The video appears to be a simple protest cartoon packaged in an executable file. But the 'Race for Tibet' movie also contains a piece of key-logging malware that installs itself as a driver.
The cartoon shows a Chinese gymnast performing in an event along with images from the recent riots and government crackdowns in Tibet. The user is then urged to join a 'race for Tibet' protest.
McAfee researcher Patrick Comiotto warned that the movie initially infects the user with a malicious driver. The file is installed in the '%windir%/system32/' driver folder under the name 'dopydwi.sys'.
The file then proceeds to create a .dll file that logs keystrokes which are later uploaded to a server in China.
The cartoon is the latest in a series of attacks that have tried to take advantage of the recent events in Tibet and the upcoming Olympic games in Beijing.
Malware-laden fake petitions and press releases were sent out to pro-Tibet groups in early March following initial rioting in the region.
By last week, the Trojan involved in those attacks was linked to a larger series of SQL website attacks.
Piggybacking on current events has become a common social-engineering tactic for malware distributors.
Events ranging from the Virginia Tech shootings to the execution of Saddam Hussein have been exploited by hackers to infect unwitting users.
Malware writers cash in on Olympics
By Shaun Nichols on Apr 16, 2008 7:45AM