[Caution] Ransomware-typed malicious file disguised as a Diablo 3

1. Introduction

INCA Internet response team detected malicious Ransom-ware disguised as Diablo 3 related file. Ransomware comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Ransomware typically propagates as a conventional computer worm, entering a system through, for example, a vulnerability in a network service or a downloaded file. The program will then run a payload which will begin to encrypt personal files on the hard drive.

Ransomware :

Ransomware (also referred to in some cases as cryptoviruses, cryptotrojans or cryptoworms) comprises a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed.

2. Malicious file info

Diablo III is a dark fantasy/horror-themed action game by Blizzard Entertainment. Before its release, the game broke several presale records and became the most pre-ordered PC game of all time on Amazon.com. With popularity of this game, malicious attackers are using this game for spreading malicious files.

The name of this malicious file is "Diablo_III.exe" same as real Diablo's file. It copies itself in Application Data folder.

Upon executed malicious file, it changes registry to be executed on reboot and blocks to open Windows Task Manager. It changes OS background image and disturbs normal use.

HKLM\Software\Microsoft\Active Setup\Installed Components\{Gusfa7ep-lUCJ-Ed2r-Yvs8-fYwL6tnW7CxX}\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe /ActiveX
 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe
 HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: %Appdata%\Diablo_III.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: %Appdata%\Diablo_III.exe,%WinDir%\System32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: %Appdata%\Diablo_III.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: %Appdata%\Diablo_III.exe,%WinDir%\System32\userinit.exe,
 DisableTaskMgr = "1"

Furthermore, it can change PC's name and OS version name.

hxxp://galbbza.com/partner2/universalpanel/gate.php?hwid=4281525696&pc=COMPUTERNAME&localip= XP Professional x32

Following figure is a case of disguised as GVU or official web site of Gesellschaft zur Verfolgung von Urheberrechtsverletzungen( German association that investigates cases of software, music, and motion picture copyright infringement)


Due to malicious file, following run screen will be shown. All input devices will be blocked except field for input code. To get code, victims need to pay 50EURO.

Various types of ransomware have been spread. The most popular technique is disguising as sent from a police or public institutions. It says that victim's PC was infected malicious behaviors and did illegal behaviors. User must need to pay in 24 hours, otherwise it will format all data in HDD.

Following figure is a page for ransomware.

3. Summary

These malicious files have been spread via hacked overseas web site and use MS OS/Office, Adobe Flash Player/Reader, and JAVA exploit. To use PC safely from security threats of these malicious attachments, we recommend you download latest security updates and obey following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function "ON"
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs responding system against various security threats.