*Compromised accounts* Potential Trojan

(Locked)

MVP - Technical Support
90 Blood Elf Hunter
17510
01/02/2014 06:48 PM, posted by Ectophob
Sry, but can't see any connection between this link and the Disker-Malware...


Look at some of the files listed:

C:\DOCUME~1\User\LOCALS~1\Temp\w_win.dll
C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\setups.exe
C:\DOCUME~1\User\LOCALS~1\Temp\w_win.dll.123.Manifest


These files are consistent with what we're seeing on an infected system in #wowtech. Ressy's manually extracting the malware on a system right now, and we should have a sample ready to submit to anti-malware scanners (i.e. Malwarebytes) momentarily.
85 Blood Elf Hunter
1510
sorry about that my bad
90 Draenei Mage
11490
Do you have any details on the Wowhead blocked intrusions?

Unfortunately, no. As I mentioned, my AV doesn't archive that far back. I visit Wowhead frequently and, if memory serves, had visited multiple pages on Wowhead during that session before receiving the high-risk intrusion attempt "blocked" warning.
90 Blood Elf Priest
13195
01/02/2014 07:04 PM, posted by Sufia
Do you have any details on the Wowhead blocked intrusions?

Unfortunately, no. As I mentioned, my AV doesn't archive that far back. I visit Wowhead frequently and, if memory serves, had visited multiple pages on Wowhead during that session before receiving the high-risk intrusion attempt "blocked" warning.


Do you use ad blocks/script blockers?
90 Draenei Mage
11490
Do you use ad blocks/script blockers?

Nope. I know, I should. But nope.
90 Blood Elf Priest
13195
01/02/2014 07:31 PM, posted by Sufia
Do you use ad blocks/script blockers?

Nope. I know, I should. But nope.


Alright, well it's possible it came from ads on wowhead then.

Something for the techy people to check into.
MVP - Technical Support
90 Blood Elf Hunter
17510
Good news: Malware samples have been obtained and they're being shared with anti-malware scanners. Ressie is also in the process of writing a guide for efficient removal until these are in antivirus databases, so keep your eyes peeled.

Big thanks to Ressie for finding, extracting, and curing the malware, and Cymbol for providing her with the original system to work with! Stay tuned for updates - things should be looking up very soon.
Edited by Kodiack on 1/2/2014 7:34 PM PST
90 Blood Elf Priest
13195
Good news: Malware samples have been obtained and they're being shared with anti-malware scanners. Ressie is also in the process of writing a guide for efficient removal until these are in antivirus databases, so keep your eyes peeled.

Big thanks to Ressie for finding, extracting, and curing the malware, and Cymbol for providing her with the original system to work with! Stay tuned for updates - things should be looking up very soon.


Hooray. Do we know where it came from yet?
90 Blood Elf Mage
7190
RESSIE THANK YOU SOOOO MUCH!!

I hope you were able to gain information that will surely help others with this issue.
I can't express my gratitude fully enough - <3 You ROCK!

Kudos to you and a mighty bow!
MVP - Technical Support
90 Blood Elf Hunter
17510
01/02/2014 07:39 PM, posted by Holykitty
Hooray. Do we know where it came from yet?


It sounds like it's from an illegitimate Curse Client. The official, supported Curse Client WILL NOT infect your system.

There's still no guarantee that this is the case, but so far it's what everything is pointing to. It would make sense as well because the malware specifically targets World of Warcraft.
MVP - Technical Support
100 Human Priest
13375
Cymbol has been very patient, and let me remote into her system to have a look around to attempt to find what installed this. It's looking like a FAKE Curse Client - i.e. if you searched for Curse Client via major search sites, you might have clicked an ad instead of the actual Curse Client page.

I got a copy of it, which Blizzard & their Warden team have. Submitted to Malwarebytes, Avast, MSE, Kaspersky, McAfee, Avast, SuperAntiSpyware, TrendMicro.

Lots of antiviruses are now scanning for it: https://www.virustotal.com/en/file/850dc3ebb2437edaf3352eee79ee704cdb881779684c2128f1f07d8dd79c0344/analysis/1388714816/

And Cymbol's system has been cleaned!

Removal Instructions:
  • Download AutoRuns:
    http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
    Run Autoruns.exe
    Find Disker & Disker64 in the list. Uncheck the boxes on the left for each line, then right click each, and select "Delete".
  • Download ProcessExplorer:
    http://technet.microsoft.com/en-ca/sysinternals/bb896653.aspx
    Run procexp.exe
    Under explorer.exe, you should see a rundll32.exe under it. There may be several, so find the one that when you hover over it, the popup text says "Disker" and/or "Disker64". Right-click the rundll32.exe, and select "Kill Process", and click OK.
  • Download SuperAntiSpyware:
    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
    Uncheck both options in the bottom left, and click Express.
    After it installs, close it.
    Navigate to the c:\users\name\appdata\local\temp\ folder, where "name" is your username.
    Right click w_win.dll, and select "SUPERDelete File Removal". It'll bring you to a screen asking if you REALLY want to delete the file, and to type YES. Type YES.
    Do the same for w_64.dll.
  • Reboot normally and it should be gone.
    Uninstall SuperAntiSpyware, and delete processexplorer & autoruns.

________________________________________________
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
Edited by Ressie on 1/3/2014 1:09 PM PST
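The removal steps above are a manual walk through Autoruns, Process Explorer and the temp folder. The script below is an added example, not Ressie's or anyone else's code from this thread: a read-only PowerShell triage that looks for the same three indicators the post names (the w_win.dll / w_64.dll files in the user's temp folder, a rundll32.exe instance hosting one of them, and the "Disker" / "Disker64" autorun entries) and reports what it finds without deleting or killing anything. Two details are assumptions rather than facts from the thread: that the Autoruns entries correspond to value names under the standard Run registry keys, and that the rundll32.exe host shows the DLL path on its command line. Get-FileHash needs PowerShell 4.0 or newer; the hash is printed so it can be compared with the VirusTotal page linked above, bearing in mind that the sample Ressie uploaded may not be the same file as w_win.dll.

```powershell
# Added example (not from the thread or its posters): read-only triage for the
# Disker indicators named in the removal instructions. Assumptions beyond the
# thread: the Autoruns entries "Disker"/"Disker64" are value names under the
# standard Run keys, and the rundll32.exe host carries the DLL path on its
# command line. Nothing here deletes or kills anything.

$Dlls         = @('w_win.dll', 'w_64.dll')   # dropped files named in the post
$AutorunNames = @('Disker', 'Disker64')      # Autoruns entry names in the post
$RunKeys      = @(                            # assumed persistence locations
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$Findings = New-Object System.Collections.Generic.List[object]

# 1. Dropped DLLs in the per-user temp folder (c:\users\name\appdata\local\temp).
#    The SHA-256 is printed for comparison with the VirusTotal link in the post.
foreach ($name in $Dlls) {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $Findings.Add([pscustomobject]@{
            Kind   = 'File'
            Where  = $path
            Detail = "size=$($item.Length) modified=$($item.LastWriteTime) sha256=$hash"
        })
    }
}

# 2. rundll32.exe instances hosting one of the DLLs (what Process Explorer
#    shows in its hover text).
foreach ($proc in (Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'")) {
    $cmd = $proc.CommandLine
    if (-not $cmd) { continue }
    foreach ($name in $Dlls) {
        if ($cmd -like "*$name*") {
            $Findings.Add([pscustomobject]@{
                Kind   = 'Process'
                Where  = "PID $($proc.ProcessId) (parent PID $($proc.ParentProcessId))"
                Detail = $cmd
            })
        }
    }
}

# 3. Persistence: Run-key values named Disker / Disker64 (assumed location of
#    the entries Autoruns lists).
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $AutorunNames) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $Findings.Add([pscustomobject]@{
                Kind   = 'Autorun'
                Where  = "$key\$name"
                Detail = [string]$props.$name
            })
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Disker indicators found (temp DLLs, rundll32 host, Run-key entries).'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and other users' processes are readable; an empty result only means none of these three specific indicators was found, so a system that still misbehaves should get the full Autoruns and Process Explorer review described in the post.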
100 Night Elf Druid
13590
Awesome news! How long does it usually take for Malwarebytes and other scanners to update to detect and squash the trojan after they get the info?
90 Human Paladin
LA
11235
Would you, by chance, be submitting to Webroot?
MVP - Technical Support
90 Blood Elf Hunter
17510
01/02/2014 07:48 PM, posted by Hippeaux
Awesome news! How long does it usually take for Malwarebytes and other scanners to update to detect and squash the trojan after they get the info?


Not long at all. I wouldn't be surprised if they were reliably detecting them in the next 24 hours or so.
100 Human Warrior
13350
So I went off and programmed me an Authenticator that works as an executable for Windows XP/ME/7, and it's based off the Mobile app for Android/iPhone.

When you say it grabs it from the input box, do you mean it does it via keystrokes, or from screencapture?

The reason why I ask this is that I copy/paste my authenticator into my input box when I'm prompted for one.

I just want to know if I'm safe or not from this trojan.

If for whatever reason Blizzard would like a copy of my Authenticator program for inspection, or whatnot, they can feel free to email me through my account associated with my Battle.net account.
90 Blood Elf Mage
7190
Thanks Ressy. It was a pleasure to help in any way that I could.

Much thanks to the whole team actually. You are very much appreciated!!

I wish success for all those who were infected and I will contact Blizzard about my losses. <3

BIG HUGS to all. :)
90 Blood Elf Priest
13195
Great job guys. :) I haven't been infected but wanted to have an idea where it came from before closing this browser window. Haha.

Thanks Ressie for finding and isolating the issue, as well as fixing it. And thanks to Cymbol for letting her. :)
55 Gnome Death Knight
0
I've been keeping an eye on this, even though I'm not infected (I believe, I'll probably be going through the steps Ressie gave just to soothe my mind), and I have to say, I am impressed. Very good job.
90 Human Rogue
17170
Strong work folks. I'm going to keep this thread to point people to who think that Curse is doing a bad job.