World of Warcraft Trojan found in third party client

The malicious trojan that was compromising World of Warcraft accounts has been identified.

Turns out, writes Blizzard Support Agent Kaltonis, the malware was tucked away inside a fake – but working – Curse Client. It gets more complex – the fake client was downloaded from a fake – but (mainly) working – version of the Curse website.

Gamers searching for “curse client” on major search engines were finding the (false) site, downloading the (false) file, and installing the (very real) Trojan.

Technical Support staff Ressie explains:

The problem isn’t Curse. The problem is people searching for Curse Client, and clicking on an ad instead of the actual Curse site. The genuine Curse Client is clean. The problem is people not watching what they’re clicking on or installing, and getting a fake that gives you malware as well as the real client.

While the Trojan is still not recognised by a number of antivirus programs, it’s being picked up by others, including Ad-Aware, BitDefender, McAfee and Symantec. More are being added all the time.

The easiest way to remove the Trojan is simple: Delete the fake Curse Client, and run an (updated!) Malwarebytes. You no longer need to reformat your computer.

If there are still issues, try this:

  • Download AutoRuns:
    http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
    Run Autoruns.exe
    Find Disker & Disker64 in the list. Uncheck the boxes on the left for each line, then right-click each, and select “Delete”.

  • Download ProcessExplorer:
    http://technet.microsoft.com/en-ca/sysinternals/bb896653.aspx
    Run procexp.exe
    Under explorer.exe, you should see a rundll32.exe. There may be several, so find the one whose popup text, when you hover over it, says “Disker” and/or “Disker64”. Right-click that rundll32.exe, select “Kill Process”, and click OK.

  • Download SuperAntiSpyware:
    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
    Uncheck both options in the bottom left, and click Express.
    After it installs, close it.
    Navigate to the
    c:\users\name\appdata\local\temp
    folder, where “name” is your username.
    Right-click w_win.dll, and select “SUPERDelete File Removal”. It’ll bring you to a screen asking if you REALLY want to delete the file, and to type YES. Type YES.
    Do the same for w_64.dll.

  • Reboot normally and it should be gone.

  • Uninstall SuperAntiSpyware, and delete ProcessExplorer & Autoruns.
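The manual steps above come down to three checks: an autorun entry named Disker/Disker64, a rundll32.exe process tied to it, and two DLLs in the per-user temp folder. The PowerShell script below is an added example (not code from the article or from Blizzard support) that performs those checks read-only and reports what it finds without deleting anything, so a helpdesk or a cautious user can confirm an infection before following the removal steps. The file names and the temp folder come from the article; the assumption that the Disker entries live in the standard Run registry keys is mine (Autoruns covers more locations than that), as is the choice to match on the string “Disker” in rundll32 command lines.

```powershell
# Added example, not part of the original article: read-only check for the
# indicators named in the removal steps (Disker/Disker64 autorun entries,
# a rundll32.exe tied to them, and w_win.dll / w_64.dll in %LOCALAPPDATA%\Temp).
# Nothing is modified or deleted; findings are printed for a human to act on.

$indicatorNames = @('Disker', 'Disker64')     # autorun entry names from the article
$indicatorFiles = @('w_win.dll', 'w_64.dll')  # dropped DLLs from the article
$findings = @()

# 1. Autorun entries. ASSUMPTION: the Disker entries sit in the usual Run keys;
#    the article only says Autoruns lists them, so a full Autoruns pass is still
#    the authoritative check.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        $valueHit = ($p.Value -is [string]) -and ($p.Value -match 'Disker')
        if (($p.Name -in $indicatorNames) -or $valueHit) {
            $findings += "Autorun entry: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. rundll32.exe processes whose command line references Disker/Disker64
#    (the Process Explorer step identifies the same process by its tooltip).
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    if ($_.CommandLine -match 'Disker') {
        $findings += "Process: PID $($_.ProcessId) -> $($_.CommandLine)"
    }
}

# 3. The two DLLs in c:\users\<name>\appdata\local\temp. A SHA256 is printed so
#    the file can be checked against AV vendor detections before removal.
$tempDir = Join-Path $env:LOCALAPPDATA 'Temp'
foreach ($f in $indicatorFiles) {
    $path = Join-Path $tempDir $f
    if (Test-Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $findings += "File: $path (SHA256 $hash)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Disker / w_win.dll indicators found on this machine.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and other users’ processes are readable; an empty result from this script does not rule out the infection, since the autorun location is an assumption and the malware may have been updated, which is why the article’s advice to run an updated scanner still applies.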

Kaltonis continues:

For those of you interested in these MitM style attacks, this is the only confirmed case we’ve seen in several years outside of the “Configuring/HIMYM” trojan in early 2012 that hit a handful of accounts. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!

Hackers gaining access to your World of Warcraft account might not seem like much more than a nuisance, but the implications can be far-reaching. By stealing your Battle.net address and password, the hackers potentially have enough information to access your email account or Facebook page – even your online banking details.

This should be a reminder not only to avoid downloading software unless you’re sure you know what it is, but also to use a different, unique password for every online account.
