*Compromised accounts* Potential Trojan

Technical Support
Awesome news! How long does it usually take for Malwarebytes and other scanners to update to detect and squash the trojan after they get the info?


Depends.. I uploaded it, and they haven't opened it just yet.

I'm just going through the list one by one submitting to the various AVs. Hoping I'll be done Soon(tm). :)
________________________________________________
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
Strong work folks. I'm going to keep this thread to point people to who think that Curse is doing a bad job.


As well as people who insist that Blizzard customer service is so bad. This was pretty amazing to follow.
01/02/2014 08:13 PM Posted by Ressie
Depends.. I uploaded it, and they haven't opened it just yet.

I'm just going through the list one by one submitting to the various AVs. Hoping I'll be done Soon(tm). :)

Hello, great job all! I have been following this and it's been very interesting. I am glad to hear that there may be a fix soon. Just curious: will AVG be one of the AVs submitted to? I use AVG Free... is that any good for protecting me, or should I pay and/or use a different program? Again, great work all!


Ressie did indicate in #wowtech that she sent this to AVG too. She reached out to most of the major AV vendors, as well as some medium-sized ones. Of course, once some AV software picks up on specific malware, it's not long before everyone else follows suit.

Your AVG Free should be enough to protect you, so long as you exhibit safe browsing habits online. :)
I would say Avast Free is better than AVG.

01/02/2014 08:47 PM Posted by Hannabev
Hello, great job all! I have been following this and it's been very interesting. I am glad to hear that there may be a fix soon. Just curious: will AVG be one of the AVs submitted to? I use AVG Free... is that any good for protecting me, or should I pay and/or use a different program? Again, great work all!
How about Norton 360?


I like McAfee; even NOD32 is better than Norton, which is a system hog.
Well that was fast. Awesome work, and thank you for working so hard to keep us less tech-savvy players safe! :>
You can see all the antiviruses which detect it already here:
https://www.virustotal.com/en/file/850dc3ebb2437edaf3352eee79ee704cdb881779684c2128f1f07d8dd79c0344/analysis/1388723212/

This includes Ad-Aware, BitDefender, F-Secure, Ikarus, McAfee, Panda, Symantec/Norton, TrendMicro-HouseCall & VIPRE.

These don't pick it up yet, but I've submitted the trojan to them:
AVG, Avast, ClamAV, Comodo, DrWeb, ESET/NOD32, F-Pro, Kaspersky, Malwarebytes, MSE, Norman, SuperAntiSpyware, Sophos, TrendMicro, nProtect.
________________________________________________
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
2 things about Norton. They have worked hard and it is not such a hog with the current year's version. However, with parts of their source code being leaked, I would not trust their systems.
thank you Ressie =D
BTW, I do find it funny that VirusTotal is reporting it being detected by some of the AVs, but a good example is that their virus name is found detecting it back in 2008. Others have incorrect info on what it does, including "After it finds the file it searches for all shared folders and for each folder it finds it generates 255 copies of the virus." Most of the time, these anti-virus vendors detect generic signatures and might not actually detect this virus.

Again, we need more info. What's in the .text and .data sections of the code? Why is the MessageBoxA API being called? Is it using the NetBIOS API to send the compromised info off? Why is it calling the GetComputerNameA API?

These API calls need to be intercepted and the memory traced.

Now if someone does want to be helpful, send a copy of the dll file to twisted@whatistwisted.com
I am looking for both 32-bit and 64-bit versions. Let's get some of this info so we can better protect ourselves from this thing.
I'll keep Ressie's URL handy. I run Kaspersky and it has been very reliable.
The Tech CREW Rocked.
And those whose tentacles are bent out of shape can just get over it.

I still got that quote--something about how Blizzard has some scary-mad skill wizards working for them (paraphrasing)..I'm still smiling. You guys saved me a massive headache tonight. And I appreciate all of you... my hat off to Ressie! <3
I am about 99% sure I am a victim of this. I will explain at length what I know of this..

Sunday (26th) I was browsing Wowhead (homepage) and an Adobe update came up. It seemed fishy but I went with it because it did have the Adobe logo. I downloaded it and tried to run it, but nothing happened, so I moved on.

Then I got hacked..
This is how it went down. I was dc'd from WoW on the 1st. I was then asked to put in my authenticator (it had not been 30 days since the last input) and when I put in the authenticator, it took TOO long to register, so I re-input it. My wife noticed that as I was trying to log in, in game I was coming online and offline a lot, and at the time we just thought it was trying to connect. I couldn't get back on, so we walked away and ate dinner. Came back after dinner, got on WoW, realized I couldn't repair and was drained of gold. My wife noticed that the guild bank gold was drained and that my account took it out.

This is when I started searching for what I had done differently in the last bit, and that link (Adobe from Wowhead (Flash Player)) is the only thing I can come up with. I am sure of this since I just got back from a deployment and my laptop is just now being connected to the interwebs. So there is only limited stuff I have done.

After I opened a ticket I went back and searched the downloads in my folders and noticed the fishy Flash Player download still in the history. In my history I had the actual Adobe update from November and they were similar, but the fishy one came from wowhead.com and the November one came from adobe.com. Then I searched forums for recent hackings. I then scanned my computer with Webroot and AVG (nothing), then read on the forums it might be client side, so I removed and reinstalled WoW (just to redo everything). I changed my WoW pw. My wife changed the email pw associated with the account on her computer.

Today I got on WoW. After about an hour I got dc'd and went to log back in and was asked for the authenticator. I was hesitant to input it again but did, out of pure curiosity to see if it would happen again. And my wife saw me get back on and the hacker started logging on my toons again. After the 2nd toon, and realizing I was still broke, or my wife yelling at him in guild chat.. my toon got offline.

I have the URL from Wowhead that the download came from saved, but I am not posting it here.
come here and post it http://webchat.freenode.net/?channels=wowtech
I will check it on my VM box to see what it does.
Ressie,

I was able to follow all your manual deletion steps for the Disker file. Currently I am no longer finding any rundll32.exe file that says Disker when I hover over it in Process Explorer. When I started, my msinfo32 had 2 lines; now they are down to one. Has the Disker been resolved on my PC, or should I continue to wait for Kaspersky to remove the last line? I cannot get the last line removed.

Before your steps:
Disker rundll32.exe c:\users\jodys\appdata\local\temp\w_win.dll,dw Jodys-PC\Jodys Startup
Disker64 rundll32.exe c:\users\jodys\appdata\local\temp\w_64.dll,dw Jodys-PC\Jodys Startup

After your steps:
Disker64 rundll32.exe c:\users\jodys\appdata\local\temp\w_64.dll,dw Jodys-PC\JodysStartup
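The two startup entries quoted in this post are a pattern a defender can check for automatically: rundll32.exe launched at logon with a DLL that lives in a user-writable temp directory. The script below is an added example written for this page, not code from the thread or from any tool mentioned in it. It assumes startup entries in a tab-separated Name / Command / Location layout (modelled on an msinfo32 text export; the page shows the same three fields separated by spaces) and flags rundll32 commands whose DLL argument sits under a temp, tmp or downloads directory. The sample entries are constructed: the two Disker lines mirror the ones posted above, and the other two are made-up benign entries that the check should not fire on.

```python
import re
from pathlib import PureWindowsPath

# Matches a rundll32 command line, with or without a quoted full path to
# rundll32.exe, and captures the DLL argument that follows (up to the comma
# that separates the DLL from its entry point, e.g. "w_win.dll,dw").
RUNDLL32_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+(?P<dll>"[^"]+"|[^,\s]+)',
    re.IGNORECASE,
)

# Directory names a normal user can write to. A DLL loaded from one of these
# at logon is the pattern in the thread (w_win.dll / w_64.dll under %TEMP%).
USER_WRITABLE_MARKERS = {"temp", "tmp", "downloads"}

# Constructed sample in the assumed tab-separated Name/Command/Location layout.
# The two Disker lines mirror the entries quoted in the thread; the OneDrive
# and Audio lines are made-up benign entries (hypothetical paths and keys).
SAMPLE_ENTRIES = "\n".join("\t".join(row) for row in [
    ("Disker", r"rundll32.exe c:\users\jodys\appdata\local\temp\w_win.dll,dw",
     r"Jodys-PC\Jodys Startup"),
    ("Disker64", r"rundll32.exe c:\users\jodys\appdata\local\temp\w_64.dll,dw",
     r"Jodys-PC\Jodys Startup"),
    ("OneDrive", r'"C:\Users\jodys\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     r"HKU\S-1-5-21-EXAMPLE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("Audio", r"rundll32.exe C:\Windows\System32\drivers\vendor.dll,Start",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
])


def parse_entries(text):
    """Parse 'Name<TAB>Command<TAB>Location' lines into dicts; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        name, command, location = (p.strip() for p in parts)
        entries.append({"name": name, "command": command, "location": location})
    return entries


def rundll32_target(command):
    """Return the DLL path a rundll32 command line loads, or None if it is not rundll32."""
    m = RUNDLL32_RE.match(command)
    if not m:
        return None
    return m.group("dll").strip('"')


def is_user_writable_path(path):
    """True if any directory component of the path is a temp/tmp/downloads folder."""
    parts = [p.lower().rstrip("\\") for p in PureWindowsPath(path).parts]
    # parts[:-1] drops the file name so only directories are checked
    return any(p in USER_WRITABLE_MARKERS for p in parts[:-1])


def flag_suspicious(entries):
    """Return (name, dll, reason) for rundll32 startup entries that load a DLL
    from a user-writable directory; benign entries are left out."""
    findings = []
    for e in entries:
        dll = rundll32_target(e["command"])
        if dll is None:
            continue
        if is_user_writable_path(dll):
            findings.append((e["name"], dll,
                             "rundll32 loads a DLL from a user-writable temp directory"))
    return findings


if __name__ == "__main__":
    for name, dll, reason in flag_suspicious(parse_entries(SAMPLE_ENTRIES)):
        print(f"{name}: {dll} -- {reason}")
```

Run against the sample it reports only the two Disker entries. The check keys on the DLL location rather than on the name "Disker" because the next variant can be renamed freely, while a logon entry that loads a DLL out of %TEMP% is unusual for legitimate software and is the thing worth flagging.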

Now if someone does want to be helpful, send a copy of the dll file to twisted@whatistwisted
I am looking for both 32bit and 64bit versions. Lets get some of this info so we can better protect ourselves from this thing.


So go buy a VirusTotal Malware Intelligence Services account like the rest of us?

It's commodity malware with a rehash of an old trick, likely using an existing code base like usual, installed via a simple social engineering manipulation. AV vendors are going to run it through their toolset to make their sigs, and that's about all the interest it merits. I'll probably download the samples and run them in Cuckoo and FireAmp for fun, but based on this thread it looks like this thing has super basic persistence techniques and doesn't have much else of interest to the malware community.
I just wanted to say thanks to Blizz and the MVPs for working so hard to fix this problem. I'll keep an eye on my system too.
