
Blizzard warns WoW players to watch out for a Trojan

UPDATE: It came from a fake version of Curse Client.

UPDATE: The culprit has been found: a fake version of the Curse Client has been sneaking the Trojan onto people's systems. Remove the client and run Malwarebytes, and that should do the trick.

Support Forum Agent Kaltonis has the full rundown:

- The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there.

- At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that [tech support MVP] Ressie posted earlier in the thread.

- Thanks to Ressie's efforts, most security programs should be able to identify this threat shortly, if not by the time I type this.

- If you were compromised, follow the instructions here and we'll do our best to set everything right (as we always do).

- For those of you interested in these MitM-style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts. These sorts of outbreaks are annoying, but an Authenticator still protects your account 99% of the time.

ORIGINAL STORY: Blizzard is warning World of Warcraft players to keep an eye out for a "dangerous Trojan" that can steal your account information and authenticator password in real time. Yikes!

"We are currently looking for more information on the Trojan," Blizzard explained on its support forums. Unfortunately, it added "we have not been able to locate any anti-virus programs that will remove it besides just reformatting your system."

On the plus side, the Trojan only appears to affect PC users, so Mac players should be safe.

If you think you've been infected, the developer suggested that you search for the Trojan by creating an MSInfo file, then looking in the Startup Programs section of that file for either "Disker" or "Disker64".

If the search comes up positive, Blizzard suggests you reply on the support forums and include your MSInfo, a list of any add-ons and programs you recently installed along with where you got them, and any security programs you've run along with their results.
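The Startup Programs check described above can be scripted against an exported report. This is an added example, not code from Blizzard or the original article; it assumes the MSInfo report was saved as text with bracketed section headings and tab-separated "Program" and "Startup Command" columns, and the function names and sample rows are constructed for illustration.

```python
import re

# Names from the article; matched as whole tokens so "DiskExplorer" is not a hit.
INDICATORS = {"disker", "disker64"}

# Constructed sample in the assumed layout of an MSInfo text export.
SAMPLE_REPORT = "\n".join([
    "[System Summary]", "",
    "Item\tValue", "OS Name\tConstructed Example OS", "",
    "[Startup Programs]", "",
    "Program\tStartup Command\tUser Name\tLocation",
    "ExampleUpdater\tC:\\constructed\\updater.exe\tPublic\tStartup",
    "Disker64\tC:\\constructed\\placeholder.dll\tEXAMPLE\\player\tRun key (constructed)",
    "DiskExplorer\tC:\\constructed\\diskexplorer.exe\tEXAMPLE\\player\tStartup",
    "", "[Environment Variables]", "",
    "Variable\tValue\tUser Name",
])

def load_report(path):
    """Read an exported report; assumes UTF-16 with a BOM, else falls back to UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def startup_rows(report_text):
    """Yield each data row of the [Startup Programs] section as a dict."""
    in_section, header = False, None
    for line in report_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped.lower() == "[startup programs]"
            header = None
            continue
        if not in_section or not stripped:
            continue
        cells = [c.strip() for c in line.split("\t")]
        if header is None:
            header = cells  # first non-blank line of the section is the column row
            continue
        yield dict(zip(header, cells))

def find_hits(report_text):
    """Return startup rows whose Program or Startup Command names an indicator."""
    def names(row):
        text = f'{row.get("Program", "")} {row.get("Startup Command", "")}'
        return set(re.split(r"[^a-z0-9]+", text.lower()))
    return [row for row in startup_rows(report_text) if INDICATORS & names(row)]
```

Call `find_hits(load_report(path))` on a saved report; an empty list means neither name appears in the startup entries, which rules out only this one indicator.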

In the meantime, be wary of any suspicious e-mails claiming to be from Blizzard that are not actually from Blizzard. Stay safe!
