Bogus Video Game Crack Leads to Rootkit

Matthew, one of our malware researchers at the AV Labs, came upon a MediaFire link on a YouTube account that purports to direct users to a site where a crack code for the video game Pro Evolution Soccer 2012 (PES 2012) (otherwise known as World Soccer: Winning Eleven 2012) can be downloaded.

click to enlarge

Of course, one doesn't need to go hunting for a YouTube page for the URL. Here it is: http://www(dot)mediafire(dot)com/?i1o0fsa9t5gvpld.

Users visiting the page can readily download and extract the compressed file Pro Evolution Soccer 2012 Keygen. In it are three files: an HTML file, a text file, and another compressed file, which contains the key generator application. The text file doesn't actually contain the password it claims to have. Instead, it contains a shortened URL users must visit to get the password from.

click to enlarge

http://tinyurl(dot)com/64ad4m is actually http://lnkgt(dot)com/7RM, a survey page that users must answer before their password is given to them.

click to enlarge

Unfortunately, after users fill in the survey, gets the password to be used to run the keygen, they inevitably end up installing malware on their systems. Not just any malware; it's a rootkit: ZeroAccess, a sophisticated rootkit known for overwriting critical OS files. Luckily, almost all AV vendors detect this one. Take a look.

Do note that the MediaFire URL is also mentioned on other website platforms that allow the embedding of video clips (such as the one below).

click to enlarge

The more the URL is out there, the more likely someone can and will install the rootkit onto their systems. Stay safe, everyone!

Jovi Umawing (Thanks, Matthew)