Beware of the WoW Downloader Trojan!!!

Neirai the Forgiven

Christian Guilds List Manager
I don't know if you've heard, but Wendel (Stwendelritz) just got slammed by WoW gold pirates.

Here's how it works:

1. You pick up a WoW Trojan. Often called something like "Trojan-Spy.Win32.Perflogger.al" or the like.

2. When you download a WoW patch, this insidious little bugger inserts a back door into your game.

3. Next time you play, you will get an "Unable to validate game" error. If you EVER get such an error, take action immediately!!!

4. Trying to log in sends your name and password to a nefarious gold pirate website... goodbye characters/gold/items/etc.


What you can do:

1. If you EVER get a validation error, immediately change passwords and then DON'T touch WoW.

2. Virus/Trojan scan. If it doesn't find it, go download another scanner and do it again.

3. Avoid using the default P2P downloader. If you download the patch straight (like from Filefront or, hey, our website when it's finished), the Trojan can't alter it (so far).

4. Once you are sure that you are Trojan free, you may need to re-install the game.


If you are hit, PLEASE contact Blizzard Entertainment immediately so that they can get these people charged and shut down!!
In Wendel's case, they left an advertisement in his mailbox. Yay immediate clues.
 
Something doesn't add up dude. How did the Trojan get there, from Blizzard's own patcher? Highly unlikely. I'm very interested in knowing how ...
 
Folks, please OH please, run an anti-virus program and EVERY DAY run the updater manually. Security is too important to leave it to an automated updater. This trojan is identifiable by most AV software, so there is no reason it doesn't get detected. As to how it gets on, while I don't know Stwendelritz's case, I can tell you to avoid WoW Gold sites and sites that post questionable mods and/or macros for automating farming or other in-game activities. I hope he finds out where this came from and we all can learn together.

Couple of articles I have come across ...
http://forums.wow-europe.com/thread.html?topicId=31483341&sid=1
http://www.theregister.com/2006/09/29/warcraft_trojan_attack/
http://arstechnica.com/news.ars/post/20060508-6778.html

In essence, run IE 7 (if you must have IE), but better yet is Firefox 2.0.
 
I got a note in my WoW in-game mail recently from "WoW Gold Pirates" also. It asked to visit a specific website and enter a code for 10 free gold.

I wish I would have kept it so I could show it to a GM now. I didn't know how much this trojan had spread.
 
I got that same in-game mail, and did report it to a GM. :D

I thought it was kind of funny that the GM recommended that I delete the mail. What else was I gonna do, report it, and then go pick up my free gold & get banned (oh, and scammed too most likely)!

Oh, and my condolences Wendel. If you need anything, just ask :) I might be able to help you replace some gear for your neked character.
 
The pirates send you an in-game mail with an authorization code to receive 10 free gold.

You insert the authorization code at their website - peonsforhire.com

A trojan is downloaded to your computer.

You log on, and your WoW account information is sent to peonsforhire.com

The scammers hijack your account and liquidate it.

---

This is specifically how I've come to understand this working. I have received this in-game mail amongst my various characters roughly eight times now. Camyron has received it twice. It has also been received by characters I have not played in months (a fact that somewhat concerns me).

However, never having been one to be interested in gold farmers/pirates, I just delete these. I would have reported them, but I'm already aware that Blizzard knows what the problem is and is working hard to fix it. In the meantime, what bothers me most is just the spam.

Aside from in-game mails, there have been level 1 players on all servers spamming 8-line long advertisements for "peons4hire". This third party gold scamming institution is flooding WoW with their ads. THAT is what I find annoying.

Simultaneously, I would like to send my sympathy to those that these people have taken advantage of. If there's anything I can do to help, just ask. In the meantime - for the rest of you...

DELETE GOLD ADS WHEN YOU SEE THEM. DO NOT VISIT 3rd PARTY WEBSITES.
 
I would have reported them, but I'm already aware that Blizzard knows what the problem is and is working hard to fix it. In the meantime, what bothers me most is just the spam.

Oh, ok, I'll stop reporting them then. I figured that the more names/accounts they had, the better.


DELETE GOLD ADS WHEN YOU SEE THEM. DO NOT VISIT 3rd PARTY WEBSITES.

AMEN!!!!
 
from http://www.joestewart.org/p2p.html

BitTorrent cannot be used to spread viruses in the way other P2P networks are known for. On most P2P networks, spreading a virus is as easy as copying it to the shared folder with an enticing name. Since BitTorrent users only share pieces of well-known files whose integrity is known to the tracker, it is not possible to infect a piece of the file being shared. While you could potentially upload a virus to a public tracker and provide a .torrent file for it, you'd still have to convince people to download and run the file just as if you posted it to a website. Another benefit to the BitTorrent model is that users can't unknowingly share out the contents of their hard drive in the way neophyte users have done on other P2P networks. Virtually all of the security and privacy concerns noted by opponents of P2P technology simply don't exist with BitTorrent.

and btw, Joe would know...

Joe Stewart is Senior Security Researcher with LURHQ, a leading Managed Security Services Provider. In this role he researches unusual Internet activity to discover emerging threats, new attack techniques and the latest malicious code. Prior to this role, he was an Intrusion Analyst where he handled millions of security events for LURHQ clients while monitoring their corporate networks from the Secure Operations Center. He has been in the information security field his entire career. He is a frequent commentator on security issues for leading media organizations such as The New York Times, MSNBC, Washington Post, Bloomberg and others. Additionally, Joe has published numerous security research papers on Sobig, Migmaf, Sinit and other cyber-threats and attack techniques which can be found at http://www.lurhq.com/

So therefore, you're not getting hacked, virused, or keylogged through the Blizzard downloader. It's not possible because of the "hash" data. If you did get an infected hash, it would change the file structure, etc, and you would get an error when trying to patch because the finished file would be messed up.
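To make the "hash data" argument in the quoted article concrete, here is an added example (not from the article, the thread, or any Blizzard or BitTorrent code) of per-piece SHA-1 verification in the style of a torrent's piece list. The "patch" bytes, the 16-byte piece size and the tampering are all constructed for the demo:

```python
import hashlib

PIECE_LENGTH = 16  # constructed; real torrents use 256 KiB or larger pieces


def split_pieces(data: bytes, piece_length: int = PIECE_LENGTH) -> list[bytes]:
    """Split a file into fixed-size pieces; the last piece may be shorter."""
    return [data[i:i + piece_length] for i in range(0, len(data), piece_length)]


def piece_hashes(data: bytes, piece_length: int = PIECE_LENGTH) -> list[bytes]:
    """SHA-1 digest of every piece, which is what a .torrent publishes as 'pieces'."""
    return [hashlib.sha1(p).digest() for p in split_pieces(data, piece_length)]


def verify_pieces(received: bytes, expected: list[bytes],
                  piece_length: int = PIECE_LENGTH) -> list[int]:
    """Return the indices of pieces whose hash does not match the published list.

    An empty list means the received file is byte-for-byte what the publisher hashed.
    A different piece count can never validate, so every index is reported.
    """
    got = piece_hashes(received, piece_length)
    if len(got) != len(expected):
        return list(range(max(len(got), len(expected))))
    return [i for i, (g, e) in enumerate(zip(got, expected)) if g != e]


# Constructed sample "patch" as published by the legitimate source.
ORIGINAL_PATCH = b"WOW-PATCH-DEMO:" + bytes(range(64))
PUBLISHED_HASHES = piece_hashes(ORIGINAL_PATCH)


def demo() -> dict:
    # 1. Genuine pieces from an honest peer: nothing is rejected.
    clean = verify_pieces(ORIGINAL_PATCH, PUBLISHED_HASHES)
    # 2. One byte flipped inside piece 2 (by a peer or by local malware): that piece fails.
    tampered = bytearray(ORIGINAL_PATCH)
    tampered[PIECE_LENGTH * 2 + 3] ^= 0xFF
    one_bad = verify_pieces(bytes(tampered), PUBLISHED_HASHES)
    # 3. A payload appended to the file changes the piece count: the whole file fails.
    appended = verify_pieces(ORIGINAL_PATCH + b"<constructed-payload>", PUBLISHED_HASHES)
    return {"clean": clean, "one_bad": one_bad, "appended": appended}


if __name__ == "__main__":
    print(demo())  # {'clean': [], 'one_bad': [2], 'appended': [0, 1, ...]}
```

Piece hashes only prove that what arrived matches what the publisher hashed; they say nothing about malware already running on the machine, which is where later posts in this thread place the problem.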
 
The post on the tech support forums (which I can't find (the post, not the forum)) claimed that the Trojan, which was picked up by surfing the net, negatively interfered with some part of the download/patch process when installing using the Blizz download/patch system.

That's pretty much all I know about it. S/he did mention that it did not seem to come into effect when using the patches provided by Fileplant or Filefront.

Anyhow it isn't a hill I'm going to die on because I don't know the poster and it was white, not blue.
 
Nah, it wasn't that your word wasn't good enough, Adam, but I happened to find that page when I was browsing around the net today, so I thought I'd post a link and the pertinent stuff from it.

It also went on to mention that other forms of P2P software (such as limewire, kazaa, etc) are more dangerous and that some study they linked to suggested that as much as 45% of all files available on KaZaA were malicious and/or infected.

And John - that actually makes more sense. It's possible that someone could infect a website much easier and cause it to interfere with your ability to download patches, login, etc... (think curse and worldofwar's problems a few weeks ago). And people like FilePlanet all get their files the same way we do - from Blizzard's downloader.
 