World of Warcraft Players Warned of Dangerous Trojan That Steals Account Info [Update]

[UPDATE] Blizzard has provided a new update regarding the malware. Writing on its forums today, the developer said the trojan stems from a fake version of the Curse Client. A summary of Blizzard’s latest findings is below.

“The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for “curse client” on major search engines, which is how people were lured into going there.

At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that Ressie posted earlier in the thread.

Thanks to Ressie’s efforts, most security programs should be able to identify this threat shortly, if not by the time I type this.

If you were compromised, follow the instructions here and we’ll do our best to set everything right (as we always do).

For those of you interested in these MitM style attacks, this is the only confirmed case we’ve seen in several years outside of the “Configuring/HIMYM” trojan in early 2012 that hit a handful of accounts. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!”

The original story is below.

Blizzard Entertainment has warned World of Warcraft players to be on the lookout for a “dangerous Trojan” that can steal account information even if you’re using an authenticator for protection, the company said on its forums last night.

According to Blizzard, the malware acts in real time by stealing your World of Warcraft account information as well as the authenticator password at the time you enter both. Blizzard recommends that users with compromised accounts seek out the Trojan by following the steps laid out below.

“It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either ‘Disker’ or ‘Disker64.’ It will usually appear like this:

    Disker rundll32.exe c:usersnameappdatalocaltempw_win.dll,dw Name-PCName Startup

    Disker64 rundll32.exe c:usersnameappdatalocaltempw_64.dll,dw Name-PCName Startup

Blizzard said it is currently investigating the newly discovered malware, but so far has been unable to find any anti-virus programs that will remove it outside of reformatting your system. To help Blizzard find a solution, you can reply to the ongoing support thread with the following:

“Your MSInfo. A list of any add-ons you recently installed along with where you got them. A list of any programs you recently installed along with where you got them. Any security programs you have run and their results.”

World of Warcraft had 7.6 million subscribers as of September 30, 2013, making it the top subscription-based MMO on the market. Blizzard announced Warlords of Draenor, the game’s fifth expansion, during BlizzCon in November. According to a recent survey, Blizzard is potentially considering allowing players to pay for a standalone level 90 character.