WoW – Attention au Trojan (maj)
Un message officiel nous informe d'une menace potentielle pouvant actuellement compromettre les comptes, même protégés avec un authenticator. Pour le localiser, ils préconisent de faire un diagnostic avec MSInfo et de regarder dans la section "Programmes de démarrage" à la recherche d'un processus nommé "Disker" ou "Disker64" :
Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup
Ils recherchent plus d'informations à ce propos car, pour le moment, le Trojan n'est pas supprimé par les anti-virus. Si jamais votre compte a été compromis récemment et que vous trouvez ce Trojan sur votre système, n'hésitez pas à aider Blizzard en soumettant :
- votre MSInfo
- la liste des addons récemment installés
- la liste des programmes récemment installés
- tout rapport effectué par des programmes de sécurité
Hello,
We've been receiving reports regarding a dangerous Trojan that is being used to compromise player's accounts even if they are using an authenticator for protection. The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them.
If your account has been compromised recently, I'd recommend looking for the Trojan. It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64". It will usually appear like this:
Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup
We are currently looking for more information on the Trojan. We have not been able to locate any anti-virus programs that will remove it besides just reformatting your system. If you have been recently compromised and find it on your system please reply with the following pieces of information.
- Your MSInfo.
- A list of any addons you recently installed along with where you got them.
- A list of any programs you recently installed along with where you got them.
- Any security programs you have run and their results.
De nouvelles informations ont été publiées à ce propos :
- le Trojan est téléchargé via une fausse version de Curse, sur un site alternatif, qui ressort sur les moteurs de recherche en tapant "curse client".
- la méthode la plus simple pour supprimer la menace est de désinstaller le faux client Curse et de mener un scan via Malwarebytes.
- la plupart des programmes anti-virus devraient désormais détecter et supprimer cette menace.
Our pleasure!
To summarize for those of you that haven't read the green posts:
-The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there.
-At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that Ressie posted earlier in the thread.
-Thanks to Ressie's efforts, most security programs should be able to identify this threat shortly, if not by the time I type this.
-If you were compromised, follow the instructions here and we'll do our best to set everything right (as we always do).
-For those of you interested in these MitM style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!
N'hésitez pas à vérifier, on sait jamais !