If you get big enough, they will come ….

[Cairenn]

And unfortunately for us, the “they” in this case are thieves, and they came. It appears that the people who are distributing the latest rash of trojans paid us a visit as well. We have determined that two of the mods on the site that have auto-installers were hacked and a trojan inserted. From our investigations, it appears that the incursion was on 30 Nov. Here are the details that you need to be aware of:


If you downloaded either:

KaoMod-20300.001.exe

or:

SewellUI

between 30 Nov and 02 Dec, you may have been infected.


We were first alerted to a possible problem via this thread on the Blizzard forum yesterday, 01 Dec, at 2am my time. We immediately quarantined the mod in question and ran tests on it. It appeared to come up clean, but continued digging determined that there was, in fact, a trojan hiding in it. As we continued to investigate, it became apparent that the person who did this only hit our fs2 (file server 2) database server. At that point (5 am my time), we immediately quarantined our entire fs2 and switched to fs1. fs2 continues to be quarantined until we can be sure that any infections are removed.


What you need to do

If you downloaded either of those files and think you may have been infected, here is what you need to do:

Updated! 12/3/07 12AM CST - ScytheBlade1 has written a batch file to remove all 3 versions of the keylogger. Dolby has verified that this does work.

Download: RemoveKeylogger.zip
(Contains one .bat file and one .reg file)

Download and extract the files to your hard drive (for example, C:\). I wouldn't recommend extracting it to your desktop for simplicity reasons.

Once you've got it downloaded and extracted, reboot into safe mode and then run RemoveKeylogger (the file that looks like a gear). Reboot once more into "normal" mode and the keylogger should be removed. Please follow the steps in the original post to ensure that it is actually gone before you trust your computer.

Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVC).

OR, if you feel more secure doing it manually ....

1) Boot into safe mode

2) Delete the bad files (wzcsvbc.dll, mouse.dll, printfpool.exe)

Start --> run --> cmd.exe

Copy and paste the following lines into the box, one by one:

attrib -H -S %systemroot%\system32\wzcsvbc.dll

attrib -H -S %systemroot%\system32\mouse.dll

attrib -H -S %systemroot%\system32\printfpool.exe

del %systemroot%\system32\wzcsvbc.dll

del %systemroot%\system32\mouse.dll

del %systemroot%\system32\printfpool.exe

sc delete printfpool

exit

3) Fix the registry

Start --> run --> regedit

Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters

Double-click on "ServiceDLL" and change that value to "%SystemRoot%\System32\wzcsvc.dll" (remove the "b")

4) Reboot

5) Start WoW, and then close it. Do NOT log in.

6) Verify that the bad files don't exist(search your computer for "wzcsvbc.dll" - be sure to search in hidden and system folders)

7) Run a complete anti-virus scan. AntiVir (http://freeav.com) has been known to successfully detect these files.

8) Login to the WoW account management (http://www.worldofwarcraft.com/account/) and change your password.

• NOTE: VERY FEW ANTIVIRUS PROGRAMS CURRENTLY PICK THIS TROJAN UP. BE SAFE, SCAN YOUR SYSTEM, BUT VERIFY BY HAND THAT THE BAD FILES NO LONGER EXIST.

What we are doing about this:

We’ve installed another level of firewall on our servers, amongst other things. Effective immediately we will no longer accept any mod packages that include .exe or .msi (self-installers). Authors of existing packages that use self-installers will be contacted and required to change their packages to regular compression (.zip) files only, or removed from the site.


We’re very very sorry this has happened. Never before in the five years that we’ve been running our sites have we had anyone successfully breach our security and imperil our users. Trust that we will do everything we can to try to make sure it never happens again.

Once again, we’re really sorry.

[ScytheBlade1]

If you came up with printfpool.exe, once you have gone through and deleted the files and verified that you are indeed clean, you should remove the service that it installs to start itself with.

This is accomplished by typing "sc delete printfpool" in to the run box, or at cmd.exe.

[Cidan]

I'm sorry that this happened; it's really not as easy as most people think it is to lock down a server. I've had many a times where my server logs go crazy with people random-guessing my SSH logins or trying to exploit upload systems.

I do applaud the move away from MSI/EXE installers though. This will certainly help the aftermath and pretty much eliminate the problem.

A thought though; perhaps it would be wise for Blizzard to include a module installation system where developers can simply package a file up in a self-contained (NOT executable) file, ie: someMod.wowadd, and a program Blizzard provides would extract/place the files where they need to go. This is similar to what the Unreal engine does with UMOD's, etc, and it works out really well.

