*Compromised accounts* Potential Trojan

Technical Support
01/02/2014 06:48 PM Posted by Ectophob
Sorry, but I can't see any connection between this link and the Disker malware...


Look at some of the files listed:

C:\DOCUME~1\User\LOCALS~1\Temp\w_win.dll
C:\DOCUME~1\User\LOCALS~1\Temp\IXP000.TMP\setups.exe
C:\DOCUME~1\User\LOCALS~1\Temp\w_win.dll.123.Manifest


These files are consistent with what we're seeing on an infected system in #wowtech. Ressy's manually extracting the malware on a system right now, and we should have a sample ready to submit to anti-malware scanners (i.e. Malwarebytes) momentarily.
Sorry about that, my bad.
Do you have any details on the Wowhead blocked intrusions?

Unfortunately, no. As I mentioned, my AV doesn't archive that far back. I visit Wowhead frequently and, if memory serves, had visited multiple pages on Wowhead during that session before receiving the high-risk intrusion attempt "blocked" warning.
01/02/2014 07:04 PM Posted by Sufia
Do you have any details on the Wowhead blocked intrusions?

Unfortunately, no. As I mentioned, my AV doesn't archive that far back. I visit Wowhead frequently and, if memory serves, had visited multiple pages on Wowhead during that session before receiving the high-risk intrusion attempt "blocked" warning.


Do you use ad blocks/script blockers?
Nope. I know, I should. But nope.
01/02/2014 07:31 PM Posted by Sufia
Do you use ad blocks/script blockers?

Nope. I know, I should. But nope.


Alright, well, it's possible it came from ads on Wowhead then.

Something for the techy people to check into.
Good news: Malware samples have been obtained and they're being shared with anti-malware scanners. Ressie is also in the process of writing a guide for efficient removal until these are in antivirus databases, so keep your eyes peeled.

Big thanks to Ressie for finding, extracting, and curing the malware, and Cymbol for providing her with the original system to work with! Stay tuned for updates - things should be looking up very soon.
Hooray. Do we know where it came from yet?
RESSIE THANK YOU SOOOO MUCH!!

I hope you were able to gain information that will surely help others with this issue.
I can't express my gratitude fully enough - <3 You ROCK!

Kudos to you and a mighty bow!
01/02/2014 07:39 PM Posted by Holykitty
Hooray. Do we know where it came from yet?


It sounds like it's from an illegitimate Curse Client. The official, supported Curse Client WILL NOT infect your system.

There's still no guarantee that this is the case, but so far it's what everything is pointing to. It would make sense as well because the malware specifically targets World of Warcraft.
Cymbol has been very patient, and let me remote into her system to have a look around to attempt to find what installed this. It's looking like a FAKE Curse Client - i.e. if you searched for Curse Client via major search sites, you might have clicked an ad instead of the actual Curse Client page.

I got a copy of it, which Blizzard & their Warden team have. Submitted to Malwarebytes, Avast, MSE, Kaspersky, McAfee, Avast, SuperAntiSpyware, TrendMicro.

Lots of antiviruses are now scanning for it: https://www.virustotal.com/en/file/850dc3ebb2437edaf3352eee79ee704cdb881779684c2128f1f07d8dd79c0344/analysis/1388714816/

And Cymbol's system has been cleaned!

Removal Instructions:
  • Download AutoRuns:
    http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
    Run Autoruns.exe
    Find Disker & Disker64 in the list. Uncheck the boxes on the left for each line, then right click each, and select "Delete".
  • Download ProcessExplorer:
    http://technet.microsoft.com/en-ca/sysinternals/bb896653.aspx
    Run procexp.exe
    Under explorer.exe, you should see a rundll32.exe under it. There may be several, so find the one that when you hover over it, the popup text says "Disker" and/or "Disker64". Right-click the rundll32.exe, and select "Kill Process", and click OK.
  • Download SuperAntiSpyware:
    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
    Uncheck both options in the bottom left, and click Express.
    After it installs, close it.
    Navigate to the c:\users\name\appdata\local\temp\ folder, where "name" is your username.
    Right click w_win.dll, and select "SUPERDelete File Removal". It'll bring you to a screen asking if you REALLY want to delete the file, and to type YES. Type YES.
    Do the same for w_64.dll.
  • Reboot normally and it should be gone.
    Uninstall SuperAntiSpyware, and delete processexplorer & autoruns.

________________________________________________
Technical Support MVP
For un-official live support, http://webchat.freenode.net/?channels=wowtech
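As an added example that is not part of the thread or of Ressie's post, the following read-only PowerShell script checks a system for the indicators named in the removal steps above (the Disker/Disker64 autorun names, w_win.dll and w_64.dll in the local temp folder, and a rundll32.exe that hosts them). The choice of Run keys and the XP-style temp path are assumptions; the post only quotes c:\users\name\appdata\local\temp\. It reports and deletes nothing, so the removal steps above still apply.

```powershell
# Added triage script (not from the thread). Needs PowerShell 3.0 or later.
# Read-only: it lists Disker indicators from Ressie's post, it removes nothing.
$dllNames     = @('w_win.dll', 'w_64.dll')   # dropped files named in the post
$autorunNames = @('Disker', 'Disker64')      # Autoruns entry names named in the post
$indicators   = $dllNames + $autorunNames
# Assumption: the autorun entries live in the usual Run keys (the post does not say).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Run-key persistence: value name matches Disker/Disker64, or value data mentions a DLL.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $nameHit = $autorunNames -contains $p.Name
        $dataHit = $dllNames | Where-Object { "$($p.Value)" -like "*$_*" }
        if ($nameHit -or $dataHit) { $findings += "Run key: $key\$($p.Name) = $($p.Value)" }
    }
}

# 2. Dropped DLLs in every profile's local temp folder (Vista+ and XP layouts; XP path assumed).
$profileRoots = Get-ChildItem -Path 'C:\Users', 'C:\Documents and Settings' -Directory -ErrorAction SilentlyContinue
$tempDirs = $profileRoots | ForEach-Object {
    Join-Path $_.FullName 'AppData\Local\Temp'
    Join-Path $_.FullName 'Local Settings\Temp'
}
foreach ($dir in $tempDirs) {
    foreach ($name in $dllNames) {
        $path = Join-Path $dir $name
        if (Test-Path $path) { $findings += "File: $path" }
    }
}

# 3. A rundll32.exe whose command line references a DLL or the Disker name
#    (the process the post has you kill in Process Explorer).
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
    $cmd = "$($_.CommandLine)"
    foreach ($name in $indicators) {
        if ($cmd -like "*$name*") { $findings += "Process: PID $($_.ProcessId) $cmd"; break }
    }
}

if ($findings.Count -eq 0) { 'No Disker indicators found.' } else { $findings }
```

Run it from an elevated PowerShell so HKLM and other users' temp folders are readable; a hit on any of the three checks means the removal steps above have not been completed.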
Awesome news! How long does it usually take for Malwarebytes and other scanners to update to detect and squash the trojan after they get the info?
Would you, by chance, be submitting to Webroot?
01/02/2014 07:48 PM Posted by Hippeaux
Awesome news! How long does it usually take for Malwarebytes and other scanners to update to detect and squash the trojan after they get the info?


Not long at all. I wouldn't be surprised if they were reliably detecting them in the next 24 hours or so.
So I went off and programmed me an Authenticator that works as an executable for Windows XP/ME/7, and it's based off the Mobile app for Android/iPhone.

When you say it grabs it from the input box, do you mean it does it via keystrokes, or from screen capture?

The reason why I ask this is that I copy/paste my authenticator into my input box when I'm prompted for one.

I just want to know if I'm safe or not from this trojan.

If for whatever reason Blizzard would like a copy of my Authenticator program for inspection, or whatnot, they can feel free to email me through my account associated with my Battle.net account.
Thanks Ressy. It was a pleasure to help in any way that I could.

Much thanks to the whole team actually. You are very much appreciated!!

I wish success for all those who were infected and I will contact Blizzard about my losses. <3

BIG HUGS to all. :)
Great job guys. :) I haven't been infected but wanted to have an idea where it came from before closing this browser window. Haha.

Thanks Ressie for finding and isolating the issue, as well as fixing it. And thanks to Cymbol for letting her. :)
I've been keeping an eye on this, even though I'm not infected (I believe, I'll probably be going through the steps Ressie gave just to soothe my mind), and I have to say, I am impressed. Very good job.
Strong work folks. I'm going to keep this thread to point people to who think that Curse is doing a bad job.