Malware is being used to compromise World of Warcraft accounts around the globe, even if those accounts use an official authenticator.
UPDATE: The Trojan has been identified – it was tucked inside a fake third-partly client.
Blizzard spokesperson Jurannok made the announcement on the game’s forums, explaining that the team has received reports of a Trojan being used to steal gamers’ passwords. The software gets around the protective authenticator by working in real time, copying both account information and the authenticator password as you type them in.
If your WoW account has been compromised recently (we don’t have a timeframe for this), Jurannok recommends doing a little sleuthing to find the Trojan on your PC. Create an MSInfo file, and look for either “Disker” or “Disker64” in the Startup Program section.
You’re looking for this:
Disker rundll32.exe c:usersnameappdatalocaltempw_win.dll,dw Name-PCName Startup
Disker64 rundll32.exe c:usersnameappdatalocaltempw_64.dll,dw Name-PCName Startup
If you do find these traces on your system, please reply to Jurannok with the following information:
- Your MSInfo.
- A list of any addons you recently installed along with where you got them.
- A list of any programs you recently installed along with where you got them.
- Any security programs you have run and their results.
Unfortunately, there’s no good news about the next step just yet, as Jurannok explains:
We are currently looking for more information on the Trojan. We have not been able to locate any anti-virus programs that will remove it besides just reformatting your system.
The malware affects gamers using both mobile and keyfob authenticators, as well as (obviously) those who do not use the extra security measure.
It’s not quite the way Blizzard would have liked to ring in the new year, but hopefully it’s been spotted early enough to raise the alarm and prevent too many more gamers from being affected.