<3
-Cid

[Cairenn]

Continuing to have people dig at this, we know that Avast and Kaspersky don't pick it up, but AntiVir does.

[nthomas5143]

I got this problem and spent about 4 hours on the forums trying to fix it. Thank you for finding what files did it. Also check your System32 for mouse.dll and wzcsvbc.dll (NOT wzcsvc) these have also been deemed to be a cause of the problem. If you are uncomfortable w/ messing w/ your computers programming, a workaround is to rename your wow.exe to something like wowi.exe this will prevent this "virus" from executing. This is not a solution just a temporary fix until you can get someone who knows what they are doing on your computer. Also just to be safe, using a secure computer (pref. one w/o WoW installed) go onto the blizzard website and change your password.

Thanks again for finding and solving this problem, it basically rendered my custom UI useless and now i get to rebuild it

Hope this helps!

[Tekkub]

Just to clearify, the affected packages were not uploaded infected by the authors, but were modified by a 3rd party after they were already available for download, correct?

Just don't want people being suspicious of the authors here

[Dolby]

You are 100% correct. An ssh account was compromised that had access to the files. Guessing the attacker did a locate *.exe and found a few in the compilations area to replace with his/hers. So it wasn't our upload system that was compromised it was our secondary file server.

[unbeliever]

This has been driving me insane but it looks like I've finally know why this has been happening. I installed sewell UI between that period and none of his profiles (sewell125) would show up in fubar etc. and if I made any changes they wouldn't be saved. I tried deleting the wtf and interface folder, reinstalling sewell, installing different UI but still my mods wouldn't be saved.

I just found this post and the one on the wow site: http://forums.worldofwarcraft.com/th...68363293&sid=1
. I'm not an expert on these things, but aren't these 2 posts saying to do two different things to fix the problem.

If someone could give me some advice on the best way to resolve this problem that would be great......like I said this has driven me insane to the point where I wanna quit wow....

Is the sewell UI rar file all good? Because I would like to stick with it if possible.

[Cairenn]

Today's post is just an updated version of that one, since we have additional information to work with. As I just posted on the Blizz thread that corresponds to THIS one (not the incgamers one):

Quote:

Originally Posted by Cairenn

The instructions in the first post were just updated - as the members of the community dug further into it, we've been able to determine that it's the same trojan as hit incgamers earlier. It seems, however, that it's is almost like they got 1/2 of it and we got the other 1/2, so between the information obtained about theirs earlier this week and ours today, we should have it pretty well pinned down at this point. At least, we hope we've managed to find everything finally.

If you follow the instructions in this thread, it should hopefully clear it all up for you. If it doesn't, please let us know so we can keep digging.

In response to your second question - yes, the version of Sewell that you can get from the site now is safe and clean. It's the version from our fs1, which was never touched by the trojan. Alternately, you can just get his .rar version, which has no installer at all.

I'm very sorry you were infected.

[septor]

Quote:

Originally Posted by unbeliever

Is the sewell UI rar file all good? Because I would like to stick with it if possible.

From what I understand just the executables were bad.


---

Can anyone confirm if AVG can pick up these files? I haven't ran any of the files mentioned, but I'd like to know if the anti-virus software I'm using is good, or if I should switch to this AntiVir.

[unbeliever]

Quote:

Originally Posted by Cairenn

Today's post is just an updated version of that one, since we have additional information to work with. As I just posted on the Blizz thread that corresponds to THIS one (not the incgamers one):



If you follow the instructions in this thread, it should hopefully clear it all up for you. If it doesn't, please let us know so we can keep digging.

In response to your second question - yes, the version of Sewell that you can get from the site now is safe and clean. It's the version from our fs1, which was never touched by the trojan. Alternately, you can just get his .rar version, which has no installer at all.

I'm very sorry you were infected.

Thanks for your help Cairenn. The Sewell Ui is just so convenient, so once I remove the trojan I think I'll use the clean version.

I may be a noob but why would the makers of the trojan want to prevent you from saving your UI settings....I know they want to steall my password, but how messing with peoples UI help there cause.

Also does anyone know if McAfee picks these dll files up?

[Cairenn]

AntiVir and ClamScan are two of the few known to pick up this particular trojan, at this point. If you are concerned that you may have it, either pick up one of those to check with, or do a manual check.

