  1. #1
    Unholyshaman's Avatar ★ Elder ★

    [Warning] Keyloggers and Trojans

    QUOTED FROM WoWInterface forums:

    Unfortunately for us, the “they” in this case are thieves, and they came. It appears that the people who are distributing the latest rash of trojans paid us a visit as well. We have determined that two of the mods on the site that have auto-installers were hacked and a trojan inserted. From our investigations, it appears that the incursion was on 30 Nov. Here are the details that you need to be aware of:


    If you downloaded either:

    KaoMod-20300.001.exe

    or:

    SewellUI

    between 30 Nov and 02 Dec, you may have been infected.


    We were first alerted to a possible problem via this thread on the Blizzard forum yesterday, 01 Dec, at 2am my time. We immediately quarantined the mod in question and ran tests on it. It appeared to come up clean, but continued digging determined that there was, in fact, a trojan hiding in it. As we continued to investigate, it became apparent that the person who did this only hit our fs2 (file server 2) database server. At that point (5 am my time), we immediately quarantined our entire fs2 and switched to fs1. fs2 continues to be quarantined until we can be sure that any infections are removed.


    What you need to do

    If you downloaded either of those files and think you may have been infected, here is what you need to do:

    Updated! 12/3/07 12AM CST - ScytheBlade1 has written a batch file to remove all 3 versions of the keylogger. Dolby has verified that this does work.

    Download: http://www.wowinterface.com/forums/a...tid=1572&stc=1
    (Contains one .bat file and one .reg file)

    Download and extract the files to your hard drive (for example, C:\). I wouldn't recommend extracting it to your desktop for simplicity reasons.

    Once you've got it downloaded and extracted, reboot into safe mode and then run RemoveKeylogger (the file that looks like a gear). Reboot once more into "normal" mode and the keylogger should be removed. Please follow the steps in the original post to ensure that it is actually gone before you trust your computer.

    Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVC).

    OR, if you feel more secure doing it manually ....

    1) Boot into safe mode

    2) Delete the bad files (wzcsvbc.dll, mouse.dll, printfpool.exe)

    Start --> run --> cmd.exe

    Copy and paste the following lines into the box, one by one:

    attrib -H -S %systemroot%\system32\wzcsvbc.dll

    attrib -H -S %systemroot%\system32\mouse.dll

    attrib -H -S %systemroot%\system32\printfpool.exe

    del %systemroot%\system32\wzcsvbc.dll

    del %systemroot%\system32\mouse.dll

    del %systemroot%\system32\printfpool.exe

    sc delete printfpool

    exit

    3) Fix the registry

    Start --> run --> regedit

    Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters

    Double-click on "ServiceDLL" and change that value to "%SystemRoot%\System32\wzcsvc.dll" (remove the "b")

    4) Reboot

    5) Start WoW, and then close it. Do NOT log in.

    6) Verify that the bad files don't exist (search your computer for "wzcsvbc.dll" - be sure to search in hidden and system folders)

    7) Run a complete anti-virus scan. AntiVir (AntiVir PersonalEdition Classic - More than Security) has been known to successfully detect these files.

    Log in to the WoW account management (http://www.worldofwarcraft.com/account/) and change your password.

    * NOTE: VERY FEW ANTIVIRUS PROGRAMS CURRENTLY PICK THIS TROJAN UP. BE SAFE, SCAN YOUR SYSTEM, BUT VERIFY BY HAND THAT THE BAD FILES NO LONGER EXIST.

    What we are doing about this:

    We’ve installed another level of firewall on our servers, amongst other things. Effective immediately we will no longer accept any mod packages that include .exe or .msi (self-installers). Authors of existing packages that use self-installers will be contacted and required to change their packages to regular compression (.zip) files only, or removed from the site.


    We’re very very sorry this has happened. Never before in the five years that we’ve been running our sites have we had anyone successfully breach our security and imperil our users. Trust that we will do everything we can to try to make sure it never happens again.

    Once again, we’re really sorry.

    ALSO SEE: WoW Forums -> AddOns reset every time I exit the WoW
    Last edited by Unholyshaman; 12-03-2007 at 10:23 AM.
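
The manual verification in steps 3 and 6 of the post above, written as a read-only PowerShell check. This is an added example, not part of the quoted WoWInterface post and not ScytheBlade1's batch file; the file names, service name, registry path and expected value come from the post, while the function name Test-KeyloggerIndicators is hypothetical.

```powershell
# Added example: read-only check for the indicators named in the post.
# It deletes and changes nothing. Run it from an elevated prompt.
# Assumption: a native (not 32-bit-on-64-bit) PowerShell host, so that
# System32 is not redirected to SysWOW64.

$sys32       = Join-Path $env:SystemRoot 'System32'
$badFiles    = 'wzcsvbc.dll', 'mouse.dll', 'printfpool.exe'   # names from the post
$svcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters'
$expectedDll = '%SystemRoot%\System32\wzcsvc.dll'             # value from the post

function Test-KeyloggerIndicators {   # hypothetical name
    $findings = @()

    # 1. Files. -Force makes Get-Item return hidden and system files,
    #    which is why the post runs "attrib -H -S" before "del".
    foreach ($name in $badFiles) {
        $path = Join-Path $sys32 $name
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += "FILE PRESENT: $path (attributes: $($item.Attributes))"
        }
    }

    # 2. The service that the post removes with "sc delete printfpool".
    if (Get-Service -Name 'printfpool' -ErrorAction SilentlyContinue) {
        $findings += 'SERVICE PRESENT: printfpool'
    }

    # 3. ServiceDLL of WZCSVC. Read it unexpanded so it can be compared
    #    with the literal %SystemRoot% string given in the post.
    $key = Get-Item -LiteralPath $svcKey -ErrorAction SilentlyContinue
    if ($key) {
        $dll = $key.GetValue('ServiceDLL', $null, 'DoNotExpandEnvironmentNames')
        if ($dll -and ($dll -ne $expectedDll)) {   # -ne ignores case on strings
            $findings += "SERVICEDLL UNEXPECTED: $dll"
        }
    }

    return $findings
}

$result = @(Test-KeyloggerIndicators)
if ($result.Count -eq 0) { 'No indicators from the post were found.' } else { $result }
```

A clean result only means these specific names are absent; the post's advice to run a full anti-virus scan and change the account password still applies.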

  2. #2
    -Lex's Avatar Banned

    Re: [Warning] Keyloggers and Trojans

    Really nice, copypasta is ok =D
    +rep for letting me know

  3. #3
    Sence's Avatar Member

    Re: [Warning] Keyloggers and Trojans

    Thanks Unholy[S]haman ye those keyloggers can be a pain, my bro got hacked from one.
