In a recent "sticky" thread on Battle.net forums a new threat targetting WOW players has been reported. The Trojan "Disker" is able to compromise even the accounts using Authenticator Protection. It steals both the account credentials and Authenticator password. To verify if the machine has been compromised with the trojan it is advised to create a MSinfo file and check in it for following entries in the Startup programs section:
Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup
Trojan originates from a fake Curse website offering malicious Curse clients for downloads - the website itself was popping-up recently on major search engines while looking for "curse client" phrase.
Blizzard advises to report any compromised account directly alongside of information regarding installed addons or plugins. On general note deleting any recently downloaded addons and full system scan are recommended.
References: (Sticky) *Compromised accounts* Potential Trojan http://us.battle.net/wow/en/forum/topic/11041384892 WoW gamers targeted with trojanized Curse client http://www.net-security.org/malware_news.php?id=2666
References:
(Sticky) *Compromised accounts* Potential Trojan http://us.battle.net/wow/en/forum/topic/11041384892 WoW gamers targeted with trojanized Curse client http://www.net-security.org/malware_news.php?id=2666