popular in the Western Hemisphere too: Spain, with 230,000 infected systems, came third.

Microsoft says that worms such as Taterf spread by copying themselves onto every drive they find and dropping an autorun.inf file there. But contrary to the description on Microsoft’s Threat Research & Response Blog, you cannot be infected simply by inserting an infected USB stick into a Windows system. USB sticks and MP3 players generally register with the system as DRIVE_REMOVABLE, for which autorun is disabled by default in XP. The autorun.inf can, however, still add an arbitrarily titled default entry such as “Show me these awesome pictures” to the AutoPlay dialogue that opens automatically. The user does have to confirm this action manually, although that does not seem to have presented much of an obstacle to the spread of the worms so far.

Microsoft describes on its support web site how to disable autorun from CDs under XP; this requires a registry change. Vista lets you make the change from the Control Panel. To disable AutoPlay as well, for even greater safety, a group policy is needed in addition to the registry change.
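The autorun.inf mechanism described above, together with the registry mask behind the change Microsoft’s support article calls for, as an added example that is not part of the original article and is neither Microsoft’s code nor the worms’ own: a small Python triage script that parses a constructed autorun.inf written in the style the text describes, reports which entries would execute code or plant a chosen label in the AutoPlay dialogue, and checks a NoDriveTypeAutoRun bitmask. The sample file, the key names, the bit values and the 0x91 default are my assumptions from general Windows knowledge (the article itself does not name the registry value). The mask is only one of Windows’ gates: a clear bit does not by itself mean the file runs unprompted on a DRIVE_REMOVABLE volume under XP, where, as the text says, the user is asked first.

```python
"""Triage autorun.inf files and check NoDriveTypeAutoRun masks.

Added example; not code from the original article, from Microsoft, or
from the worms it describes. The sample autorun.inf below is constructed.
"""
import re

# Bits of the NoDriveTypeAutoRun registry mask. Assumption: bit values and
# the 0x91 default come from general Windows knowledge, not from the article.
# A SET bit disables AutoRun for that GetDriveType() class.
DRIVE_TYPE_BITS = {
    "DRIVE_UNKNOWN": 0x01,
    "DRIVE_NO_ROOT_DIR": 0x02,
    "DRIVE_REMOVABLE": 0x04,
    "DRIVE_FIXED": 0x08,
    "DRIVE_REMOTE": 0x10,
    "DRIVE_CDROM": 0x20,
    "DRIVE_RAMDISK": 0x40,
}
XP_DEFAULT_MASK = 0x91    # assumption: unknown + network + reserved bit 0x80
ALL_DISABLED_MASK = 0xFF  # every bit set: AutoRun off for all drive types

# Constructed sample in the style the article describes: an executable
# tucked into a folder, plus an AutoPlay label chosen to tempt a click.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=RECYCLER\setup.exe
shellexecute=RECYCLER\setup.exe
shell\Auto\command=RECYCLER\setup.exe
shell=Auto
action=Show me these awesome pictures
"""

EXEC_KEYS = ("open", "shellexecute")
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun_inf(text):
    """Minimal INI parser: {section: {key: value}} with section and key names
    lower-cased (Windows treats them case-insensitively); the last value wins
    for duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections


def assess_autorun_inf(text):
    """Return one finding per entry that would execute code or plant a chosen
    label in the AutoPlay dialogue. An empty list means the file carries only
    cosmetic keys such as icon= or label=."""
    findings = []
    autorun = parse_autorun_inf(text).get("autorun")
    if autorun is None:
        return findings
    for key, value in autorun.items():
        if key in EXEC_KEYS or VERB_COMMAND_RE.match(key):
            findings.append(f"{key}= runs {value!r}")
    if "shell" in autorun:
        findings.append(
            f"shell={autorun['shell']!r} makes that verb the default action "
            "when the drive is double-clicked in Explorer")
    action = autorun.get("action")
    if action and any(k in autorun for k in EXEC_KEYS):
        findings.append(
            f"AutoPlay entry labelled {action!r} executes the open= target")
    return findings


def mask_blocks_autorun(mask, drive_type):
    """True if the mask has the bit for this drive type set, i.e. the mask
    alone stops autorun.inf from being honoured for it. Windows has further
    gates (the article: XP does not run open= unprompted on DRIVE_REMOVABLE),
    so a clear bit does not by itself mean unprompted execution."""
    return bool(mask & DRIVE_TYPE_BITS[drive_type])


def types_left_open(mask):
    """Drive types the given mask does not cover."""
    return [t for t, bit in DRIVE_TYPE_BITS.items() if not mask & bit]


def disable_cdrom_autorun(mask):
    """The XP change the article refers to, expressed on the mask: keep the
    existing bits and additionally switch AutoRun off for CD-ROM drives."""
    return mask | DRIVE_TYPE_BITS["DRIVE_CDROM"]


if __name__ == "__main__":
    for finding in assess_autorun_inf(SAMPLE_AUTORUN_INF):
        print("-", finding)
    print("XP default mask leaves open:", types_left_open(XP_DEFAULT_MASK))
    print("CD-ROM disabled:", hex(disable_cdrom_autorun(XP_DEFAULT_MASK)))
    print("0xFF leaves open:", types_left_open(ALL_DISABLED_MASK))
```

Run against the constructed sample, the script reports the three execution entries, the default verb, and the tempting AutoPlay label; against a file that only sets an icon and a volume label it reports nothing, which is the distinction a responder wants when sweeping USB sticks after an MSRT hit.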

