Old 01-02-14, 04:00 PM   #1
Cairenn
Credendo Vides
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 6,892
Potential Trojan Account Threat

[Edit:] It seems it has been tracked down, and info provided on how to get rid of it:

Originally Posted by Kaltonis on Blizzard forums
To summarize for those of you that haven't read the green posts:

-The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there.

-At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that Ressie posted earlier in the thread.

-Thanks to Ressie's efforts, most security programs should be able to identify this threat shortly, if not by the time I type this.

-If you were compromised, follow the instructions here and we'll do our best to set everything right (as we always do).

-For those of you interested in these MitM style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!
Source: http://us.battle.net/wow/en/forum/to...92?page=10#189


[Original post:]
Blizzard Customer Support just posted an alert about a Trojan virus that can compromise accounts even with an authenticator. So far there is no easy way to remove it besides reformatting your system, but Blizzard has posted instructions on what to do if your account has been recently compromised.

Originally Posted by Blizzard
Hello,

We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection. The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them.

If your account has been compromised recently, I'd recommend looking for the Trojan. It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64". It will usually appear like this:

Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup

We are currently looking for more information on the Trojan. We have not been able to locate any anti-virus programs that will remove it besides just reformatting your system. If you have been recently compromised and find it on your system please reply with the following pieces of information.

Your MSInfo.
A list of any addons you recently installed along with where you got them.
A list of any programs you recently installed along with where you got them.
Any security programs you have run and their results.

Last edited by Cairenn : 01-03-14 at 01:32 PM.
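Added example (editor's code, not from the original post and not Blizzard's): a Python script that applies the check Blizzard describes to an msinfo32 text export. It walks the Startup Programs section and flags the Disker/Disker64 entries, and more generally any item that uses rundll32.exe to load a DLL out of a temp directory such as c:\users\name\appdata\local\temp, which is where the w_win.dll / w_64.dll payloads were dropped. The tab-separated [Startup Programs] layout is assumed from msinfo32's .txt export, and the sample export embedded in the script is constructed: the two Disker rows reproduce the lines quoted above, the third row is a benign entry for contrast.

```python
"""Triage the Startup Programs section of an msinfo32 text export.

Applies the check from the Blizzard post: look for startup items named
Disker/Disker64, and more generally for any item that uses rundll32.exe
to load a DLL out of a temp directory, which is where the
w_win.dll / w_64.dll payloads were dropped.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators quoted in the Blizzard post.
KNOWN_NAMES = {"disker", "disker64"}
KNOWN_DLLS = {"w_win.dll", "w_64.dll"}

# "rundll32.exe <path>.dll,<export>"; the path may contain spaces and may be quoted.
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?(?P<dll>.+?\.dll)\"?\s*,\s*(?P<export>\S+)", re.IGNORECASE
)
# A temp directory is writable without elevation; a persistence entry pointing
# there deserves a look regardless of the file name.
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


@dataclass
class StartupEntry:
    program: str
    command: str
    user: str
    location: str
    reasons: list[str] = field(default_factory=list)


def parse_startup_section(text: str) -> list[StartupEntry]:
    """Return the rows under '[Startup Programs]'.

    Assumes the tab-separated layout of an msinfo32 .txt export: a
    '[Startup Programs]' section header, a column header row
    (Program / Command / User Name / Location), then one row per item.
    """
    entries: list[StartupEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[startup programs]"
            continue
        if not in_section or not line:
            continue
        cols = [c.strip() for c in raw.split("\t")]
        if len(cols) < 4 or cols[0].lower() == "program":
            continue  # column header row, or a row we cannot interpret
        entries.append(StartupEntry(*cols[:4]))
    return entries


def assess(entry: StartupEntry) -> StartupEntry:
    """Record a reason for every indicator the entry trips."""
    if entry.program.lower() in KNOWN_NAMES:
        entry.reasons.append("startup name matches Disker/Disker64")
    m = RUNDLL_RE.search(entry.command)
    if m:
        dll = m.group("dll")
        if dll.rsplit("\\", 1)[-1].lower() in KNOWN_DLLS:
            entry.reasons.append(f"rundll32 loads a known payload: {dll}")
        if TEMP_DIR_RE.search(dll):
            entry.reasons.append(f"rundll32 loads a DLL from a temp directory: {dll}")
    elif TEMP_DIR_RE.search(entry.command):
        entry.reasons.append("startup command runs from a temp directory")
    return entry


def suspicious_entries(text: str) -> list[StartupEntry]:
    """Every startup item with at least one reason attached."""
    return [e for e in map(assess, parse_startup_section(text)) if e.reasons]


# Constructed sample export. The two Disker rows reproduce the lines from the
# Blizzard post; the third row is a benign entry for contrast.
SAMPLE_EXPORT = "\n".join([
    "[System Summary]",
    "Item\tValue",
    "OS Name\tMicrosoft Windows 7 Professional",
    "",
    "[Startup Programs]",
    "Program\tCommand\tUser Name\tLocation",
    "Disker\trundll32.exe c:\\users\\name\\appdata\\local\\temp\\w_win.dll,dw\tName-PC\\Name\tStartup",
    "Disker64\trundll32.exe c:\\users\\name\\appdata\\local\\temp\\w_64.dll,dw\tName-PC\\Name\tStartup",
    "Adobe Reader Speed Launcher\t\"C:\\Program Files (x86)\\Adobe\\Reader 11.0\\Reader\\reader_sl.exe\"\tPublic\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
])


if __name__ == "__main__":
    import sys
    # msinfo32 writes its .txt export as UTF-16; with no argument, use the built-in sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for e in suspicious_entries(text):
        print(f"{e.program} [{e.location}] {e.command}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run it as `python triage.py msinfo.txt` against a saved export. The temp-directory heuristic is deliberately broader than Blizzard's two names, so a hit that is not Disker/Disker64 is a prompt to look at the file, not a verdict; and a clean result only means this particular persistence method is absent.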
Old 01-02-14, 04:50 PM   #2
Resike
A Molten Giant
AddOn Author
Join Date: Mar 2010
Posts: 519
Jesus, how can people get trojans like this.
Old 01-02-14, 05:44 PM   #3
def9
A Chromatic Dragonspawn
AddOn Author
Join Date: Jan 2008
Posts: 190
For anyone that may not know how to create MSInfo as a file, Blizzard posted the information on battle net website. Look for obtaining system files under the support area to find the information. I'd post a direct link but if memory serves me correctly the forums rules ask us not to.
__________________
Krendis, level 90 Prot Paladin
Simkin level 90 Combat Rogue
Feldeemus, level 90 Frost Mage

Last edited by def9 : 01-02-14 at 05:47 PM. Reason: grammer
Old 01-02-14, 05:56 PM   #4
Cairenn
Credendo Vides
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 6,892
Originally Posted by def9 View Post
I'd post a direct link but if memory serves me correctly the forums rules ask us not to.
Which forums? Theirs or ours? If ours, no we don't, not when it's to an official (ie trustworthy) site.
Old 01-02-14, 06:04 PM   #5
Phanx
A Pyroguard Emberseer
AddOn Author
Join Date: Mar 2006
Posts: 3,951
Originally Posted by def9 View Post
For anyone that may not know how to create MSInfo as a file, Blizzard posted the information on battle net website. Look for obtaining system files under the support area to find the information. I'd post a direct link but if memory serves me correctly the forums rules ask us not to.
Here is the link with instructions on how to "create an MSInfo file" (what a misleading term, lol):
https://us.battle.net/support/en/art...g-system-files

The WoWI forum rules don't disallow posting links to informational pages, especially links to Blizzard's own website. What the rules do disallow is posting links to off-site downloads -- if you want to post an addon for other people to download, WoWI wants you uploading that addon to the site through the proper channels so it gets run through WoWI's malware scanner etc.
__________________
Author/maintainer of Grid, PhanxChat, ShieldsUp, and many more.
Troubleshoot an addon | Turn any code into an addon | More addon resources
Need help with your code? Post all of your actual code! Attach or paste your files.
Please don’t PM me about addon bugs or code questions. Post a comment or forum thread instead!
Old 01-03-14, 01:10 PM   #6
def9
A Chromatic Dragonspawn
AddOn Author
Join Date: Jan 2008
Posts: 190
Thanks for the clarification on acceptable links everyone. It also seems they've figured out the issue and our security programs are most likely already on board or will be soon.

Originally Posted by Kaltonis on Blizzard forums
[Same summary as quoted in the first post above.]
Source: http://us.battle.net/wow/en/forum/to...92?page=10#189

Last edited by Cairenn : 01-03-14 at 01:24 PM. Reason: Added link to official post ~ Cairenn
Old 01-03-14, 06:05 PM   #7
Phanx
A Pyroguard Emberseer
AddOn Author
Join Date: Mar 2006
Posts: 3,951
How on earth does anyone get fooled by these fake sites? Even my grandma knows how to look at the address bar and tell whether it says "chase . com" or "fdsfu894037q583h24 . login-to . chase . com . cn".
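Added example (editor's code, not from Phanx's post): the address-bar check described above, written out in Python so the difference between the two hostnames is mechanical rather than eyeballed. The registrable domain of a hostname is the label immediately left of its public suffix, and that is what a user has to compare against the site they meant to visit. PUBLIC_SUFFIXES is a stub of a few suffixes standing in for the Public Suffix List, and the sample URLs are constructed from the hosts in the post, plus one more lookalike that puts the real name as a prefix under the reserved example.net.

```python
"""Tell a lookalike host from the real one by its registrable domain."""
from __future__ import annotations

from urllib.parse import urlsplit

# Stub for the Public Suffix List (https://publicsuffix.org/). A real check
# loads the full list; only the suffixes these samples need are listed here.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "com.cn", "co.uk"}


def registrable_domain(url: str) -> str | None:
    """Return the part of the hostname that the site operator actually controls.

    'https://fdsfu894037q583h24.login-to.chase.com.cn/' -> 'chase.com.cn'
    'https://www.chase.com/'                              -> 'chase.com'
    """
    if "://" not in url:
        url = "http://" + url  # urlsplit only finds the host when a scheme is present
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".") if host else []
    # Scanning from the left tries the longest candidate first, so "com.cn"
    # wins over "cn"; the registrable domain is that suffix plus one label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None  # bare public suffix, unknown TLD, or no host at all


def is_expected_site(url: str, expected: str) -> bool:
    """What the address-bar glance should establish: same registrable domain."""
    return registrable_domain(url) == expected.lower()


def naive_check(url: str, expected: str) -> bool:
    """The substring test that lookalike hostnames are built to pass."""
    return expected.lower() in url.lower()


# Constructed from the hosts in the post; the third URL is the other common
# trick, the real name placed as a prefix under an unrelated domain.
SAMPLE_URLS = [
    "https://www.chase.com/login",
    "https://fdsfu894037q583h24.login-to.chase.com.cn/login",
    "https://chase.com.example.net/login",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u}\n  substring says chase.com: {naive_check(u, 'chase.com')}  "
              f"registrable domain: {registrable_domain(u)}  "
              f"really chase.com: {is_expected_site(u, 'chase.com')}")
```

The substring test says yes to all three URLs; the registrable-domain test says yes only to the first. The same logic is why a padlock icon proves nothing here: the lookalike host can have a perfectly valid certificate for chase.com.cn.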
Old 01-05-14, 04:16 AM   #8
humfras
A Warpwood Thunder Caller
AddOn Author
Join Date: Oct 2009
Posts: 92
Originally Posted by Phanx View Post
How on earth does anyone get fooled by these fake sites? Even my grandma knows how to look at the address bar and tell whether it says "chase . com" or "fdsfu894037q583h24 . login-to . chase . com . cn".
You don't need to convince people. All you need is some people foolish enough to believe in anything you say.
__________________
Author of CursorCastBar, OptiTaunt, Poisoner, RaidMobMarker
Old 01-05-14, 04:48 AM   #9
Phanx
A Pyroguard Emberseer
AddOn Author
Join Date: Mar 2006
Posts: 3,951
I need to find these people... I've got some beachfront property on the moon I need to sell them.
Old 01-05-14, 05:17 PM   #10
pelf
Sentient Plasmoid
Premium Member
Join Date: May 2008
Posts: 128
I think (some) less-computer-savvy people actually don't know what the address bar is. e.g. The people who do Google searches for URLs and then click the first result instead of just "a-m-a-z-o-n<Ctrl+Enter>" ... or even "a-m-a-z-o-n-.-c-o-m".
Old 01-06-14, 01:05 AM   #11
Phanx
A Pyroguard Emberseer
AddOn Author
Join Date: Mar 2006
Posts: 3,951
Eh, that phenomenon isn't limited to the computer-unsavvy. I know more than one programmer who does it. When I call them out on it, their excuse is usually something like "uhhhhhh the Google box was closer to the cursor than the URL box!"
Old 01-06-14, 12:12 PM   #12
MoonWitch
A Rage Talon Dragon Guard
AddOn Author
Join Date: Sep 2007
Posts: 342
Originally Posted by Phanx View Post
Eh, that phenomenon isn't limited to the computer-unsavvy. I know more than one programmer who does it. When I call them out on it, their excuse is usually something like "uhhhhhh the Google box was closer to the cursor than the URL box!" :roll eyes:
My co-worker enters "google" into the google search box... I think that summarises my life
Old 01-06-14, 01:36 PM   #13
Phanx
A Pyroguard Emberseer
AddOn Author
Join Date: Mar 2006
Posts: 3,951


IN GLORIOUS HD, BECAUSE THIS IS AN HD FACEPALM SITUATION.
Old 01-09-14, 08:31 PM   #14
10leej
A Scalebane Royal Guard
AddOn Author
Join Date: Feb 2011
Posts: 426
Originally Posted by pelf View Post
I think (some) less-computer-savvy people actually don't know what the address bar is. e.g. The people who do Google searches for URLs and then click the first result instead of just "a-m-a-z-o-n<Ctrl+Enter>" ... or even "a-m-a-z-o-n-.-c-o-m".
I work with 'em all the time. They exist.