  1. #1

    Wow Curse (Virus on some addons) 10/01/2013

    Afternoon all, please be warned that some authors on WoW Curse have been hacked of sorts and now their addons contain a Trojan horse.

    Please don't update any of your addons if you want to stay safe

    Known addon Auctionator 3.1.1 Avoid this one

    Will update more when I find them

    I would like to note also that some people may have 3.1.1 already and have no issues; this is correct, as the file only got re-released today with the virus.

    Update: Issue has been resolved now; only an issue to those who already downloaded it. Curse suggest you remove the current file version 3.1.1

    Version 3.1.2 of Auctionator is safe to download.
    Last edited by Tarafoe; 2013-01-11 at 06:16 PM. Reason: Issue Resolved

  2. #2
    don't have any troubles with this and how the hell could you get infected ..... you need to RUN the virus or it won't infect your system. it's probably the author of the addon that has a virus on his comp and accidentally upped it

    it will probably be removed when curse's eye falls on it
    Same Shit Different Day

  3. #3
    Care to elaborate how exactly Lua files, which are plain text files parsed in the WoW sandbox with zero access to the actual file system are going to "infect" your computer?
    UI & AddOns expert | Interface & Macros moderator - My work

  4. #4
    Quote Originally Posted by Treeston View Post
    Care to elaborate how exactly Lua files, which are plain text files parsed in the WoW sandbox with zero access to the actual file system are going to "infect" your computer?
    With copious amounts of Sha-infested algorithms?

  5. #5
    Something tells me he got his account banned and is looking to try and hurt curse/mmo-champ.

  6. #6
    The updated addon has been removed. I don't have the virus, a friend has; just relaying info. Also, the new file had no .lua files inside; they had been replaced with a .exe file which contained the virus. Don't be so quick to jump to conclusions.

    Also, when he had virus scanned his system it referred directly to his interface/addon/auctionator
    Last edited by Tarafoe; 2013-01-10 at 04:28 PM. Reason: Clarification

  7. #7
    Alright, so let's assume that the repository system's protections against .exe files, the packager's protections against .exe files and the curse client's protections against .exe files have all been circumvented (somehow).
    Next, how exactly is your theoretical .exe file going to be executed? Are you saying that the Curse Client has somehow been tricked into executing arbitrary code, a function which it was never designed to fulfill, without even being updated?
    Besides, you claim that all the .lua files had been replaced with .exe files. This means that the newly downloaded file is functionless, yet your "friend" is the only one to have noticed so far?
    You'll have to understand that rumors of "oh my god curse has VIRUSES" are not exactly a recent invention, so I'm quite sceptical unless you can provide more than this word-of-mouth "evidence" of your "friend's" for the time being.
    Last edited by Treeston; 2013-01-10 at 04:40 PM.
    UI & AddOns expert | Interface & Macros moderator - My work

  8. #8
    Quote Originally Posted by Treeston View Post
    Alright, so let's assume that the repository system's protections against .exe files, the packager's protections against .exe files and the curse client's protections against .exe files have all been circumvented (somehow).
    Next, how exactly is your theoretical .exe file going to be executed? Are you saying that the Curse Client has somehow been tricked into executing arbitrary code, a function which it was never designed to fulfill, without even being updated? You'll have to understand that rumors of "oh my god curse has VIRUSES" are not exactly a recent invention, so I'm quite sceptical for the time being.
    Well, the file is no longer on Curse. No, they haven't released any info regarding the virus, but I think removing the file is proof enough. Maybe the .exe has a line of code when you start WoW and it goes to activate your addons it executes the file. This is just a theory as I don't know how it can happen; all I know is it has, and I doubt the guy/girl will go "hey, this is how I bypassed the update system to give and execute this file or have a line of code".

  9. #9
    Brewmaster Detheavn's Avatar
    Quote Originally Posted by Tarafoe View Post
    Maybe the .exe has a line of code when you start wow and it goes to activate your addons it executes the file, This is just a theory as I don't know how it can happen all I know is it has and I doubt the guy/girl will go hey this is how I bypassed the update system to give and execute this file or have a line of code.
    This alone makes me believe that no one experienced problems other than you. It is more likely a virus already existing on your system changed your downloaded zip files, rather than anything.

    I suggest a good thorough scan, a lukewarm bath and a nice cup of coffee.

  10. #10
    Quote Originally Posted by Detheavn View Post
    This alone makes me believe that no one experienced problems other than you. It is more likely a virus already existing on your system changed your downloaded zip files, rather than anything.

    I suggest a good thorough scan, a lukewarm bath and a nice cup of coffee.

    Can I add that I'm not the person having this problem. Others are experiencing this also; please check ww.curse.com/addons/wow/auctionator comments.
    Also there is a post now on the Blizzard forums regarding this: u.battle.net/wow/en/forum/topic/6298062177. Please add the first "w" in the first link and "e" to the start of the second; I can't post links yet.

    Now I'd also like to remind everyone that I'm not an expert in coding so not super savvy on the technicals of how to execute a file without clicking it. I do however like to note that I'm only here to relay information, not to cause a debate over how to get a virus from Curse.

  11. #11
    Quote Originally Posted by tenangrychickens View Post
    With copious amounts of Sha-infested algorithms?
    Ever heard of SHA1-Encryption?


  12. #12
    So essentially, you're saying that:
    1) The WoW client is going to execute arbitrary .exe files in addons' folders, despite it not being intended to do such a thing.
    2) The (supposed) file was removed from Curse.com without leaving a trace anywhere. We're talking about a file publicly available on the internet. Your mysterious "friend" is the only one who downloaded the file, and has since deleted it.
    3) To follow up on 2), we're talking about a site that gets multiple thousand downloads a day. You claim that the alleged virus came from an external source, yet the curse staff somehow miraculously managed to remove it fast enough for nobody except your "friend" to download the file.
    4) You have no proof of any of the above except for the word of your "friend". All information and files involved vanished. Without a trace. On the internet where, as we all know, very few things leave no trace.

    However, in case all of the above happen to be true, I will, on behalf of the Curse team, gladly accept your compliment regarding our lightning-fast attack detection and removal of the infringing files. In fact, we were so incredibly good at our job that only a single person in the entire world was affected. I'd call that a success.

    PS: Do you subscribe to the thing commonly referred to as "hollywood hacking"? Systems do not "somehow" execute functions they were never meant to execute. The WoW client does not randomly run executable files for the heck of it. The packager does not feel like taking the day off to package a .exe file.
    Last edited by Treeston; 2013-01-10 at 05:07 PM.
    UI & AddOns expert | Interface & Macros moderator - My work

  13. #13
    Quote Originally Posted by Treeston View Post
    So essentially, you're saying that:
    1) The WoW client is going to execute arbitrary .exe files in addons' folders, despite it not being intended to do such a thing.
    2) The (supposed) file was removed from Curse.com without leaving a trace anywhere. We're talking about a file publicly available on the internet. Your mysterious "friend" is the only one who downloaded the file, and has since deleted it.
    3) To follow up on 2), we're talking about a site that gets multiple thousand downloads a day. You claim that the alleged virus came from an external source, yet the curse staff somehow miraculously managed to remove it fast enough for nobody except your "friend" to download the file.
    4) You have no proof of any of the above except for the word of your "friend". All information and files involved vanished. Without a trace. On the internet where, as we all know, very few things leave no trace.

    However, in case all of the above happen to be true, I will, on behalf of the Curse team, gladly accept your compliment regarding our lightning-fast attack detection and removal of the infringing files. In fact, we were so incredibly good at our job that only a single person in the entire world was affected. I'd call that a success.

    PS: Do you subscribe to the thing commonly referred to as "hollywood hacking"? Systems do not "somehow" execute functions they were never meant to execute. The WoW client does not randomly run executable files for the heck of it. The packager does not feel like taking the day off to package a .exe file.
    Looks like he's not making it up. A Curse employee posted a comment on the Auctionator page.

    I got notified about it this morning and we've removed the offending file.

    A hacker got access to two accounts and used one of them to upload the virus-laden file. I've tracked down about five IP addresses and blocked them all, and as of right now it appears to be the only file he infected.

    Just downloading the file doesn't cause an infection on your computer. Unless you went in and opened the lnk file you should be fine. The client doesn't open the file automatically.

    We've notified the account owners and they've changed their passwords. We've removed the file, and it's been sent to Blizzard's Warden team and will be submitted to our antivirus manufacturer as it bypassed our server's scanner. We're also going to shore up our filters to flag lnk files in the future.
    OP: You have to understand that 99% of the time someone comes in claiming a virus came from Curse, they are completely making it up. Thus many of us have become jaded to the point that we just assume all of these reports are fabricated in some way.
    Last edited by Gurbz; 2013-01-10 at 05:09 PM.
    All this complaining is simply further proof that Blizzard could send each and every player a real-life wish-granting flying unicorn carrying a solid gold plate of chocolate chip cookies wrapped in hundred dollar bills, and someone would whine that Blizzard sucks for not letting them choose oatmeal raisin.
    Quote Originally Posted by DeadmanWalking View Post
    If your guild demands you slip into an elephant's butt and force yourself out in a regurgitation then you can't blame Blizzard for supplying the elephant.

  14. #14
    Legendary! Treelife's Avatar
    Hi Superbeast2013 and Maev81.

    I got notified about it this morning and we've removed the offending file.

    A hacker got access to two accounts and used one of them to upload the virus-laden file. I've tracked down about five IP addresses and blocked them all, and as of right now it appears to be the only file he infected.

    Just downloading the file doesn't cause an infection on your computer. Unless you went in and opened the lnk file you should be fine. The client doesn't open the file automatically.

    We've notified the account owners and they've changed their passwords. We've removed the file, and it's been sent to Blizzard's Warden team and will be submitted to our antivirus manufacturer as it bypassed our server's scanner. We're also going to shore up our filters to flag lnk files in the future.
    Seems the author/mod/whatever (blue text) even said it. I'll be damned.

  15. #15
    Hm, I guess I should refresh before posting. A link instructing CMD to open a .txt in .exe mode. Yeah, that'll work.

    However:
    1. This won't run automatically.
    2. We did release a statement. In fact, you just linked me to it.
    3. Still, thanks for pointing it out. You could have done it with a bit more facts and a bit less exaggeration, but thanks are still in order.
    UI & AddOns expert | Interface & Macros moderator - My work
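
Added example, not part of any post in this thread and not Curse's own code: a pre-publication check of the kind the Curse statement describes ("flag lnk files"), which also inspects file headers so that an executable stored under a .txt name is caught. The extension allowlist and the sample file names are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed allowlist of file types a WoW addon package normally ships.
ALLOWED_EXT = {".lua", ".toc", ".xml", ".txt", ".md", ".tga", ".blp", ".ogg", ".mp3", ".ttf"}
# Content signatures checked regardless of what the file is called.
MAGIC = {
    b"MZ": "Windows executable (MZ header)",
    bytes.fromhex("4c00000001140200"): "Windows shortcut (.lnk header)",
}

def audit_addon_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for every entry that should block publication."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext not in ALLOWED_EXT:
                findings.append((info.filename, f"unexpected file type {ext or '(none)'}"))
            with zf.open(info) as fh:
                head = fh.read(8)  # enough for both signatures
            for sig, label in MAGIC.items():
                if head.startswith(sig):
                    findings.append((info.filename, label))
    return findings

def build_sample() -> bytes:
    """Constructed test archive; none of this content comes from the real incident."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Auctionator/Auctionator.toc", "## Title: Auctionator\n")
        zf.writestr("Auctionator/Auctionator.lua", "print('hello')\n")
        # Shortcut header followed by padding, standing in for a real .lnk file.
        zf.writestr("Auctionator/Readme.lnk", bytes.fromhex("4c00000001140200") + b"\0" * 68)
        # Allowed extension, but the content starts like a Windows executable.
        zf.writestr("Auctionator/notes.txt", b"MZ" + b"\0" * 62)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in audit_addon_zip(build_sample()):
        print(f"{name}: {reason}")
```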

  16. #16
    Scarab Lord Kaneiac's Avatar
    God damn, what's with the venom in this thread?
    Hey, remember when I dropped my keys and you thought the phone was ringing?

  17. #17
    Quote Originally Posted by Kaneiac View Post
    God damn, what's with the venom in this thread?
    Because almost every single time somebody says 'Curse sent me a virus,' they are blatantly lying.

    Heroic Recruitment -- Hersh's multi-PoV kill vids. -- Raids & Dungeons & Hunter kitty
    no one huntars like gaston

  18. #18
    Removed what I have said.

    Sorry I understand I could have given more facts etc but that's the only info I had at that time.
    Last edited by Tarafoe; 2013-01-10 at 05:19 PM. Reason: Info no longer required

  19. #19
    Scarab Lord Kaneiac's Avatar
    Quote Originally Posted by Herecius View Post
    Because almost every single time somebody says 'Curse sent me a virus,' they are blatantly lying.
    I get that, but you think people from Curse would actually investigate the issue before posting instead of saying "BULLSHIT GO AWAY"
    Hey, remember when I dropped my keys and you thought the phone was ringing?

  20. #20
    Quote Originally Posted by Herecius View Post
    Because almost every single time somebody says 'Curse sent me a virus,' they are blatantly lying.
    The author's account was compromised and the virus was uploaded by his account, so no, Curse didn't send the virus; it merely distributed the file that the author had uploaded to its database.
