*Compromised accounts* Potential Trojan

Technical Support
Hello,

Update: With the help of our awesome MVPs, we've identified the source and a method to remove this Trojan. Please check this update for the full information.

-------------------------------------------------------------------------------------
We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection. The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them.

If your account has been compromised recently, I'd recommend looking for the Trojan. It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64". It will usually appear like this:

Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup
We are currently looking for more information on the Trojan. We have not been able to locate any anti-virus programs that will remove it besides just reformatting your system. If you have been recently compromised and find it on your system, please reply with the following pieces of information.

  • Your MSInfo.
  • A list of any addons you recently installed along with where you got them.
  • A list of any programs you recently installed along with where you got them.
  • Any security programs you have run and their results.
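
A detection check for the indicators in the post above, added here as an example and not part of the original thread: it parses the Startup Programs section of an msinfo32 text export (the "[Startup Programs]" header and the tab-separated Program / Command / User Name / Location columns are assumed) and, going beyond the two names given, also flags any rundll32 entry that loads a DLL from the user's temp folder. The sample report is constructed.

```python
import re
# Indicators quoted in the thread: startup entries named Disker / Disker64 that
# use rundll32.exe to load a DLL dropped in the user's local temp folder.
INDICATOR_NAMES = {"disker", "disker64"}
TEMP_DLL_RE = re.compile(r"rundll32(?:\.exe)?\s+[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\s,]+\.dll", re.I)

def startup_section(lines):
    """Yield data rows of [Startup Programs] from an msinfo32 text export (the bracketed
    section name and tab-separated Program/Command/User Name/Location columns are assumed)."""
    in_section = False
    for line in lines:
        row = line.strip()
        if row.startswith("[") and row.endswith("]"):
            in_section = row.lower() == "[startup programs]"
        elif in_section and row and not row.lower().startswith("program\t"):
            yield row

def parse_entry(row):
    """Split a row into its columns: tab-separated from the export, or space-separated as the
    thread quotes it (first token = program, last two = user and location, rest = command)."""
    if "\t" in row:
        program, command, user, location = ([c.strip() for c in row.split("\t")] + [""] * 4)[:4]
    else:
        tokens = row.split()
        program, user, location = tokens[0], tokens[-2], tokens[-1]
        command = " ".join(tokens[1:-2])
    return {"program": program, "command": command, "user": user, "location": location}

def suspicious(entry):
    """Return the reasons an entry matches; an empty list means nothing was flagged."""
    reasons = []
    if entry["program"].lower() in INDICATOR_NAMES:
        reasons.append("startup name matches Disker/Disker64")
    if TEMP_DLL_RE.search(entry["command"]):
        reasons.append("rundll32 loads a DLL from the user's temp folder")
    return reasons

def scan_report(text):
    """Return (program, command, reasons) for every flagged startup entry in the export."""
    entries = [parse_entry(row) for row in startup_section(text.splitlines())]
    return [(e["program"], e["command"], suspicious(e)) for e in entries if suspicious(e)]

# Constructed sample export: one benign entry plus the two entries quoted in the thread.
SAMPLE_REPORT = "\n".join([
    "[System Summary]", "", "OS Name\tMicrosoft Windows 7 Professional", "",
    "[Startup Programs]", "", "Program\tCommand\tUser Name\tLocation",
    "\t".join(["Updater", r'"C:\Program Files\Vendor\updater.exe" /silent', r"Name-PC\Name", r"HKU\<sid>\...\Run"]),
    "\t".join(["Disker", r"rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw", r"Name-PC\Name", "Startup"]),
    "\t".join(["Disker64", r"rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw", r"Name-PC\Name", "Startup"]),
])
```

Run scan_report over the text produced by "msinfo32 /report" on the machine in question; the benign entry is never reported, the two quoted entries are flagged for both the name and the temp-folder DLL.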
    01/02/2014 10:21 AM Posted by Jurannok
    even if they are using an authenticator for protection.

    Does this apply to both mobile and key fob authenticators?
    Does this apply to both mobile and key fob authenticators?

    Yes.
    It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64".

    Can the Trojan be seen before you are compromised by doing this? Would it be worthwhile to check before logging into the game again?

    Also, to your knowledge can they use the authentication from forum login to log into the game or account management, or is that separate?
    Can the Trojan be seen before you are compromised by doing this?

    Unfortunately we've not yet seen a way to spot the Trojan until after it goes active. We've also not found a security program that can see it or remove it.

    Also, to your knowledge can they use the authentication from forum login to log into the game or account management, or is that separate?

    We're not positive, although if I had to guess I'd say the game login.
    Does this affect Macintosh?
    Jurannok: I sent Vrak an email, regarding this. We'd like to help. :)
    Is this PC specific or are Mac users in danger too?
    Trogger,

    The "Disker" Trojan would not run on a Macintosh. We haven't received any reports of a Trojan like this for Macintosh systems.
    I use the Desktop App to log in, I'm always logged in, am I safe?
    We need this posted on EU for us Europeans.... :)
    I use the Desktop App to log in, I'm always logged in, am I safe?

    I would assume you're safe until it asks for your authenticator code.

    At which point I'd check msinfo to see if those are running. If not, it should be safe to input the authenticator code.
    Any idea how players are being infected with these trojans? Just clicking bad links or are ads on sites like MMO-Champ infecting people?
    Thank you for the answer, I've checked and there is nothing of "Disker" or "Disker64" on my PC, I'll verify again when I need to enter the authenticator, ty again =D
    Hi, thank you for the information regarding these trojans.

    For anyone who has been known to be infected, have you been able to isolate components of the Trojan and submit to a site like virustotal for analysis? I'm curious as to what preliminary detections find and detect it as. Also please submit the samples directly to various AV vendors so they can begin to roll out definitions that detect and remove the Trojan.

    I'm bookmarking this thread because I am very interested in where this is coming from, how it's finding its way onto systems (phishing, misrepresented download, browser/java exploit, etc).
    I know you said you have not found a way to remove it yet except a complete system reformat. In the meantime maybe it is possible to find a way to keep it from transmitting data that would compromise accounts?

    I.e. blocking the port that it might use for that.
    Blizz, make sure you send knowledge of this to all antivirus and antispyware vendors. This is huge.
    Can we expect to see this mirror posted to the EU Tech Support forums?
    Since Christmas, I have seen a few players complaining about this on the CS forum. One thing most of them had in common was they were playing on new computers or had recently added new upgrades/peripherals.

    I remember that a few years ago some digital picture frames from China came loaded with malware designed to infect any computers they get hooked up to. The malware was designed to harvest online game account information. I wonder if this might be a similar thing, with these "new" computers/devices.
    Blizz, make sure you send knowledge of this to all antivirus and antispyware vendors. This is huge.

    For that, you need to isolate the infection, and upload it. They're looking for additional infected users who are willing to take the time to go through steps with them so they can do that.