Wow Curse (Virus on some addons) 10/01/2013

[Deleted]

Afternoon all please be warned that some authors on wow curse have been hacked or sorts and now their addons contain Trojan Horse.

Please don't update any of your addons if you want to stay safe

Known addon Auctionator 3.1.1 Avoid this one

Will update more when I find them

I would like to note also that some people may have 3.1.1 already and have no issues, this is correct as the file only got re released today with the virus.

Update: Issue has been resolved now only an issue to those who already downloaded it. Curse suggest you remove the current file version 3.1.1

Version 3.1.2 of Auctionator is safe to download.

[Deleted]

dont have any troubles with this and how the hell could you get infected ..... you need to RUN the virus or it wont infect your system its probably the author of the addon that has a virus on his comp and accidently upped it

it will probably be removed when curse's eye falls on it

[Deleted]

Care to elaborate how exactly Lua files, which are plain text files parsed in the WoW sandbox with zero access to the actual file system are going to "infect" your computer?

[Deleted]

Care to elaborate how exactly Lua files, which are plain text files parsed in the WoW sandbox with zero access to the actual file system are going to "infect" your computer?

With copious amounts of Sha-infested algorithms?

[Otterbob]

Something tells me he got his account banned and is looking to try and hurt curse/mmo-champ.

[Deleted]

The updated addon has been removed I don't have the virus a friend has just relaying info, also the new file had no .lua files inside they had been replaced with a .exe file which contained the virus. Don't be so quick to jump to conclusions.

Also when he had virus scanned his system it reffered directly to his interface/addon/auctionator

[Deleted]

Alright, so let's assume that the repository system's protections against .exe files, the packager's protections against .exe files and the curse client's protections against .exe files have all been circumvented (somehow).
Next, how exactly is your theoretical .exe file going to be executed? Are you saying that the Curse Client has somehow been tricked into executing arbitrary code, a function which it was never designed to fulfill, without even being updated?
Besides, you claim that all the .lua files had been replaced with .exe files. This means that the newly downloaded file is functionless, yet your "friend" is the only one to have noticed so far?
You'll have to understand that rumors of "oh my god curse has VIRUSES" are not exactly a recent invention, so I'm quite sceptical unless you can provide more than this word-of-mouth "evidence" of your "friend's" for the time being.

[Deleted]

Alright, so let's assume that the repository system's protections against .exe files, the packager's protections against .exe files and the curse client's protections against .exe files have all been circumvented (somehow).
Next, how exactly is your theoretical .exe file going to be executed? Are you saying that the Curse Client has somehow been tricked into executing arbitrary code, a function which it was never designed to fulfill, without even being updated? You'll have to understand that rumors of "oh my god curse has VIRUSES" are not exactly a recent invention, so I'm quite sceptical for the time being.

Well the file is no longer on curse no they haven't released any info regarding the virus, but I think removing the file is proof enough. Maybe the .exe has a line of code when you start wow and it goes to activate your addons it executes the file, This is just a theory as I don't know how it can happen all I know is it has and I doubt the guy/girl will go hey this is how I bypassed the update system to give and execute this file or have a line of code.

[Detheavn]

Maybe the .exe has a line of code when you start wow and it goes to activate your addons it executes the file, This is just a theory as I don't know how it can happen all I know is it has and I doubt the guy/girl will go hey this is how I bypassed the update system to give and execute this file or have a line of code.

This alone makes me believe that no one experienced problems other than you. It is more likely a virus already existing on your system changed your downloaded zip files, rather than anything.

I suggest a good thorough scan, a lukewarm bath and a nice cup of coffee.

[Deleted]

This alone makes me believe that no one experienced problems other than you. It is more likely a virus already existing on your system changed your downloaded zip files, rather than anything.

I suggest a good thorough scan, a lukewarm bath and a nice cup of coffee.

Can I add that im not the person having this problem. Others are experiencing this also please check ww.curse.com/addons/wow/auctionator comments.
Also there is a post now on the blizzard forums regarding this also u.battle.net/wow/en/forum/topic/6298062177 please add first "w" in first link and "e" to the start of the second I can't post links yet

Now I'd also like to remind everyone that I'm not a expert in coding so not super savvy on the technicals of how to excute a file without clicking it, I do however like to note that I'm only here to relay information not to cause a debate over how to get a virus from curse.

[XDurionX]

With copious amounts of Sha-infested algorithms?

Ever heard of SHA1-Encryption?

