Dangerous Games

10 Oct 2002
Virus News


The Internet worm "Fleming" has been detected stealing registration information from computer games. Kaspersky Lab, an international data-security software developer, announces the detection of a multi-component malicious program spreading itself via the popular Windows (.NET) Messenger program. The harmful code contains a "trojan" that hijacks registration information from the computer games Counter-Strike and Half-Life. Fleming also tries to download and launch other mal-intended programs from the Internet. At this time multiple infections have been registered. The Fleming Internet worm is a 32-bit Windows application (.exe file) with a size of 53,248 bytes and written in Visual Basic. The worm spreads via the Windows (.NET) Messenger Internet chat program that is built into Windows XP. The worm circulates a message written in English that proposes recipients download a program supposedly developed by the message's author. The message appears as follows: Fleming does not install itself into the system and is triggered into action only if users launch its code (for example, double-clicking on the program icon in Windows Explorer). When launched, Fleming attempts to download two files from the Internet site "http://home.no.net/downl0ad/". The names and save locations of these two files are:
C:\update35784.exe
C:\hehe2397824.exe
Next the worm connects with Windows (.NET) Messenger and waits for incoming messages. When it receives certain messages from the user "styggefolk@hotmail.com", Fleming sends out a reply containing registration information (CD-Keys) from Counter-Strike and Half-Life. Fleming also finds the Windows (.NET) Messenger contact list and sends its message to each entry.