Unread 12-03-2007, 02:30 PM
Cairenn
Credendo Vides
Premium Member
LOTROInterface Admin
Interface Author
Join Date: Jan 2007
Posts: 642
If you get big enough, they will come ….

(This is a copy of the post as on the front page of our WoWInterface site)
Quote:
And unfortunately for us, the “they” in this case are thieves, and they came. It appears that the people who are distributing the latest rash of trojans paid us a visit as well. We have determined that two of the mods on the site that have auto-installers were hacked and a trojan inserted. From our investigations, it appears that the incursion was on 30 Nov. Here are the details that you need to be aware of:

If you downloaded either:

KaoMod-20300.001.exe

or:

SewellUI

between 30 Nov and 02 Dec, you may have been infected.


We were first alerted to a possible problem via this thread on the Blizzard forum yesterday, 01 Dec, at 2am my time. We immediately quarantined the mod in question and ran tests on it. It appeared to come up clean, but continued digging determined that there was, in fact, a trojan hiding in it. As we continued to investigate, it became apparent that the person who did this only hit our fs2 (file server 2) database server. At that point (5 am my time), we immediately quarantined our entire fs2 and switched to fs1. fs2 continues to be quarantined until we can be sure that any infections are removed.


What you need to do

If you downloaded either of those files and think you may have been infected, here is what you need to do:

Updated! 12/3/07 12AM CST - ScytheBlade1 has written a batch file to remove all 3 versions of the keylogger. Dolby has verified that this does work.

Download: RemoveKeylogger.zip
(Contains one .bat file and one .reg file)

Download and extract the files to your hard drive (for example, C:\). I wouldn't recommend extracting it to your desktop for simplicity reasons.

Once you've got it downloaded and extracted, reboot into safe mode and then run RemoveKeylogger (the file that looks like a gear). Reboot once more into "normal" mode and the keylogger should be removed. Please follow the steps in the original post to ensure that it is actually gone before you trust your computer.

Once you're clean, go ahead and delete the files (RemoveKeylogger and WZCSVC).

OR, if you feel more secure doing it manually ....

1) Boot into safe mode

2) Delete the bad files (wzcsvbc.dll, mouse.dll, printfpool.exe)

Start --> run --> cmd.exe

Copy and paste the following lines into the box, one by one:

attrib -H -S %systemroot%\system32\wzcsvbc.dll

attrib -H -S %systemroot%\system32\mouse.dll

attrib -H -S %systemroot%\system32\printfpool.exe

del %systemroot%\system32\wzcsvbc.dll

del %systemroot%\system32\mouse.dll

del %systemroot%\system32\printfpool.exe

sc delete printfpool

exit

3) Fix the registry

Start --> run --> regedit

Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters

Double-click on "ServiceDLL" and change that value to "%SystemRoot%\System32\wzcsvc.dll" (remove the "b")

4) Reboot

5) Start WoW, and then close it. Do NOT log in.

6) Verify that the bad files don't exist (search your computer for "wzcsvbc.dll" - be sure to search in hidden and system folders)

7) Run a complete anti-virus scan. AntiVir (http://freeav.com) has been known to successfully detect these files.

8) Login to the WoW account management (http://www.worldofwarcraft.com/account/) and change your password.
  • NOTE: VERY FEW ANTIVIRUS PROGRAMS CURRENTLY PICK THIS TROJAN UP. BE SAFE, SCAN YOUR SYSTEM, BUT VERIFY BY HAND THAT THE BAD FILES NO LONGER EXIST.

What we are doing about this:

We’ve installed another level of firewall on our servers, amongst other things. Effective immediately we will no longer accept any mod packages that include .exe or .msi (self-installers). Authors of existing packages that use self-installers will be contacted and required to change their packages to regular compression (.zip) files only, or removed from the site.


We’re very very sorry this has happened. Never before in the five years that we’ve been running our sites have we had anyone successfully breach our security and imperil our users. Trust that we will do everything we can to try to make sure it never happens again.


Once again, we’re really sorry.

Now for the details as it pertains to this site:

We know that the people distributing the trojan jumped to this site after they finished with WoWInterface. Because there are no mods on this site with executables they repackaged some of the interfaces to be self-extracting executables that would install the interface files as usual, but also run the trojan. In the process of tracking what all they had done, Dolby traced them here and immediately reverted this site's database to pre-intrusion. That was approximately 5am central, yesterday, 2 Dec. He also saw their attempt to cover their tracks by deleting razer0000's thread, and restored the thread. He is still working on determining exactly when they infiltrated the file server on this site, so that we can give you an exact time frame in which you may have gotten something. In the meantime: if you downloaded something from the site between 30 Nov and 2 Dec and it had an executable then you need to check to make sure you weren't infected. The information on what to look for and how to clean it if anything does show up is all in the quoted text above.

I'm very sorry that I didn't post the information on the front page of this site sooner. Because the incursion was so much more extensive on WoWInterface and because we caught it so quickly over here, I've spent the majority of my time trying to help Dolby track what happened and work with the WoW author community in tearing the trojan apart so that we had as much information as possible to provide to everyone. It was wrong of me to not post this sooner over here and I'm sorry that I didn't.

We will provide more details as we determine them.

Once again, I'm very sorry that this happened at all, and that it took me this long to post the information on this site.
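As an added example that is not part of the original post or the RemoveKeylogger package, the following read-only PowerShell check verifies whether the indicators named above (the three files in System32, the printfpool service, and the WZCSVC ServiceDll value pointing at wzcsvbc.dll) are still present after cleanup; it removes nothing. It assumes the registry value is stored under the name ServiceDll (registry value names are case-insensitive, so this matches the "ServiceDLL" named in the post) and that the system drive is the one in $env:SystemDrive.

```powershell
# Added verification check (not from the original post): report whether any
# indicator from the thread is still present. Run from an elevated prompt.
$sys32    = Join-Path $env:SystemRoot 'System32'
$badFiles = @('wzcsvbc.dll', 'mouse.dll', 'printfpool.exe')   # names from the post
$findings = @()

# 1. The dropped files were hidden+system; -Force is required to see them.
foreach ($name in $badFiles) {
    $path = Join-Path $sys32 $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "File present: $path (attributes: $($item.Attributes))"
    }
}

# 2. The post's manual steps run 'sc delete printfpool'; confirm it is gone.
$svc = Get-Service -Name 'printfpool' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service present: printfpool (status: $($svc.Status))"
}

# 3. The legitimate WZCSVC ServiceDll is wzcsvc.dll; the trojan pointed it at
#    wzcsvbc.dll (extra "b"). Get-ItemProperty expands %SystemRoot% for us.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters'
$dll = (Get-ItemProperty -Path $regPath -Name 'ServiceDll' `
        -ErrorAction SilentlyContinue).ServiceDll
if ($dll -and $dll -match 'wzcsvbc\.dll') {
    $findings += "Registry: WZCSVC ServiceDll = $dll (expected ...\System32\wzcsvc.dll)"
}

# 4. Step 6 of the post: search the whole drive, including hidden folders,
#    for any other copy of wzcsvbc.dll.
Get-ChildItem -Path $env:SystemDrive -Filter 'wzcsvbc.dll' -Recurse -Force `
    -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Copy found elsewhere: $($_.FullName)" }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the thread were found.'
    exit 0
} else {
    Write-Output 'Indicators still present:'
    $findings | ForEach-Object { Write-Output "  $_" }
    exit 1
}
```

A non-zero exit code means at least one indicator remains and the manual steps (or the removal batch file) should be repeated before the machine is trusted.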