
When You Download World of Warcraft but .torrent File Is Fake, You End Up with PUAs


We all know about the dangers of torrents and pirated software. Nonetheless, there are still successful malicious campaigns that rely on popular torrent websites [and less educated users]. Such a campaign was just spotted by Symantec [which just acquired Blue Coat, but that’s food for another thought].

The security firm has spotted and analyzed fake torrents with names of popular games like Assassin’s Creed Syndicate, World of Warcraft: Legion and The Walking Dead: Michonne, which actually download potentially unwanted applications (PUAs, or PUPs). Furthermore, it is suspected that the campaign takes advantage of legitimate affiliate pay-per-install programs. Be careful with .torrent files, and analyze them before proceeding with the download.

You Know What a PUA Is, Right?

It’s the kind of suspicious software that makes your system vulnerable to a variety of security issues. PUAs or PUPs (potentially unwanted programs) can impact the system and its performance in many ways. Some PUP installations require user interaction. However, some unwanted apps can be more intrusive and can install silently, without the user’s awareness. This is not the case with the .torrent file involved in this particular operation.

Potentially unwanted programs can be bundled with other software (carefully go through the installation process to uncheck added software) or, in this case, can come through a fake .torrent file download.

When .torrent Is Fake: World of Warcraft: Legion and Other Popular Games Abused to Lure Users

Here is a list of popular games that are being abused in this malicious campaign:

  • World of Warcraft: Legion (Blizzard Entertainment)
  • Assassin’s Creed Syndicate (Ubisoft)
  • The Witcher 3: Wild Hunt (CD Projekt)
  • Tom Clancy’s The Division (Ubisoft)
  • Just Cause 3 (Square Enix)
  • The Walking Dead: Michonne (Telltale Games)

Users who are tricked into the scheme think they are downloading a .torrent file for one of the games mentioned above. If they proceed with the download, they are given specific directions on how to continue with the installation. A User Account Control (UAC) security dialog is then displayed, requesting confirmation for the download to be executed. If the user agrees, a redirection starts and the user ends up downloading an executable hosted on Google Drive. Fortunately, Google has identified some of the malicious downloaders.

How to Spot the Irregularities with the .torrent File?


The very first thing that will catch a trained eye is that the promised .torrent file is an .exe. According to VirusTotal, the .exe in question is video_chto_takoe_starenie(.)exe. The file’s size is another indicator: at 3.5 MB, it is too big for a torrent file.
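Both irregularities can be checked before a downloaded file is ever opened: a genuine .torrent is a small bencoded dictionary containing an "info" key, while a Windows executable starts with the bytes "MZ". The following Python is an added example, not code from this article or from Symantec; the 2 MiB size threshold, the function names and the sample byte strings are assumptions made for illustration.

```python
MAX_TORRENT_BYTES = 2 * 1024 * 1024  # assumed heuristic; metadata files are small

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list / dictionary
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)             # raises at end of input
            items.append(value)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dictionary key without value")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        start = data.index(b":", i) + 1
        end = start + int(data[i:start - 1])
        if end > len(data):
            raise ValueError("truncated string")
        return data[start:end], end
    raise ValueError("not bencoded")

def triage(name, data):
    """Return a list of reasons the file does not look like a real .torrent."""
    findings = []
    if data[:2] == b"MZ":
        findings.append("starts with MZ: Windows executable header")
    if not name.lower().endswith(".torrent"):
        findings.append("extension is not .torrent")
    if len(data) > MAX_TORRENT_BYTES:
        findings.append("unusually large for torrent metadata")
    try:
        meta, end = bdecode(data)
        valid = isinstance(meta, dict) and b"info" in meta and end == len(data)
    except (ValueError, TypeError, RecursionError):
        valid = False
    if not valid:
        findings.append("not a bencoded metainfo dictionary")
    return findings

# Constructed samples: a minimal valid metainfo file and a PE-like stub.
GOOD = (b"d8:announce22:http://tracker.invalid4:infod6:lengthi1024e"
        b"4:name8:game.iso12:piece lengthi16384e6:pieces20:" + bytes(20) + b"ee")
FAKE = b"MZ\x90\x00" + bytes(64)
print(triage("game.torrent", GOOD), triage("game_setup.exe", FAKE))
```

An empty list means none of the checks fired; it does not mean the content the torrent points to is safe.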

Symantec’s detection for the PUA (PUP) downloader is PUA.ICLoader!g3. Other detections include:

  • Bitdefender – Gen:Variant.Symmi.62307
  • Dr. Web – Trojan.InstallCube.987
  • ESET-NOD32 – Win32/Adware.ICLoader.MB
  • EmsiSoft – Gen:Variant.Symmi.62307 (B)
  • Kaspersky – not-a-virus:AdWare.Win32.ICLoader.afvc
  • McAfee – Artemis!164FBBB04F06
  • Microsoft – SoftwareBundler:Win32/ICLoader
  • TrendMicro – TROJ_GEN.R00XC0EDE16

Keep in mind that the PUP downloader may initiate POST requests to several remote locations hosting adware.

The downloader can also check for virtual environments and silently download more PUPs onto the victim’s system. The worst part is that the additional installation of PUPs doesn’t require user interaction, and no EULA is displayed that would let the user opt out. If you notice that your browser’s home page has changed, and browser shortcuts are either hidden or replaced with third-party browsers, your system has been invaded by adware and browser hijackers, and you should consider scanning it with anti-malware software.

How to Remove PUPs Brought by video_chto_takoe_starenie(.)exe

Since the PUA downloader may have brought many PUPs to your computer, the easiest way to detect and remove all of them is by installing and running an anti-malware program. This is the most secure way to make sure your system is clean. However, if your knowledge of removing unwanted programs is above average, you can also try to fix your system and browsers manually by following the steps below.

Manually delete PUPs Brought by video_chto_takoe_starenie(.)exe from Windows and your browser

Note! Manual removal of the PUPs brought by video_chto_takoe_starenie(.)exe requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Remove or Uninstall PUPs Brought by video_chto_takoe_starenie(.)exe in Windows
2. Remove PUPs Brought by video_chto_takoe_starenie(.)exe from Your Browser
3. Fix registry entries created by PUPs Brought by video_chto_takoe_starenie(.)exe on your PC

Automatically remove PUPs Brought by video_chto_takoe_starenie(.)exe by downloading an advanced anti-malware program

1. Remove PUPs Brought by video_chto_takoe_starenie(.)exe with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against attacks related to PUPs Brought by video_chto_takoe_starenie(.)exe in the future
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