[Deleted]

So essentially, you're saying that:
1) The WoW client is going to execute arbitrary .exe files in addons' folders, despite it not being intended to do such a thing.
2) The (supposed) file was removed from Curse.com without leaving a trace anywhere. We're talking about a file publicly available on the internet. Your mysterious "friend" is the only one who downloaded the file, and has since deleted it.
3) To follow up on 2), we're talking about a site that gets multiple thousand downloads a day. You claim that the alleged virus came from an external source, yet the curse staff somehow miraculously managed to remove it fast enough for nobody except your "friend" to download the file.
4) You have no proof of any of the above except for the word of your "friend". All information and files involved vanished. Without a trace. On the internet where, as we all know, very few things leave no trace.

However, in case all of the above happen to be true, I will, on behalf of the Curse team, gladly accept your compliment regarding our lightning-fast attack detection and removal of the infringing files. In fact, we were so incredibly good at our job that only a single person in the entire world was affected. I'd call that a success.

PS: Do you subscribe to the thing commonly referred to as "hollywood hacking"? Systems do not "somehow" execute functions they were never meant to execute. The WoW client does not randomly run executable files for the heck of it. The packager does not feel like taking the day off to package a .exe file.

[Gurbz]

So essentially, you're saying that:
1) The WoW client is going to execute arbitrary .exe files in addons' folders, despite it not being intended to do such a thing.
2) The (supposed) file was removed from Curse.com without leaving a trace anywhere. We're talking about a file publicly available on the internet. Your mysterious "friend" is the only one who downloaded the file, and has since deleted it.
3) To follow up on 2), we're talking about a site that gets multiple thousand downloads a day. You claim that the alleged virus came from an external source, yet the curse staff somehow miraculously managed to remove it fast enough for nobody except your "friend" to download the file.
4) You have no proof of any of the above except for the word of your "friend". All information and files involved vanished. Without a trace. On the internet where, as we all know, very few things leave no trace.

However, in case all of the above happen to be true, I will, on behalf of the Curse team, gladly accept your compliment regarding our lightning-fast attack detection and removal of the infringing files. In fact, we were so incredibly good at our job that only a single person in the entire world was affected. I'd call that a success.

PS: Do you subscribe to the thing commonly referred to as "hollywood hacking"? Systems do not "somehow" execute functions they were never meant to execute. The WoW client does not randomly run executable files for the heck of it. The packager does not feel like taking the day off to package a .exe file.

Looks like he's not making it up. A Curse employee posted a comment on the Auctionator page.

I got notifed about it this morning and we've removed the offending file.

A hacker got access to two accounts and used one of them to upload the virus laden file. I've tracked down about five ip addressed and blocked them all, and as of right now it appears to be the only file he infected.

Just downloading the file doesn't cause an infection on your computer. Unless you went in and opened the lnk file you should be fine. The client doesn't open the file automattically.

We've notified the account owners and had they've changed their passwords. We've removed the file, and it's been sent to Blizzard's Warden team and will be submitted to our antivirus manufacture as it bypassed our server's scanner. We're also going to shore up our filters to flag lnk files in the future.

OP: You have to understand that 99% of the time someone comes in claiming a virus came from Curse, they are completely making it up. Thus many of us have become jaded to the point that we just assume all of these reports are fabricated in some way.

[Soisoisoi]

Hi Superbeast2013 and Maev81.

I got notifed about it this morning and we've removed the offending file.

A hacker got access to two accounts and used one of them to upload the virus laden file. I've tracked down about five ip addressed and blocked them all, and as of right now it appears to be the only file he infected.

Just downloading the file doesn't cause an infection on your computer. Unless you went in and opened the lnk file you should be fine. The client doesn't open the file automattically.

We've notified the account owners and had they've changed their passwords. We've removed the file, and it's been sent to Blizzard's Warden team and will be submitted to our antivirus manufacture as it bypassed our server's scanner. We're also going to shore up our filters to flag lnk files in the future.

Seems the author/mod/whatever (blue text) even said it. I'll be damned.

[Deleted]

Hm, I guess I should refresh before posting. A link instructing CMD to open a .txt in .exe mode. Yeah, that'll work.

However:
1. This won't run automatically.
2. We did release a statement. In fact, you just linked me to it.
3. Still, thanks for pointing it out. You could have done it with a bit more facts and a bit less exaggeration, but thanks are still in order.

[Kaneiac]

God damn, what's with the venom in this thread?

[Herecius]

God damn, what's with the venom in this thread?

Because almost every single time somebody says 'Curse sent me a virus,' they are blatantly lying.

[Deleted]

Removed what I have said.

Sorry I understand I could have given more facts etc but that's the only info I had at that time.

[Kaneiac]

Because almost every single time somebody says 'Curse sent me a virus,' they are blatantly lying.

I get that, but you think people from Curse would actually investigate the issue before posting instead of saying "BULLSHIT GO AWAY"

[Deleted]

Because almost every single time somebody says 'Curse sent me a virus,' they are blatantly lying.

The author's account was compromised and the virus was uploaded by his account so no curse didn't send the virus it mearly distributed the file that the author had uploaded to its database.