Windows 7 Forums

Windows 7: Microsoft Says Malware Plays Starcraft 2.

13 Sep 2010   #1

Win 7 Ultimate 64-bit. SP1.


Starcraft 2 is gaining popularity not only for gamers but also for malware writers. We wrote about Starcraft almost two months ago when it was first released. Now, apparently, it is also being used as part of a social engineering technique by a downloader family called Harnig. Harnig is employed by many other types of prevalent threats (Bubnix, FakeSpypro, Koobface) to download their malware into computers. We’ve seen a Harnig sample that is using the new release of Starcraft 2: Wings of Liberty to get malware-infected counterfeit versions of the game into users’ computers. Included in the Microsoft Malicious Software Removal Tool (MSRT) since October 2006, Harnig is one of the most prevalent malware families. In August 2010 alone, more than 140,000 files were detected as Harnig.gen!P.

The sample that we analyzed (SHA1: b5e2085c4f7554f53a406431aaea942da73d8b9e) uses the Starcraft 2 icon as bait, as you can see below, to trick the user into clicking on it.

Once it is executed, it drops two files. One named activa~1.exe arrives as an obfuscated file and is detected as TrojanDownloader:Win32/Harnig.gen!P. The other one is named sc2.exe and is an actual copy of the Starcraft 2 executable.

Once we get through the decryption routines we can easily see that it tries to download additional software from and, which both point to the same IP address.

A quick look over the registration information for shows that it was registered in January 2010, by a Chinese registrar (BIZCN.COM, INC.) and it is currently hosted in Russia by Two other domains ( and resolve to the same IP address as Both of these are known to host malware.

Besides Harnig, a few other threats disguise themselves as Starcraft 2 components in order to get into users’ computers. One example is PWS:Win32/PWSteal.M (SHA1: a5fbdbb42488a3bab0687e4e3d7fe5e253c7a8c2). It doesn’t have the same icon as the original sc2.exe file, but nevertheless the idea is similar.
More - Malware Plays Starcraft 2 - Microsoft Malware Protection Center - Site Home - TechNet Blogs

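Added example, not part of the original post or the Microsoft write-up: a small triage routine that flags a process either by the two SHA1 values quoted above or by the drop pattern described (two executables written together, one with an 8.3-style name such as activa~1.exe). The event record layout, the 10-second window, the file paths and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# SHA-1 values quoted in the post above.
KNOWN_SHA1 = {
    "b5e2085c4f7554f53a406431aaea942da73d8b9e": "Harnig dropper sample",
    "a5fbdbb42488a3bab0687e4e3d7fe5e253c7a8c2": "PWS:Win32/PWSteal.M",
}
# 8.3-style short name such as activa~1.exe (the name given in the post).
SHORT_NAME = re.compile(r"^[^\\/~]{1,6}~\d\.exe$", re.IGNORECASE)
WINDOW_SECONDS = 10  # assumed burst window, tune for your telemetry


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def find_droppers(events):
    """Flag processes by known hash or by a burst of dropped .exe files.

    events: hypothetical file-creation records with keys
    ts (seconds), pid, image_sha1, target (path of the created file).
    """
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["pid"], e["image_sha1"].lower())].append(e)
    findings = []
    for (pid, sha1), evs in sorted(by_proc.items()):
        reasons = []
        if sha1 in KNOWN_SHA1:
            reasons.append("known-hash")
        exes = sorted((e for e in evs if e["target"].lower().endswith(".exe")),
                      key=lambda e: e["ts"])
        for a, b in zip(exes, exes[1:]):
            pair = [basename(a["target"]), basename(b["target"])]
            if b["ts"] - a["ts"] <= WINDOW_SECONDS and any(map(SHORT_NAME.match, pair)):
                reasons.append("exe-burst:" + "+".join(pair))
                break
        if reasons:
            findings.append({"pid": pid, "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry; paths and hashes of 0s/1s are made up).
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4120, "image_sha1": "0" * 40, "target": r"C:\Users\a\AppData\Local\Temp\activa~1.exe"},
    {"ts": 101, "pid": 4120, "image_sha1": "0" * 40, "target": r"C:\Users\a\AppData\Local\Temp\sc2.exe"},
    {"ts": 200, "pid": 900, "image_sha1": "1" * 40, "target": r"C:\Program Files\App\setup.exe"},
    {"ts": 201, "pid": 900, "image_sha1": "1" * 40, "target": r"C:\Program Files\App\helper.exe"},
    {"ts": 300, "pid": 77, "image_sha1": "B5E2085C4F7554F53A406431AAEA942DA73D8B9E", "target": r"C:\Users\a\x.tmp"},
]
```

The name-pattern rule catches a repacked sample whose hash no longer matches, while the ordinary installer (pid 900) stays quiet because neither of its files has a short-name form.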
13 Sep 2010   #2
WiFi Ed

Windows 7 Enterprise x64 SP1, Ubuntu 11.04 x64

Oh man....the Queen of Blades ain't gonna like this...
15 Sep 2010   #3


I saw the title and I thought that Malware was a new name for children...

