11-29-07, 02:00 AM   #1
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
*Important* Key-Loggers and Computer Security

Since this is still a problem, I thought I'd post a reminder to people to be careful about what they download. The following post is taken from Blizzard's Customer Service Forum:

Key-loggers which steal account names and passwords continue to circulate. We remind players to be especially vigilant when being directed to external websites and to update the security on their computers. The following sticky has a bit of information that we have compiled to help ensure your computer is up to date, and secure. We have recently decided to break this long read up into a few smaller posts, making it easier to take in. This also allows us to link to specific portions for a player that may only need to see one segment, and not the whole post.


Table of Contents:

In addition to Blizzard's post, we have a very helpful sticky thread in our Chit Chat forum by Tsurani that has a lot of great info and links about computer security, here.

That being said, you can rest assured that we continue to do everything we can to try to provide you with the safest downloads possible. Our approval process for any mod on the site (new or even just an update) continues to be a manual process for precisely this sort of reason. For those of you who aren't aware of our process, any mod that is submitted to the site, whether brand new or an update, goes to a file moderation queue. One of the site staff downloads the mod to their computer, runs virus and spyware scans on it, checks to make sure there are no executable files* of any type in the compressed folder and only after everything checks clean is the mod approved for download by our users. In addition to our manual scans upon upload, we also have automatic virus and spyware scans of our entire database every night. It may take us a little bit longer that way and makes more work for us on our approval process, but we feel it is important enough to warrant the time and effort.

*Yes, there are some executables on the site, however the only way an executable is ever allowed on the site requires the author submitting their source code for us to decompile first, to verify precisely what it does and that it is safe for our users. If someone isn't willing to submit their source to us, their mod doesn't get on our site.


Finally, I have to warn you that unfortunately someone apparently uploaded a trojan to incgamers.com which has made its way to their UICentral automatic downloader/installer. You can see the post concerning it, complete with all the technical details of what the trojan does, here. I know that Rushster has been made aware of it and I have no doubt that he is taking the appropriate steps to deal with it. However, if you have used incgamers' UICentral in the last couple days, you really should consider running a full system virus and spyware scan.

If you discover you did get infected, the following steps should completely remove it from your system (courtesy Zappam, over on incgamers' forums, here):

1. Boot in Safe Mode.
2. Click on Start > Execute. Write regedit.
3. Go to HKEY_LOCAL_MACHINE > SYSTEM > ControlSet001 > Services > WZCSVC > Parameters.
4. Change ServiceDll value to "%SystemRoot%\System32\wzcsvc.dll" (without quotes).
5. Go to C:\WINDOWS\system32\.
6. Click on Tools > Options > View then untick "hide system files".
7. Delete mouse.dll and wzcsvbc.dll. Reboot.


Last edited by Cairenn : 12-02-07 at 02:05 PM.
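The "no executable files in the compressed folder" check described in the post above, sketched as an added example (not WoWInterface's actual tooling). The extension list, the function names and the sample archive are assumptions made here; the sample is constructed in memory.

```python
import io
import zipfile

# Assumed block list; the post only says "no executable files of any type".
BLOCKED_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".msi"}
# Leading bytes of native executables, checked whatever the member is called.
MAGIC = {b"MZ": "Windows PE/DOS header", b"\x7fELF": "ELF header"}


def scan_addon_zip(data: bytes) -> list:
    """Return (member, reason) pairs that should stop an upload being approved."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if info.flag_bits & 0x1:  # encrypted member: contents cannot be inspected
                findings.append((name, "encrypted member"))
                continue
            # Windows drops trailing dots/spaces, so "x.exe." still runs as x.exe.
            base = name.rsplit("/", 1)[-1].rstrip(". ").lower()
            ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
            with zf.open(info) as fh:
                head = fh.read(4)
            if ext in BLOCKED_EXT:
                findings.append((name, "blocked extension " + ext))
            for magic, reason in MAGIC.items():
                if head.startswith(magic):
                    findings.append((name, reason))
            if head.startswith(b"PK\x03\x04"):
                findings.append((name, "nested archive, unpack and rescan"))
    return findings


def build_sample() -> bytes:
    """Constructed upload: addon text files, a PE named like an image, an installer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyAddon/MyAddon.toc", "## Title: MyAddon\nMyAddon.lua\n")
        zf.writestr("MyAddon/MyAddon.lua", "print('hello')\n")
        zf.writestr("MyAddon/icon.tga", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("MyAddon/Setup.EXE.", b"MZ\x90\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_addon_zip(build_sample()):
        print(member, "->", reason)
```

Checking the leading bytes as well as the name is what catches the executable renamed to look like a graphics file.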
11-30-07, 02:48 PM   #2
Kalagarth
A Defias Bandit
Join Date: Feb 2007
Posts: 2
Thank you for alerting me to a problem like a keylogger hidden in an addon. I'm kinda confused... would the Wowaceupdater be able to download the trojan/does this involve wowace at all? If so, what antivirus would be able to detect it?
11-30-07, 04:07 PM   #3
Zyonin
Coffee powered Kaldorei
 
AddOn Author - Click to view addons
Join Date: May 2006
Posts: 1,443
Originally Posted by Kalagarth
Thank you for alerting me to a problem like a keylogger hidden in an addon. I'm kinda confused... would the Wowaceupdater be able to download the trojan/does this involve wowace at all? If so, what antivirus would be able to detect it?
WoWAce (and WoWAceUpdater) has nothing to do with this. The Trojan was contained within WoWUI's UICentral updater.
11-30-07, 05:43 PM   #4
Dreadlorde
A Pyroguard Emberseer
 
AddOn Author - Click to view addons
Join Date: Dec 2006
Posts: 2,302
My bad. Disregard.
__________________

Funtoo - Plan 9 - Windows 7

Last edited by Dreadlorde : 12-01-07 at 01:55 PM.
12-01-07, 12:45 AM   #5
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
Two things here:

First, it wasn't a virus embedded in an addon. Addons themselves are nothing but text (and occasional graphics) files. It was a trojan hidden in an executable that would self-delete the carrying executable as soon as it ran, to make it harder to trace.

Second, you're fine with Ace, this was at incgamers (formerly ui.wow.net).

You should be fine.


(Always better to check if you are unsure though.)
__________________
“Do what you feel in your heart to be right — for you’ll be criticized anyway.” ~ Eleanor Roosevelt
~~~~~~~~~~~~~~~~~~~
Co-Founder & Admin: MMOUI
FaceBook Profile, Page, Group
Avatar Image by RaffaeleMarinetti
12-01-07, 04:35 AM   #6
Zyonin
Coffee powered Kaldorei
 
AddOn Author - Click to view addons
Join Date: May 2006
Posts: 1,443
Originally Posted by Dreadlorde
Isn't that thing brown? I wouldn't trust it.
I have tested UIC and never got it to work right so I have not touched it in a long time. With the latest "revelations" I would not trust it either and I am steering anyone I can away from it. I have warned my guild regarding this, however I think my guild will not have any issues as most (as in all but a few masochists) of us use Ace2/Rock based UIs with a few "non Ace" mods pulled from Curse.

I used to be a heavy poster on WoWUI, however after both the WoWAce "mirror" mess and the Trojans, plus the el crapo response from the WoWUI admins, I am terminating my "relationship" with that site. Too bad they do not have a "Delete Account" option.
Last edited by Zyonin : 12-01-07 at 04:39 AM.
12-01-07, 10:28 AM   #7
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
Remember guys, we don't allow flaming of the other sites here. Legitimate warnings of something that has happened are one thing. Turning the thread into a flamefest is something else entirely. Not saying you have, but it's all too easy for something like this to turn into one and that's not allowed here.
12-01-07, 12:20 PM   #8
Lenexa
A Kobold Labourer
Join Date: Dec 2007
Posts: 1
Just wanted to post to say thank you Cairenn for posting that fix. I had tried a lot of different things suggested on the WoW forums but nothing was working. After about 4+ hours of various attempts I finally checked here and the problem was solved. Thank you!!!!
12-01-07, 02:35 PM   #9
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
You're quite welcome Lenexa, although the credit goes to the guy who originally posted it over at incgamers. I just copied it over to help make it more easily located.

I'm very sorry to hear you were one of the people infected with this. I hope your account wasn't compromised (and trust that you've subsequently changed your password!).
12-02-07, 07:39 PM   #10
ScytheBlade1
aka Sbo
 
Premium Member
AddOn Author - Click to view addons
Join Date: Jan 2006
Posts: 66
The above directions are insufficient and will likely NOT result in full removal.

For updated instructions, please see this thread: http://www.wowinterface.com/forums/s...threadid=13868
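A read-only check for the three indicators named in the removal steps of the first post (the WZCSVC ServiceDll value and the two DLL names), added here as an example and not taken from the thread or from incgamers. It looks only at those indicators, so an empty result says nothing beyond them; `normalise`, `assess` and `read_live` are names chosen here, and the non-Windows sample input is constructed.

```python
import ntpath
import os
import re

KEY = r"SYSTEM\ControlSet001\Services\WZCSVC\Parameters"  # step 3
EXPECTED = r"%SystemRoot%\System32\wzcsvc.dll"            # step 4
DROPPED = ("mouse.dll", "wzcsvbc.dll")                    # step 7


def normalise(path, system_root=r"C:\WINDOWS"):
    """Expand %SystemRoot% and fold case so equivalent spellings compare equal."""
    expanded = re.sub("%systemroot%", lambda m: system_root,
                      path.strip().strip('"'), flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(expanded))


def assess(service_dll, system32_files, system_root=r"C:\WINDOWS"):
    """Return findings for a ServiceDll value and a system32 file listing."""
    findings = []
    if normalise(service_dll, system_root) != normalise(EXPECTED, system_root):
        findings.append("ServiceDll is %r, expected %r" % (service_dll, EXPECTED))
    present = {name.lower() for name in system32_files}
    findings += [name + " present in system32" for name in DROPPED if name in present]
    return findings


def read_live():
    """Windows only: read the live value and directory listing without changing them."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "ServiceDll")
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return value, os.listdir(ntpath.join(root, "System32")), root


if __name__ == "__main__":
    if os.name == "nt":
        inputs = read_live()
    else:
        # Constructed sample: a redirected ServiceDll and both files from step 7.
        inputs = (r"%SystemRoot%\System32\wzcsvbc.dll",
                  ["kernel32.dll", "Mouse.dll", "wzcsvbc.dll"], r"C:\WINDOWS")
    for line in assess(*inputs) or ["no indicators from the steps found"]:
        print(line)
```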