Writing about the Neopets phish yesterday made me wonder if there are other scams out there targeting Neopets users (it wouldn’t be the first time). Sure enough, a quick scout around sites such as YouTube and…
Oh dear. A number of files are being promoted on forums and video sharing sites just like the one above (which was uploaded only two days ago), all of which are claiming to be the above “Paintbrush Generator”.
In Neopets, magic paintbrushes are incredibly rare items that can change the colour of your Neopet. These items can sell for absolutely insane amounts of Neopoints (the official in-game currency), and children will happily run a program such as the one above in order to get their hands on said paintbrush.
The problem is that none of these programs are real, and all of them will contain an infection file designed to target the parent whose PC the child happens to be using. Keyloggers, rootkits and Trojans are the order of the day. As you’ve probably guessed, this isn’t real:
Let’s assume our victim fires up the program and see how quickly something can go wrong:
An .exe called “Crypted” appearing in the Temp Folder? I think we can safely say things have gone wrong very quickly. Having a look through the file throws up some interesting finds:
The above text has appeared in the strings of many infection files, such as this one. Additionally, the code is packed with references to passwords and one or two GUIDs related to passwords too. If you happen to be running VIPRE then you’ll be protected:
Detections are good across the board for this particular infection file (36/42 detection rate on VirusTotal), but I imagine there will be a lot of variations on this over the next week or so until the people making these get bored and move on to something else.
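The triage shown above (a new executable in the Temp folder, then a look through its strings) can be sketched as follows. This is an added example, not part of the original post or any vendor tool; the keyword list, the one-hour window, the file name and the sample bytes are constructed assumptions.

```python
import os
import re
import tempfile
import time

# Assumed keyword list; the post only says the strings held "references to passwords".
KEYWORDS = (b"password", b"passwd", b"keylog")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")  # UTF-16LE text, common in Windows binaries

def is_pe(data):
    """True for a DOS 'MZ' header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"

def password_strings(data):
    """Printable runs (ASCII and UTF-16LE) that mention one of KEYWORDS."""
    runs = ASCII_RUN.findall(data)
    runs += [w.replace(b"\x00", b"") for w in WIDE_RUN.findall(data)]
    return sorted({r.decode("ascii") for r in runs if any(k in r.lower() for k in KEYWORDS)})

def triage_temp(temp_dir, max_age=3600):
    """Map each recently modified PE file under temp_dir to its password-related strings."""
    found = {}
    for root, _dirs, names in os.walk(temp_dir):
        for name in names:
            path = os.path.join(root, name)
            try:
                if time.time() - os.path.getmtime(path) > max_age:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read(16 * 1024 * 1024)  # cap the read per file
            except OSError:
                continue  # locked or vanished files are normal in Temp
            if is_pe(data):  # extension is ignored: dropped files are often renamed
                found[path] = password_strings(data)
    return found

def constructed_sample():
    """Constructed, inert bytes with a minimal MZ/PE header; not a real sample."""
    header = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    return header + b"\x01\x02StoredPasswords\x00\x03" + "LoginPassword".encode("utf-16-le")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Crypted.exe"), "wb") as fh:
            fh.write(constructed_sample())
        print(triage_temp(d))
```

Point `triage_temp` at the real Temp directory (for example `tempfile.gettempdir()`) right after an untrusted program has run; a hit is a reason to scan the file, not a verdict on its own.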
In the meantime, if your children play Neopets you might want to sit them down, show them the screenshot of the “Paintbrush Generator” and advise them that these programs never, ever work and should be avoided at all costs. Additionally, directing them to the Neopets Security Page is probably also a good idea.