We have become aware of a new malicious computer virus/worm, and wanted to let everyone know about some good practices to help keep your computer and RuneScape account safe. There's no need to panic, but there are some precautions you should take.
The reason we are mentioning this worm in particular is because we believe that one version of it may attempt to specifically steal RuneScape passwords by recording your key presses as you type, and sending them back to the worm owner.

The new worm is called Bubbles, but is also known as Ramex, Skipi and Pykspa. Bubbles can get on to a computer in two different ways. Either by being downloaded directly from a third party website, or by a user receiving and opening a file disguised as a web link in third party messaging programs.

The worm cannot be transmitted through playing RuneScape or using the RuneScape.com website.

The security of the RuneScape servers themselves is in no way affected by this, this worms affect users own computers, not our servers which are very well protected.

The best protection against malicious computer software is to stay vigilant and use an up to date anti-virus program.

For anyone who is not currently using an anti-virus program, we really recommend that you install one as soon as possible! In fact install one right now!

If you do have an anti-virus program installed but it is not up to date, please take the time to update it with the latest virus definitions now. Again don't delay!

Lastly, you should never accept files from unknown sources full stop. However pay extra special attention when using 3rd party messaging programs or email as it is very easy to accidentally download malicious software by following a link.

Globalled.

Very important information. Putting on the site as well asap.

- Greetz Glodenox

Yeah lol, this is some pretty old news. There are tons of viruses like this. Some not so smart people on RS still need a reminding though.

The discovery of the Bubbles worm has led to the discovery of more and more variants across the internet. While all have essentially the same methods of infection, not all simply block security programs. FSL has come across a variant of the Bubbles worm that is designed to steal any and all sensitive information from the victim's computer through the most devious method of all...keylogging!

It starts with an executable downloaded from a questionable website. This executable copies itself into the system32 directory of the victim PC, and these 4 files are copies of the main executable:



That's not all this worm does. It also looks for the game Runescape on the infected PC. Here's a screenshot taken from the main executable, pdo.exe:



For those not aware, Runescape is a MMO game whose target demographic is children, young teens, and teenagers in general. This worm is looking for not only "runescape", but a "RS PIN:" as well. Could this mean payment details? Or (more likely), could they be referring to the victim's PIN to their game bank? Whether its to simply loot your gold, or sell the PIN on illegal forums is unknown. That's not even the scariest part of this infection. It also logs everything the victim does on the infected PC, storing all logged information to a file in the system32 directory called syswinf32.dll.



Syswinf32.dll stores extremely sensitive information monitored from the infected PC.

The above picture is just a sample of what was found in the .dll file. It shows applications that have run, any action taken within the application, any text typed, and any websites visited. Now that it's effectively stealing every piece of information on the victim PC, it's time for the worm to spread to every Skype contact.



Now this worm starts looking familiar. This is the exact same behavior we observed in the original Bubbles worm. When you put it all together what do you get? You get a worm/keylogger that spreads through skype contacts and targets the teenagers that play Runescape. Combine that with the big juicy MAILTO: in the main executable file and you have yourself a wonderful recipe for potential identity theft.

Research Summary Write-Up: Chris Mannon, Senior Threat Researcher
Additional Research: Deepak Setty, Senior Threat Researcher

Posted by Chris Mannon on September 19, 2007 01:33 PM | Permalink