New(ish) man-in-the-middle trojan - HIMYM.dll

Technical Support
I just fell victim to a man-in-the-middle attack on my account (which has an authenticator on it). I was able to recognize the signs quickly enough to change my password from an uncompromised computer and log in from there to kick the baddies off with minimal damage. However, the last ~12 hours have had me trying to figure out where it was so I could clean my system without formatting. I found lots of information about emcor.dll, but this wasn't present on my system. What I found on my computer was "HIMYM.dll." (I guess how he met their mother was his account got hacked and he found time to have a social life)

You will find it in your registry at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\" although I have also seen reports of it appearing in "HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\MSConfig\startupreg".

The key is called "Disker" and its Data string is: rundll32.exe C:\Users\<Your username>\AppData\Local\Temp\HIMYM.DLL,DW

It shows up in the task manager as "rundll32.exe," so it looks innocuous. Note that there are many legitimate reasons why this process can show up in your task manager and the presence of rundll32.exe in your process list does NOT indicate you have been compromised.

Going to the location indicated in this registry key, you will find HIMYM.dll. To remove it, first delete any registry key you found (search the registry for HIMYM.dll to be safe and certain it's not anywhere else) then end any rundll32.exe tasks you might find in your task manager, then delete the actual file. Restart your computer (you may be forced to do so as ending rundll32 can make things stop working or make your computer angry depending on what you run).

For me, the file HIMYM.dll has the following information:
File Description: Cedyusd6y Acfieyerti ICD
Company: Hcnydtri Cjeuqwof
File Version: 4.0.8.0
Date Created: 18/03/2012 6:21 AM
Size: 108 KB

MSE did not detect this file. It seems invisible to many other scanners as well--Virscan.org ran it through 36 different scanners, and more than half did not see anything suspicious about it. You can see which ones detected it and which did not here: http://i.imgur.com/37fzE.png

I don't go to sketchy sites. I use Firefox with the most up-to-date version of adblock and noscript. I wasn't even using my computer at 6:21 AM on Sunday, so I expect it was a vulnerability in uTorrent 3.1.2.

What happens if you have this file on your system? The next time you log in to WoW, you will be prompted for your authenticator code. You'll be sure you put it in correctly, but it will tell you it's wrong. It wasn't. What happened is the trojan took what you put in, sent the real code to an unauthorized party, and sent a false code to Blizzard to cause them to send the "you entered incorrect information" code back at you. As soon as it tells you your information was entered incorrectly, you have been compromised; the process is automated and VERY fast.

The earliest mention of HIMYM.dll I can find on google is in January of this year. It might be worth spreading this information so people who have fallen victim to this attack but can't find emcor.dll can figure out what else might be lurking on their system.
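The check described above (an autorun value that launches rundll32.exe against a DLL dropped in the user's Temp directory) is easy to automate. The script below is an added example, not part of the original post: it parses Run-key command lines, extracts the DLL path and export name, and flags only DLLs loaded from user-writable directories, so ordinary rundll32 entries such as vendor control-panel loaders are not reported. The sample entries are constructed for illustration (the "NvCplDaemon" and "OneDrive" values are stand-ins for benign autoruns); the `--live` mode, the `USER_WRITABLE_DIRS` list and the handling of the MSConfig `startupreg` subkeys (read from their `command` value) are assumptions of this example.

```python
"""
Flag autorun entries that load a DLL through rundll32.exe from a
user-writable location (e.g. %LOCALAPPDATA%\Temp), the pattern of the
"Disker" value described in the post.
"""
import re
import sys

# Autostart locations named in the post.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
MSCONFIG_KEY = r"Software\Microsoft\Shared Tools\MSConfig\startupreg"

# Directories an unprivileged user (and thus user-level malware) can write to.
# Assumed list for this example; extend to taste.
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\downloads\\",
)

# "rundll32.exe <dll>,<export> [args]", with or without quotes / full path.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


def parse_rundll32(command):
    """Return (dll_path, export) if `command` launches a DLL via rundll32, else None."""
    m = RUNDLL32_RE.match(command)
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def classify_run_entry(name, command):
    """Classify one autorun value; None when it is not a rundll32 launcher."""
    parsed = parse_rundll32(command)
    if parsed is None:
        return None
    dll, export = parsed
    low = dll.lower().replace("/", "\\")
    hits = [d for d in USER_WRITABLE_DIRS if d in low]
    return {
        "name": name,
        "dll": dll,
        "export": export,
        "suspicious": bool(hits),
        "reason": ("DLL loaded from user-writable directory " + hits[0].strip("\\"))
        if hits else "DLL in system/program directory (rundll32 alone is not an indicator)",
    }


def scan_entries(entries):
    """entries: {value name: command line}. Returns only the suspicious findings."""
    out = []
    for name, cmd in entries.items():
        info = classify_run_entry(name, cmd)
        if info and info["suspicious"]:
            out.append(info)
    return out


def read_live_entries():
    """Windows only: HKCU Run values plus MSConfig startupreg 'command' values."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries[name] = str(data)
            i += 1
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MSCONFIG_KEY) as key:
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(key, i)
                    with winreg.OpenKey(key, sub) as subkey:
                        cmd, _ = winreg.QueryValueEx(subkey, "command")
                    entries["msconfig:" + sub] = str(cmd)
                except OSError:
                    if i >= 1024:  # EnumKey exhausted or unreadable subkey
                        break
                i += 1
                if i > 1024:
                    break
    except OSError:
        pass  # key absent on many systems
    return entries


# Constructed sample data: one entry shaped like the post's "Disker" value.
SAMPLE_ENTRIES = {
    "Disker": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\HIMYM.DLL,DW",
    "NvCplDaemon": r"RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    live = sys.platform == "win32" and "--live" in sys.argv
    for f in scan_entries(read_live_entries() if live else SAMPLE_ENTRIES):
        print(f"[!] {f['name']}: {f['dll']} export {f['export']} -- {f['reason']}")
```

Run without arguments it scans the constructed sample and reports only the "Disker" entry; on Windows, `--live` reads the current user's Run key and the MSConfig startupreg subkeys instead. A hit is only a lead: confirm by locating the DLL, checking its version resource and hashing it before removing the value, the process and the file in the order the post gives.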
Hey Shannon.

Come visit me in channel please?
________________________________________________
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
There is one big hole in your whole post.

The code you enter is good for about 1 minute tops.

If there is no one to take that code and use it immediately, the code is useless, and you need, statistically, 100 codes in sequence to actually break the algorithm, since it is a 100-million-number code. It may be 1000. It's been so long since we did the math, so to speak, when I worked at Ford.

So either they immediately log in or they can't get in.

BTW, I typo about once every 10 logins just on my password. So typos entering the code are quite possible.
The point is not to login immediately. The point is to convince unwary players to remove a seemingly malfunctioning authenticator from their account - and it's been quite successful at that.

As soon as the player does so, THEN they login and take over the account.
THANK YOU!

I was getting the authenticator problem and *FIVE* different virus scanners could not find this trojan. Didn't want to deal with a system reset so I took the authenticator off. How I haven't been hacked in the meantime is beyond me, but I just nuked this bugger and I'll put my authenticator back on immediately.

Not sure why this signature hasn't been added to the databases, seems pretty easy to detect.
None of the software I used detected it; I manually removed it.
I am having this issue as well, but I am unable to remove this. I do not know why, and Norton will not take it off.
There are many ways to protect your computer. One way is to use https instead of http, which requests a secure connection from the website you're visiting; though this doesn't work with all websites, it does help a lot when you're surfing the internet. Also, I recommend Bitdefender as an antivirus. It's great software and has a lot of features that will help your computer stay secure; it even checks your Facebook for hackers. Also consider getting a router and enabling a firewall; Windows Firewall and the router's will help a lot. Also consider hiding your IP address, which is an easy process; changing it every couple of months will help too. Make sure your IP is changeable too; your ISP can tell you if your IP is dynamic or static. Also, a good thing to do is to hotkey a "close all connections" button. It's a great "oh crap" button and will give you time to kill any connection that a hacker might already have. Also, while I'm here, make sure to disable remote connection, because if it's enabled it can be forced. Changing your password every 2 weeks for WoW also helps a lot.

BTW, Bitdefender did detect it on my system. I injected HIMYM.dll manually, and it got blocked and deleted.
04/18/2012 09:56 PM Posted by Sallivan
I am having this issue as well, but I am unable to remove this. I do not know why, and Norton will not take it off.


I wouldn't recommend Norton. Bitdefender is a good program; I would use that. Or, if you're broke, AVG should be sufficient, though I'm not sure if it will work for HIMYM.dll.
I cannot seem to find anything in my registry keys, but it will still not allow me to remove it.
Okay, now it is removed. Thank you for the help. I am still running some scans to make sure it is all off. This has helped me a lot; he hit my account 2 different times and got rid of all my gear. Hope this fixes it :)
THANK YOU SO MUCH!!! I was wondering why my login process takes forever to process. It turns out the trojan sends out my password to an unknown entity while my WoW client freezes for about 40 seconds. I've successfully removed the trojan by following the steps you specified above, and my login process now proceeds as usual without the frozen-client part.

Thanks again!!!!!!!!!!!
Trying to log into StarCraft 2, it says my login info is incorrect, but it's not. I'm able to log into Diablo 3 and WoW because they don't prompt for my auth code, meaning my code was invalid. Trying to resync it just tells me the sync was unsuccessful. I then tried to remove my auth, but even then it still says my code is incorrect. I'm unable to find any trace of the files you've described but am getting the same symptoms. Is there a dummy fix I'm overlooking, or should I be worried? I also have put money into the auction house for Diablo 3, not linking my personal card, but a gift one. Any more insight on this would be greatly appreciated.
Jhericurl - this fits more over on the Customer Service forum. You should make your own post over there. The support forums like folk to make their own posts. This is the fix-my-computer forum, and I think the GMs might be gone for the day.
