*Compromised accounts* Potential Trojan

(Locked)

90 Night Elf Rogue
10715
Does this affect people using the "Battle.Net Launcher", provided that you don't have to type in your password or authenticator?


01/02/2014 01:30 PM Posted by Ressie
I use the Desktop App to log in, I'm always logged in, I'm safe?


I would assume you're safe until it asks for your authenticator code.

At which point I'd check msinfo to see if those are running. If not, it should be safe to input the authenticator code.


So, the way it works is to intercept your auth token? Also, is it traditionally pulling account info from non-authenticator accounts as well?

T.I.A.
90 Night Elf Rogue
18770
01/02/2014 02:55 PM Posted by Scrappý
Could be a hidden malware inside one of the addons through curse client is what I think he was getting at.


^This. I always verify the program is legit, just wasn't sure if you guys think this is possibly from an addon of some form or not. Most of the addons I use are all common-use ones (DBM, Skada, etc), so I doubt I'd get something like that from it anyways (despite friends swearing at me to uninstall Curse because 'they've had compromise issues repeatedly since Wrath' - I haven't had issues with it since I started using it years ago, so meh).

Anywho. Hubby's comp came up clean, no news is good news. Hope this crap hasn't hit too many people :<.
90 Blood Elf Hunter
15265
Dominitari, is your husband using a new computer, or has he added any new peripherals, flash drives, MP3 players, etc.? New devices have been known to carry malware.
MVP - Technical Support
90 Human Priest
12965
01/02/2014 03:05 PM Posted by Dominitari
Could be a hidden malware inside one of the addons through curse client is what I think he was getting at.


^This. I always verify the program is legit, just wasn't sure if you guys think this is possibly from an addon of some form or not. Most of the addons I use are all common-use ones (DBM, Skada, etc), so I doubt I'd get something like that from it anyways (despite friends swearing at me to uninstall Curse because 'they've had compromise issues repeatedly since Wrath' - I haven't had issues with it since I started using it years ago, so meh).

Anywho. Hubby's comp came up clean, no news is good news. Hope this crap hasn't hit too many people :<.


This has actually happened before (addon being infected with malware). Auctionator was infected back in January 2013 with malware. An addon author had their account hacked, and a bad copy was uploaded to both Curse & WowInterface.

The thing is, there's no way for either WoW or Curse Client to execute any of that malware downloaded on the system. You had to manually go to the folder, and start opening files to get it to execute and start running. Which people rarely do.
It was actually quite easy to deal with that infection provided you hadn't manually run it. Delete the addon (or update it), and you're done.

As for those stating this was from Curse Client itself:
I reinstalled Curse Client over the weekend due to removing a bunch of .NET stuff from my system without remembering Curse requires some of that, and reinstalled it from an up to date link on their site. I have no Disker appearing.

It is NOT from the valid/genuine Curse Client.
________________________________________________
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
90 Draenei Shaman
18835
I had this virus get introduced recently (I think). Fortunately, if there can be a fortunately here, there was very little happening on my system at the time -- it was getting hardware maintenance performed. The specific hardware maintenance being performed was a replacement video card, from an AMD card to an NVidia card. In the process of downloading the appropriate drivers, the technician also installed a non-Dell and non-NVidia utility called "Display Driver Uninstaller." My virus catching program does not detect it on that file -- or any other file, for that matter. But since that's the only thing that I recently installed, and since the problem appeared right after I did that, and I didn't really use the system for anything else at the time, that's my personal top suspect.

I can send my MSinfo file in -- it seems a bit large to be included as part of a post -- and I would be happy to help track down the details if I can, as this has caused me and my guild a lot of grief.
90 Worgen Priest
7440
Does this affect people who don't use addons, or only people that do? I am a bit confused because I use my authenticator.
90 Human Hunter
2535
I would recommend using Cryptoprevent to lock the appdata folder

http://www.fooli!@#$.com/vb6-projects/cryptoprevent/
90 Worgen Priest
7440
I was just wondering because I don't use addons.
MVP - Technical Support
90 Human Priest
12965
I was just wondering because I don't use addons.


This doesn't look to be addon-related. It does however affect those with authenticators if you have the keylogger.
55 Gnome Death Knight
0
Thanks for mentioning this. Always scary (for me anyway), malware like this.

I did the MSInfo thing a few times and didn't find it, so I can assume I'm in the clear, right? (Did it without loading up the battle.net app, did it with it up and asking for the authenticator) Or reasonably in the clear, anyway.

Hope it can get squashed soon!
90 Human Warrior
9895
Just had a battle.net launcher update. Does this pertain to the Trojan situation?
Support Forum Agent
Does this affect people who don't use addons, or only people that do? I am a bit confused because I use my authenticator.


While this is not conclusive, every occurrence I've examined has been a new or recently reformatted system that was hit shortly after downloading addons. There have been no other hardware or software commonalities that can be seen in an MSInfo. Due to these observations, something related to addons or the acquiring of addons leads our suspect list. Again though, not conclusive.

Also, I just received a report that an updated Malwarebytes might have removed the infection, but this is unconfirmed. We're trying to get removal logs from the player to examine.
90 Blood Elf Mage
7140
We are currently looking for more information on the Trojan. We have not been able to locate any anti-virus programs that will remove it besides just reformatting your system. If you have been recently compromised and find it on your system please reply with the following pieces of information.


Your MSInfo.

A list of any addons you recently installed along with where you got them.
A list of any programs you recently installed along with where you got them.
Any security programs you have run and their results.

I found Disker64 in my system.

The addons that I have installed are : TRP2 ( Total Role Play 2), GHI ( Gryphon Heart Items), Atlas loot, Battle Pet Quality Notifier, Battle Pets Collector, Deadly Boss Mods, Elephant, Pet Battle Teams, and WIM ( Window Instant Messenger).

ALL of these were downloaded from the Curse Game client. I have never had issues with this kind of vicious activity before. I enjoy these addons for Role play.

I have noticed that since removing the actual Cursed Client downloader/startup AND marked my authenticator to ask for my code every single time..I have not been hit.~ YET.

I was hacked Xmas morning and thought I had made my system secure, I removed Cursed Client Downloader-- and redid all my passwords and made my License secure--or so I had thought. Until I was hacked again.. and I was too afraid to return to Blizzard and confess that I had been hacked again. I thought it was me.

Now I have to reformat... I wish Blizzard offered more opportunities such as what these addons offer so I wouldn't have to use them from outside sources. But I am thankful that Blizzard found out what was going on and even though I am a bad girl for using outside agents addons.. I appreciate Blizzard reaching out to rescue our dignities and accounts. <3

The programs I have run are : Avast anti-virus, Jet Clean (registry cleaner), Malwarebytes, and anti-spyware.
MVP - Technical Support
90 Human Priest
12965
Cymbol: Don't reformat just yet.

Come into channel with me & a few other MVPs.. We'd like to try to help you get that off your system without reformatting.

URL: http://webchat.freenode.net/?channels=wowtech
Edited by Ressie on 1/2/2014 4:06 PM PST
90 Goblin Rogue
12460
01/02/2014 03:59 PM Posted by Kaltonis
Does this affect people who don't use addons, or only people that do? I am a bit confused because I use my authenticator.


While this is not conclusive, every occurrence I've examined has been a new or recently reformatted system that was hit shortly after downloading addons. There have been no other hardware or software commonalities that can be seen in an MSInfo. Due to these observations, something related to addons or the acquiring of addons leads our suspect list. Again though, not conclusive.

Also, I just received a report that an updated Malwarebytes might have removed the infection, but this is unconfirmed. We're trying to get removal logs from the player to examine.


Might want to check into the website wowhead as a possible source as well. I received multiple attempted redirects when accessing their site yesterday
90 Tauren Paladin
12740
If I 'Ctrl+F' and typed in Disker, would it show up in the MSInfo? Cause I have a hard time finding it with all this huge long text file

I found the .exe program but it's under a different name. Is it still the Trojan?

THXCfg64 c:\windows\system32\rundll32.exe c:\windows\system32\thxcfg64.dll,rundllentry thxcfg64 Public HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Edited by Popeward on 1/2/2014 4:31 PM PST
MVP - Technical Support
90 Human Priest
12965
If I 'Ctrl+F' and typed in Disker, would it show up in the MSInfo? Cause I have a hard time finding it with all this huge long text file


You should be able to find it like this:
https://dl.dropboxusercontent.com/u/9038867/WoW/MSInfo32%20Startup%20Programs.png
________________________________________________
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
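As an added example (not from this thread, the MVPs, or Blizzard), the following PowerShell script lists the same Run-key autostart entries that MSInfo32's "Startup Programs" view shows, flags any whose name or command line contains "Disker" (the name discussed in this thread), and for each rundll32-hosted entry reports the DLL it loads and that DLL's Authenticode signature status. The "disker" pattern and the set of registry keys are assumptions for illustration.

```powershell
# Added example: enumerate Run/RunOnce autostart keys, flag entries matching the
# "Disker" name from this thread, and show the DLL (plus signature status) behind
# each rundll32 entry so a reader can review an entry like the one posted above.
# Run from an elevated PowerShell prompt so the HKLM keys can be read fully.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed name fragment to look for; taken from the thread, extend as needed.
$suspectPattern = 'disker'

function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties that Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            $dll = $null
            # rundll32 entries look like: rundll32.exe <path>.dll,<entrypoint> [args]
            if ($cmd -match 'rundll32(\.exe)?\s+"?([^",]+\.dll)') { $dll = $Matches[2] }
            # A 'Valid' signature is one input, not proof a file is benign, and
            # 'NotSigned' alone does not make it malicious; review flagged rows by hand.
            $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { $null }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                Dll       = $dll
                Signature = $sig
                Flagged   = ($p.Name -match $suspectPattern) -or ($cmd -match $suspectPattern)
            }
        }
    }
}

Get-RunEntries | Sort-Object Flagged -Descending | Format-Table -AutoSize
```

MSInfo32 also lists items from the Startup folders and other autostart locations; this script covers only the Run/RunOnce registry keys, so an empty result is not a complete clean bill of health.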
90 Tauren Paladin
12740
Thanks, I edited my original post about me finding a similar rundll32.exe but it's under a different name. Thoughts?
90 Draenei Mage
11475
Ran MSInfo and I appear to be clean of Disker. However, on the off-chance this may be even the least bit helpful...

At some time during the last 4-6 weeks my AV program reported prevention of a high-risk intrusion attempt while viewing a Wowhead page. I looked to see if I could dig up details on this but apparently this particular AV program (which I'm reluctant to name publicly) doesn't store data that long. On 12/31, I did find a disturbing record of 41 separate medium-risk blocked attempts for unauthorized access, almost all of them consecutive. From my recollection, these occurred during a time when I was playing WoW.

The only addons I've been running since 12/23 are: Altoholic (with DataStore) and TitanPanel, both downloaded and installed using Curse client.
90 Human Warrior
12065
01/02/2014 01:30 PM Posted by Ressie
I use the Desktop App to log in, I'm always logged in, I'm safe?


I would assume you're safe until it asks for your authenticator code.

At which point I'd check msinfo to see if those are running. If not, it should be safe to input the authenticator code.


Incorrect I would guess personally, since the Desktop App sends your data to the wow servers when you log in to that game specifically if I'm not mistaken.