Battle.net Accounts Compromised by Trojan
New malware steals battle.net account info, even from accounts with a Blizzard authenticator
Details about the issue were posted in the World of Warcraft Customer Support forums, and the Trojan was tracked down and can be easily removed. The companies who make the major anti-virus software have been notified, and have updated their programs to catch the Trojan. Since this can affect any battle.net user, Diablo III players who do not play World of Warcraft could still be infected; there are unconfirmed reports that other programs may also be spreading the Trojan.
Here is the info from the initial post by a Blizzard Customer Support agent:
We've been receiving reports regarding a dangerous Trojan that is being used to compromise player's accounts even if they are using an authenticator for protection. The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them.
If your account has been compromised recently, I'd recommend looking for the Trojan. It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64". It will usually appear like this:
If your account has been compromised recently, I'd recommend looking for the Trojan. It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64". It will usually appear like this:
Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup
The simplest way to remove the Trojan is by using the Malwarebytes program, which eradicates many forms of malware. This is detailed in the followup Blizzard post that gives more specifics about the Trojan.
Update: With the help of our awesome MVPs, we've identified the source and a method to remove this Trojan.
To summarize for those of you that haven't read the green posts:
-The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there.
-At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that Ressie posted earlier in the thread.
-Thanks to Ressie's efforts, most security programs should be able to identify this threat shortly, if not by the time I type this.
-If you were compromised, follow the instructions here and we'll do our best to set everything right (as we always do).
-For those of you interested in these MitM style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!
To summarize for those of you that haven't read the green posts:
-The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there.
-At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that Ressie posted earlier in the thread.
-Thanks to Ressie's efforts, most security programs should be able to identify this threat shortly, if not by the time I type this.
-If you were compromised, follow the instructions here and we'll do our best to set everything right (as we always do).
-For those of you interested in these MitM style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!
Recent News
Server optimizations are being tested on the Public Test Realm
Official patch notes and server changes for Season 7
An overview of the patch that is arriving this week, and bringing Season 7
A look at the rewards in Season 7, and the journey to achieve them
A weekend Diablo III bonus buff on the PC, PS4, and Xbox One
Diablo III: Ultimate Evil Edition
The console Diablo III edition includes all of the Reaper of Souls content, and special social features!
PlayStation 3
Xbox 360
PlayStation 4
Xbox One
Hot Topics
Official patch notes and server changes for Season 7, including new Torment difficulties and a nerf to group buffs.
An overview of the bigger changes and additions in patch 2.4.2.
A look at the rewards in Season 7, and the journey to achieve them.
