Gaming Malware
A reader alerted us to new malware aimed at online gamers. Over at TeamSpeak (providers of a very popular voice communications program used by gamers), some users who had signed up for its discussion forums received an email like this:
-----Original Message-----
From: nospam@goteamspeak.com
Sent: Saturday, April 14, 2007 8:49 PM
To: <deleted>
Subject: New Team Speak Patch [Link Inside]
Now you can download new Team Speak patch. It will help you to use our
Team Speak servers.
We advise you to download it now
hxxp://www.goteamspeak.com/downloads/patch.exe
Many of our seasoned readers know where this is going. Unfortunately many gamers are not as aware of computer-based social engineering tricks and very likely downloaded "patch.exe" without a second thought. We downloaded the malware (it is no longer available, so happy hunting if you are looking for a sample) and ran it through VirusTotal. The results were not encouraging. The only hits we received were:
Antivirus        Version         Update      Result
CAT-QuickHeal    9.00            04.14.2007  (Suspicious) - DNAScan
ClamAV           devel-20070312  04.15.2007  Trojan.Spy-4392
Fortinet         2.85.0.0        04.15.2007  W32/LdPinch.BEO!tr.pws
Ikarus           T3.1.1.5        04.15.2007  Trojan-PWS.LDPinch.1607
Kaspersky        4.0.2.24        04.15.2007  Trojan-PSW.Win32.LdPinch.beo
Panda            9.0.0.4         04.15.2007  Suspicious file
Webwasher-Gtwy   6.0.1           04.14.2007  Win32.Malware.gen (suspicious)
Additional Information
File size: 48640 bytes
MD5: 488b22114f1a08dc68a7e2cc34bf1d01
SHA1: 3da87252c917493e591c6ea222637910fff07a5e
There was some discussion a few hours ago in the TeamSpeak forums, but currently the forums appear to be offline. We'll keep monitoring this and will post any updates if needed.
UPDATE (2157 UTC) The forums are alive again. Follow the link above to see what is being discussed. There is a lot of speculation that the evil file was inserted due to vulnerabilities in TeamSpeak's forum software.
Marcus H. Sachs
Director, SANS Internet Storm Center