*Compromised accounts* Potential Trojan

(Locked)

Support Forum Agent
Hello,

Update: With the help of our awesome MVPs, we've identified the source and a method to remove this Trojan. Please check this update for the full information.

-------------------------------------------------------------------------------------
We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection. The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them.

If your account has been compromised recently, I'd recommend looking for the Trojan. It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64". It will usually appear like this:

Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup


We are currently looking for more information on the Trojan. We have not been able to locate any anti-virus programs that will remove it besides just reformatting your system. If you have been recently compromised and find it on your system please reply with the following pieces of information.

  • Your MSInfo.
  • A list of any addons you recently installed along with where you got them.
  • A list of any programs you recently installed along with where you got them.
  • Any security programs you have run and their results.
    Edited by Jurannok on 1/3/2014 10:25 AM PST
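As an added defender-side example (not code from the thread or from Blizzard), a small Python checker that reads an MSInfo text export and flags the startup entries described above, both by the "Disker"/"Disker64" names and by the behaviour they share (rundll32 loading a DLL from the user's %TEMP% folder, so a renamed entry still shows up). The section name "[Startup Programs]" and the tab-separated columns are assumptions about the export format; the sample export is constructed.

```python
import re

# Constructed sample of an MSInfo text export (not a real file): the section name and
# tab-separated columns are assumed; the two Disker rows mirror the post's entries.
SAMPLE_MSINFO = "\n".join([
    "[Startup Programs]",
    "",
    "\t".join(["Program", "Command", "User Name", "Location"]),
    "\t".join(["OneDrive", r'"c:\users\name\appdata\local\microsoft\onedrive\onedrive.exe"',
               r"Name-PC\Name", r"HKU\<sid>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"]),
    "\t".join(["Disker", r"rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw",
               r"Name-PC\Name", "Startup"]),
    "\t".join(["Disker64", r"rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw",
               r"Name-PC\Name", "Startup"]),
])

KNOWN_NAMES = {"disker", "disker64"}  # entry names given in the post
# rundll32 loading a DLL from the user's %TEMP% folder: the behaviour both quoted entries share.
TEMP_DLL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S*\\appdata\\local\\temp\\[^,\s]+\.dll)", re.I)

def parse_startup_entries(text):
    """Return (name, command) pairs from the [Startup Programs] section."""
    entries, in_section = [], False
    for line in text.splitlines():
        if line.startswith("["):
            in_section = line.strip().lower() == "[startup programs]"
            continue
        if not in_section or not line.strip():
            continue
        # Tab-separated export columns, or the space-separated form quoted in the post.
        fields = line.split("\t") if "\t" in line else line.split(None, 1)
        name = fields[0].strip()
        command = fields[1].strip() if len(fields) > 1 else ""
        if name.lower() == "program" and command.lower() == "command":
            continue  # column header row
        entries.append((name, command))
    return entries

def find_suspicious(text):
    """Flag entries by the known names or by the rundll32-from-%TEMP% pattern."""
    hits = []
    for name, command in parse_startup_entries(text):
        reasons = []
        if name.lower() in KNOWN_NAMES:
            reasons.append("entry name matches Disker/Disker64")
        if m := TEMP_DLL.search(command):
            reasons.append("rundll32 loads a DLL from %TEMP%: " + m.group("dll"))
        if reasons:
            hits.append({"name": name, "command": command, "reasons": reasons})
    return hits
```

Run `find_suspicious(open("msinfo.txt", encoding="utf-16").read())` against a real export (MSInfo text exports are commonly UTF-16; adjust the encoding if yours differs) and review every hit rather than trusting the name alone.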
    90 Draenei Shaman
    10150
    01/02/2014 10:21 AM Posted by Jurannok
    even if they are using an authenticator for protection.


    Does this apply to both mobile and key fob authenticators?
    Support Forum Agent
    Does this apply to both mobile and key fob authenticators?


    Yes.
    90 Night Elf Druid
    12980
    It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64".

    Can the Trojan be seen before you are compromised by doing this? Would it be worthwhile to check before logging into the game again?

    Also, to your knowledge can they use the authentication from forum login to log into the game or account management, or is that separate?
    Edited by Hippeaux on 1/2/2014 11:32 AM PST
    Support Forum Agent
    Can the Trojan be seen before you are compromised by doing this?


    Unfortunately we've not yet seen a way to spot the Trojan until after it goes active. We've also not found a security program that can see it or remove it.

    Also, to your knowledge can they use the authentication from forum login to log into the game or account management, or is that separate?


    We're not positive, although if I had to guess I'd say the game login.
    90 Dwarf Hunter
    8175
    Does this affect Macintosh?
    MVP - Technical Support
    90 Human Priest
    12965
    Jurannok: I sent Vrak an email, regarding this. We'd like to help. :)
    90 Blood Elf Rogue
    10660
    Is this PC specific or are Mac users in danger too?
    Support Forum Agent
    Trogger,

    The "Disker" Trojan would not run on a Macintosh. We haven't received any reports of a Trojan like this for Macintosh systems.
    90 Blood Elf Death Knight
    8330
    I use the Desktop App to log in, I'm always logged in, am I safe?
    1 Pandaren Mage
    0
    We need this posted on EU for us Europeans.... :)
    MVP - Technical Support
    90 Human Priest
    12965
    I use the Desktop App to log in, I'm always logged in, am I safe?


    I would assume you're safe until it asks for your authenticator code.

    At which point I'd check msinfo to see if those are running. If not, it should be safe to input the authenticator code.
    Edited by Ressie on 1/2/2014 1:31 PM PST
    90 Blood Elf Paladin
    11360
    Any idea how players are being infected with these trojans? Just clicking bad links or are ads on sites like MMO-Champ infecting people?
    90 Blood Elf Death Knight
    8330
    Thank you for the answer, I've checked and there is nothing of "Disker" or "Disker64" on my PC, I'll verify again when I need to enter the authenticator, thanks again =D
    90 Blood Elf Warlock
    18130
    Hi, thank you for the information regarding these trojans.

    For anyone who has been known to be infected, have you been able to isolate components of the Trojan and submit to a site like virustotal for analysis? I'm curious as to what preliminary detections find and detect it as. Also please submit the samples directly to various AV vendors so they can begin to roll out definitions that detect and remove the Trojan.

    I'm bookmarking this thread because I am very interested in where this is coming from, how it's finding its way onto systems (phishing, misrepresented download, browser/java exploit, etc).
    Edited by Starien on 1/2/2014 1:42 PM PST
    90 Orc Warrior
    11025
    I know you said you have not found a way to remove it yet except a complete system reformat. In the meantime, maybe it is possible to find a way to keep it from transmitting data that would compromise accounts?

    I.e. blocking the port that it might use for that.
    90 Draenei Paladin
    0
    Blizz, make sure you send knowledge of this to all antivirus and antispyware vendors. This is huge.
    90 Pandaren Priest
    12475
    Can we expect to see this mirror posted to the EU Tech Support forums?
    90 Blood Elf Hunter
    15080
    Since Christmas, I have seen a few players complaining about this on the CS forum. One thing most of them had in common was they were playing on new computers or had recently added new upgrades/peripherals.

    I remember that a few years ago some digital picture frames from China came loaded with malware designed to infect any computers they got hooked up to. The malware was designed to harvest online game account information. I wonder if this might be a similar thing with these "new" computers/devices.
    MVP - Technical Support
    90 Human Priest
    12965
    Blizz, make sure you send knowledge of this to all antivirus and antispyware vendors. This is huge.


    For that, you need to isolate the infection and upload it. They're looking for additional infected users who are willing to take the time to go through the steps with them so they can do that.