[Cairenn]

Quote:

Originally Posted by unbeliever

I may be a noob but why would the makers of the trojan want to prevent you from saving your UI settings....I know they want to steall my password, but how messing with peoples UI help there cause.

Because if your WTF isn't saved, you have to type in your username and password the next time you log in, then they log your keystrokes.

[ReverendD]

One thing I don't see posted is any services that may be running that people can do a quick check in Task Manager to see if its there, or does it not run any service that shows there?

[Tekkub]

Quote:

Originally Posted by Cairenn

Because if your WTF isn't saved, you have to type in your username and password the next time you log in, then they log your keystrokes.

But, by clearing ALL your WTF, the logger makes it's presence VERY known... unless you're running all default UI... but if you were then infecting via an addon package wouldn't work...

[Arieth]

Quote:

Originally Posted by Cairenn

What you need to do

If you downloaded either of those files and think you may have been infected, here is what you need to do:

1) Boot into safe mode

2) Delete the bad files (wzcsvbc.dll, mouse.dll, printfpool.exe)

Start --> run --> cmd.exe

Copy and paste the following lines into the box, one by one:

attrib -H -S %systemroot%\system32\wzcsvbc.dll

attrib -H -S %systemroot%\system32\mouse.dll

attrib -H -S %systemroot%\system32\printfpool.exe

del %systemroot%\system32\wzcsvbc.dll

del %systemroot%\system32\mouse.dll

del %systemroot%\system32\printfpool.exe

sc delete printfpool

exit

3) Fix the registry

Start --> run --> regedit

Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters

Double-click on "ServiceDLL" and change that value to "%SystemRoot%\System32\wzcsvc.dll" (remove the "b")

4) Reboot

5) Start WoW, and then close it. Do NOT log in.

6) Verify that the bad files don't exist(search your computer for "wzcsvbc.dll" - be sure to search in hidden and system folders)

7) Run a complete anti-virus scan. AntiVir (http://freeav.com) has been known to successfully detect these files.

8) Login to the WoW account management (http://www.worldofwarcraft.com/account/) and change your password.

• NOTE: VERY FEW ANTIVIRUS PROGRAMS CURRENTLY PICK THIS TROJAN UP. BE SAFE, SCAN YOUR SYSTEM, BUT VERIFY BY HAND THAT THE BAD FILES NO LONGER EXIST.
  

What we are doing about this:

.

We have tried this solution and it hasn't worked for us.

Issue I had encountered:
* When we went into the reg edit that it wouldn't delete the "b" in wzxsvbc.dll

I plan to try to use the AnitiVir website to remove the trojan. Will this resolve my issue and will my account be reletivently safe or do I need to go forward with having Blizz shut my account down?

[unbeliever]

I just went home at lunch to try the fix. However it wont let me delete the wzcsvbc.dll file. I booted in safe mode (following all of the instructions in this post), I'm admin and I have permissions to delete system files. But when i try and delete the file using the cmd prompt it says access denied. I navigated to the file and tried to delete and again it won't let me.

Can anyone tell me what I'm doing wrong or offer an alternative method?

[Cairenn]

Not ignoring you guys, trying to see what else we can find to help you.

[antiarc]

Quote:

Originally Posted by septor

Can anyone confirm if AVG can pick up these files? I haven't ran any of the files mentioned, but I'd like to know if the anti-virus software I'm using is good, or if I should switch to this AntiVir.

AVG was not picking it up earlier this afternoon.

Quote:

Originally Posted by ReverendD

One thing I don't see posted is any services that may be running that people can do a quick check in Task Manager to see if its there, or does it not run any service that shows there?

There is no specific task. The DLLs with the trojan code are embedded at runtime into lsass.exe, which is a valid system process.

Quote:

Originally Posted by unbeliever

I just went home at lunch to try the fix. However it wont let me delete the wzcsvbc.dll file. I booted in safe mode (following all of the instructions in this post), I'm admin and I have permissions to delete system files. But when i try and delete the file using the cmd prompt it says access denied. I navigated to the file and tried to delete and again it won't let me.

Can anyone tell me what I'm doing wrong or offer an alternative method?

Make sure you boot into Safe Mode, not Safe Mode with Networking or anything like that. If it still won't work, try AntiVir - it will mark files that it can't delete for deletion on next boot.

[ReverendD]

Quote:

There is no specific task. The DLLs with the trojan code are embedded at runtime into lsass.exe, which is a valid system process..

Ok, this is what I was curious about. Ty.