Security Community Blog

Fake Curse client stealing WoW user credentials

Created: 08 Jan 2014 • Updated: 08 Jan 2014
SebastianZ's picture

In a recent "sticky" thread on the Battle.net forums, a new threat targeting WoW players has been reported. The Trojan "Disker" is able to compromise even accounts that use Authenticator protection: it steals both the account credentials and the Authenticator password. To verify whether a machine has been compromised by the Trojan, it is advised to create an MSinfo file and check it for the following entries in the Startup Programs section:

Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup
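
The check described above can be automated over a saved MSinfo text report. The following is an added example, not code from the original post or from Blizzard; it assumes the report uses a "[Startup Programs]" heading with tab-separated columns, the function names are hypothetical, and it goes slightly beyond the two listed entries by also flagging any rundll32 startup command that loads a DLL from a user Temp folder.

```python
import re

# Constructed sample in the layout ASSUMED for an msinfo32 text export: a
# "[Startup Programs]" heading, a header row, then tab-separated rows.
SAMPLE_REPORT = (
    "[Startup Programs]\n\n"
    "Program\tCommand\tUser Name\tLocation\n"
    "Disker\trundll32.exe c:\\users\\name\\appdata\\local\\temp\\w_win.dll,dw"
    "\tName-PC\\Name\tStartup\n"
    "Disker64\trundll32.exe c:\\users\\name\\appdata\\local\\temp\\w_64.dll,dw"
    "\tName-PC\\Name\tStartup\n"
    "Updater\tc:\\vendor\\updater.exe /quiet\tPublic\tStartup\n\n"
    "[Loaded Modules]\n\nName\tVersion\n"
)
ENTRY_NAMES = {"disker", "disker64"}                      # names from the post
DLL_NAMES = re.compile(r"\\(w_win|w_64)\.dll\b", re.I)    # DLLs from the post
# Broader heuristic (added here): rundll32 loading any DLL out of a user Temp folder.
TEMP_RUNDLL = re.compile(r'rundll32(\.exe)?"?\s+.*\\appdata\\local\\temp\\[^\\]+\.dll', re.I)

def load_report(path):
    """Read a saved report; exports may be UTF-16, so honour a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return raw.decode(enc, errors="replace")

def startup_rows(report_text):
    """Yield (program, command, user, location) rows of the Startup Programs section."""
    in_section = False
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped.lower() == "[startup programs]"
            continue
        cols = [c.strip() for c in line.split("\t")]
        if in_section and len(cols) >= 4 and cols[:2] != ["Program", "Command"]:
            yield tuple(cols[:4])

def find_disker(report_text):
    """Return (program, command, reasons) for every suspicious startup row."""
    hits = []
    for program, command, _user, _location in startup_rows(report_text):
        checks = [("entry name", program.lower() in ENTRY_NAMES),
                  ("dll name", bool(DLL_NAMES.search(command))),
                  ("rundll32 from Temp", bool(TEMP_RUNDLL.search(command)))]
        reasons = [label for label, matched in checks if matched]
        if reasons:
            hits.append((program, command, reasons))
    return hits
```

To check a real export, call find_disker(load_report(path)) on the saved report; an empty list means none of the indicators above were present in the Startup Programs section.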

The Trojan originates from a fake Curse website offering malicious Curse clients for download; the website had recently been appearing on major search engines in results for the phrase "curse client".

Blizzard advises reporting any compromised account directly, along with information about installed addons or plugins. As a general measure, deleting any recently downloaded addons and running a full system scan are recommended.

References:

(Sticky) *Compromised accounts* Potential Trojan
http://us.battle.net/wow/en/forum/topic/11041384892

WoW gamers targeted with trojanized Curse client
http://www.net-security.org/malware_news.php?id=2666