*Compromised accounts* Potential Trojan

Technical Support
Hi,

Regarding this "Disker" Trojan, would I be able to use an app like the on-screen-keyboard to cure my paranoia?

Thanks in advance,

Me
This is actually, in a way, a good thing.

It seems the last couple of years have seen a rise in trojans to steal WoW accounts. Maybe we, as a playerbase, have become more wary of phishing attempts, and the hackers are now getting desperate.

And also, thanks for the updates! Let us know when the various malware and virus programs have definitions for them, yeah?
This trojan was reported in this very forum in March 2012. Is this a new variant?

I just fell victim to a man-in-the-middle attack on my account (which has an authenticator on it).
...
The key is called "Disker" and its Data string is: rundll32.exe C:\Users\<Your username>\AppData\Local\Temp\HIMYM.DLL,DW

Posted by "Shannon" on 3/20/2012
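A read-only check for the autostart entry the quoted post describes, written here as an added example (it is not code from this thread or from any of its posters). It assumes the standard Windows Run keys and the indicator pattern given above (a value named "Disker", or rundll32.exe loading a DLL out of the per-user Temp folder); it only reports matches and leaves removal to the steps in the original post.

```powershell
# Added example: look for the "Disker" autostart entry in the Run keys.
# Indicator taken from the quoted post: value name "Disker" with data such as
#   rundll32.exe C:\Users\<name>\AppData\Local\Temp\HIMYM.DLL,DW
# Read-only: nothing is deleted, matching entries are written to the pipeline.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# rundll32 launching a DLL that lives under ...\AppData\Local\Temp\
$suspiciousData = '(?i)rundll32(\.exe)?\s+.*\\AppData\\Local\\Temp\\[^\\,]+\.dll'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key
    foreach ($prop in $entry.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSChildName etc.; skip those metadata properties
        if ($prop.Name -like 'PS*') { continue }
        $name = $prop.Name
        $data = [string]$prop.Value
        if ($name -eq 'Disker' -or $data -match $suspiciousData) {
            # Pull the DLL path out of the data string to report whether it still exists
            $dllPath = $null
            if ($data -match '(?i)([A-Z]:\\[^,]+\.dll)') { $dllPath = $Matches[1] }
            [pscustomobject]@{
                Key       = $key
                Name      = $name
                Data      = $data
                DllExists = if ($dllPath) { Test-Path -LiteralPath $dllPath } else { $false }
            }
        }
    }
}
```

Run it from an ordinary PowerShell prompt; an empty result means neither the "Disker" name nor a Temp-folder rundll32 entry is present in those keys.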
I performed a Google search for:

\appdata\local\temp\w_win.dll

and found someone else's analysis of a file by the same name here which lists some callbacks to Curse Client. Is it possible one of their builds was infected with something malicious?

http://www.file-analyzer.net/analysis/845/4883/1/html

I can't say this is the same file as I don't have a CRC check, but it would be worth investigating.

edit: Found another analysis. The thought that it is posing as, or was actually, a Curse Client build is looking better. There are screenshots here:

https://malwr.com/analysis/ZDdkNjQ4ODljNDJjNDIyZGE1ZGMwNWQwMjJjMGRiZjY/

Both analyses were performed on 12/23/13.
For the BLUES
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=109638

looking around on it as we speak
It looks like Dr. Web CureIt currently detects and eliminates this particular trojan. I searched for the malicious DLLs in question and got two hits from their site:

http://www.drwebhk.com/en/virus_techinfo/Trojan.Siggen5.64266.html
http://www.drwebhk.com/en/virus_techinfo/Trojan.Siggen5.63622.html

It's properly identified as Disker and the DLLs are found in the locations indicated in the original post.

I'm not particularly familiar with Dr. Web, but they do appear to be a reputable anti-malware company, even if they're not all that well-known.

http://en.wikipedia.org/wiki/Dr._Web

It looks like they were the first to pick up on a widespread Mac trojan as well, lending a bit more credibility to their name.

I also found one more notable hit while researching this malware:

https://malwr.com/analysis/ZDdkNjQ4ODljNDJjNDIyZGE1ZGMwNWQwMjJjMGRiZjY/

That was uploaded on December 23rd. It's not quite as informative as the prior links, although the malware did appear to be detected.

This malware isn't heavily detected at this point. If anyone has any further information, please share it so that this can be properly identified and cured by more anti-malware software.
This is definitely zero-day malware at this point. If anyone has any further information, please share so that this can be identified and cured by more anti-malware software.


I'd hardly call it a zero-day attack based on what is known about it, even more so given that we know it has existed for at least a year. It's more likely a popular program that many users have hasn't been updated, which leads to a known vulnerability being exploited to deliver the trojan. Much like most bad things on the internet.
Wondering if this is linked to the DDOS (or whatever it was) attacks the other day, or just an unhappy coincidence. Either way, I'm downloading Dr Web and giving it a whirl. Better safe than sorry, and I'll run all my other anti-virus/malware programs as well.
There are posts on the net about DDOS attacks on Twitch/Bliz/Lol; not sure if they all tie together, but according to the news post it was
01/02/2014 02:22 PMPosted by Mortuary
I'd hardly call it a zero-day attack based on what is known about it, even more so given that we know it has existed for at least a year. It's more likely a popular program that many users have hasn't been updated, which leads to a known vulnerability being exploited to deliver the trojan. Much like most bad things on the internet.


Eh, good point. Probably poor phrasing on my end.

What is important is that it does seem to elude most malware scanners at the moment, though. It's likely a modified version of what we've seen before.

It would be nice to know where people are picking these things up. It's incredible how people can unintentionally find so many ways to infect their systems. :P

01/02/2014 02:27 PMPosted by Sorenthus
Wondering if this is linked to the DDOS (or whatever it was) attacks the other day, or just an unhappy coincidence. Either way, I'm downloading Dr Web and giving it a whirl. Better safe than sorry, and I'll run all my other anti-virus/malware programs as well.


You shouldn't need to go through much trouble at the moment if you doubt your system has been compromised. Follow the instructions in Jurannok's original post before going through any additional hassle.

This would also be a "coincidence", I'm certain. A DDoS just makes a website or service temporarily unavailable.
I use the Desktop App to log in, I'm always logged in; am I safe?

I have the same question
01/02/2014 02:31 PMPosted by Elitedk
I use the Desktop App to log in, I'm always logged in; am I safe?

I have the same question


You're probably safe since the attack appears to use a man-in-the-middle attack. Once you manually enter your name, password, and authenticator code, it takes that information and uses it to immediately have you logged in elsewhere.

Ressy's assumption is likely spot-on:

01/02/2014 01:30 PMPosted by Ressie
I would assume you're safe until it asks for your authenticator code.
01/02/2014 02:30 PMPosted by Kodiack
I'd hardly call it a zero-day attack based on what is known about it, even more so given that we know it has existed for at least a year. It's more likely a popular program that many users have hasn't been updated, which leads to a known vulnerability being exploited to deliver the trojan. Much like most bad things on the internet.


Eh, good point. Probably poor phrasing on my end.

What is important is that it does seem to elude most malware scanners at the moment, though. It's likely a modified version of what we've seen before.

It would be nice to know where people are picking these things up. It's incredible how people can unintentionally find so many ways to infect their systems. :P

Wondering if this is linked to the DDOS (or whatever it was) attacks the other day, or just an unhappy coincidence. Either way, I'm downloading Dr Web and giving it a whirl. Better safe than sorry, and I'll run all my other anti-virus/malware programs as well.


You shouldn't need to go through much trouble at the moment if you doubt your system has been compromised. Follow the instructions in Jurannok's original post before going through any additional hassle.

This would also be a "coincidence", I'm certain. A DDoS just makes a website or service temporarily unavailable.


I like to be careful, plus this is a nice reminder I'm due to do my monthly scan of my system for hidden nasties. :D
The nature of DDOS is that someone with too much time on their hands is sitting in front of a program that tells thousands+ of (compromised) computers to assault a web address with traffic, hoping to overload it and take it offline.

It is very different from packaging and deploying a Trojan, which involves (most likely in this case) knowing someone who knows someone who works on some software which is installed on many PCs where WoW runs, and slipping something nefarious in there. Per my previous post, I highly suspect Curse Client, but since they discontinued their support forums, it's frustrating to not have a consolidated location to see reports of their software misbehaving (which it HAS in the past).

Anyway, the two events (DDoS and Trojan reports) are absolutely not related in any way, and their appearance together this week is coincidental.
Scanned mine, came up clean - I use the same comp repeatedly (every time I log in, I don't use any other computers, had the same one for almost 7 years now); ran the MSInfo three times - once before, once on the log-in screen, and it didn't ping me for my Authenticator, so running it a third time.

My husband's, however, is another story. Loaded up, as soon as it asked for the Authenticator (running it for him while he's at work), it flagged a Spyware, though that one was removed (so I don't think it has anything to do with it, all the same). Running MSInfo to see if he has it or not.

If he does have it (preliminary scan isn't showing it, running it a second time to be absolutely sure), do we post the info here if so, or is there somewhere else you guys want this put in at? And will he need to call you, since he would have to log into the Forums as well, or can I post that information for him via an email or something (not sure how this is spread, so not even sure if that's safe).

ETA: Also - would you all recommend not updating addons and what not until after this is resolved? If it's an issue from Curse, I really don't want to update only to end up with this thing.
Does this affect Macintosh?

I don't think that it would affect Mac, since they don't use DLL files, only Windows.
01/02/2014 02:40 PMPosted by Dominitari
ETA: Also - would you all recommend not updating addons and what not until after this is resolved? If it's an issue from Curse, I really don't want to update only to end up with this thing.


I highly doubt it's an issue from Curse. If you're using the real Curse Client (which can be obtained at http://www.curse.com/client), then you're probably going to be safe. When the Curse Client is at "fault" for infecting a system, it's almost always because the software that was downloaded wasn't actually the Curse Client, but rather malware that identified itself as such.
Could be a hidden malware inside one of the addons through the Curse Client is what I think he was getting at. Most people don't even think about it if something that says Curse pops up and needs to be installed. I'm highly protective over my computer... so I for one won't be updating any addons (I can do without, thanks to Blizz adding addon-like interfaces anyway) till this bugger is found and it comes out how the computers are getting infected.

Although like Kodiack said earlier "It would be nice to know where people are picking these things up. It's incredible how people can unintentionally find so many ways to infect their systems. :P" Most who get infected don't realize it till it's too late and most are too stupid to even remember what they did before everything went to hell in a hand basket.
Does this affect people using the "Battle.Net Launcher", provided that you don't have to type in your password or authenticator?
