Trojan warning: Multiple AddOns infected

[Mehrunes Dagon]

http://eu.battle.net/wow/en/forum/topic/6298062177

Recently, multiple AddOn author accounts have been compromised, and their AddOns have been replaced with a trojan. All players are encouraged to run a full scan of their computer, and to be particularly careful if they use an AddOn client which automatically downloads and installs updates.

The authorities have been alerted to this incident and are investigating it. My principal concern is that the trojan was not detected by many common and popular anti-malware solutions. For that reason, I would encourage people to avail of the thread by MVP Shammoz linked to below.

[Guide] How to SCAN and SECURE your PC - Part II
http://eu.battle.net/wow/en/forum/topic/900641537

This incident is an excellent reminder of why it's never a good idea to rely on one security program to protect your computer. No anti-virus software has a 100% detection rate, and the more methods you use to keep your computer secure, the better. Regular scans are also highly important.

AddOns known to have been affected;
Auctionator - Curse
BigWigs - WoWInterface

Curse and WoWInterface have since removed the malicious versions of these AddOns, and are combing through their sites to check that no other AddOn was similarly infected. AddOn clients did not activate the trojan; it will be dormant unless you use the .lnk shortcut. If you have one, delete it.

[Rotesbart]

Given that lua code is (obviously) flat text, and never is compiled into a binary executable, it should be obvious to anybody if they download an addon and its compromised.

Anyone who got infected from such a thing should turn in their geek card, because it's just wrong on so many levels. Hard to even express the level of facepalm would be involved. It would be like someone downloading some photographs, finding that they are lolcatpics.exe, and simply not caring that that is not a picture file format.

Nobody is distributing addons legitimately as binary executables, of any kind (self extracting rar/zip/etc.) So all I can really say is, really?

[Darsithis]

Given that lua code is (obviously) flat text, and never is compiled into a binary executable, it should be obvious to anybody if they download an addon and its compromised.

Anyone who got infected from such a thing should turn in their geek card, because it's just wrong on so many levels. Hard to even express the level of facepalm would be involved. It would be like someone downloading some photographs, finding that they are lolcatpics.exe, and simply not caring that that is not a picture file format.

Nobody is distributing addons legitimately as binary executables, of any kind (self extracting rar/zip/etc.) So all I can really say is, really?

You'd be surprised how many people play WoW that are clueless when it comes to computers.

[Deleted]

You can only be infected if you directly click the .exe right? Curse doesnt do that afaik?

[PrairieChicken]

I heard that there are some exe files that auto install addons for people who are lazy / or doesn't know anything about computers

[Roia]

This incident is an excellent reminder of why it's never a good idea to rely on one security program to protect your computer. No anti-virus software has a 100% detection rate, and the more methods you use to keep your computer secure, the better.

While this may be true. It is still NEVER a good idea to install more than one antivirus program on your machine. They will slow your machine to a crawl and will usually conflict with each other.

That being said, if you do want another antiviruses opinion of your system, most vendors have online scanners that you can use for free.

[Blockygame]

Given that lua code is (obviously) flat text, and never is compiled into a binary executable, it should be obvious to anybody if they download an addon and its compromised.

Anyone who got infected from such a thing should turn in their geek card, because it's just wrong on so many levels. Hard to even express the level of facepalm would be involved. It would be like someone downloading some photographs, finding that they are lolcatpics.exe, and simply not caring that that is not a picture file format.

Nobody is distributing addons legitimately as binary executables, of any kind (self extracting rar/zip/etc.) So all I can really say is, really?

I really hope you aren't in a position of ever helping anyone with that attitude, people make mistakes, you know, those things that you never make?

[Loaf Lord]

I hope DBM wasn't affected.

[Immitis]

i most likely dont have a trojan (still scanning with avast and spybot just to be sure) i only use like 4 addons and most of them either never need to be updated or only occasionaly.

i only use movequestlog overachiever, auction master, an addon that lets me auto open mail, and recount

[Airwaves]

Given that lua code is (obviously) flat text, and never is compiled into a binary executable, it should be obvious to anybody if they download an addon and its compromised.

Anyone who got infected from such a thing should turn in their geek card, because it's just wrong on so many levels. Hard to even express the level of facepalm would be involved. It would be like someone downloading some photographs, finding that they are lolcatpics.exe, and simply not caring that that is not a picture file format.

Nobody is distributing addons legitimately as binary executables, of any kind (self extracting rar/zip/etc.) So all I can really say is, really?

You'd be surprised how many people play WoW that are clueless when it comes to computers.

That would be a person like me. I have no idea what they guy was talking about lol. 99% of wow players would have no idea what his talking about.

[chaos01123]

i heard it got fixed by now but i didn't hear about this when i updated my auctionater with curse client about 2-3 hours ago i'm thinking i'm safe but just in case could someone tell me if i should be fine?

what i did was update said addon using curse client other then that i didn't touch nothing or log into wow. once i heard about this though i ran a scan with MSE, nothing showed up so i uninstalled all my addons just to be safe. then again after uninstalling addons i updated my virus scan to make sure my virus protection was up to date and scanned again with nothing shown up.

i would think i'm fine seeing this was 2-3 hours ago when i did the addon update with out logging in game or messing with it otherwise, along with uninstalling my addons about 1-2 hours after said update.

[Granyala]

Just look if there is any .exe file in your Addon folder. If there is -> delete. If not: you're fine.

That would be a person like me. I have no idea what they guy was talking about lol. 99% of wow players would have no idea what his talking about.

I honestly have no idea how you can operate a computer properly without even the most basic knowledge... but apparently you can... hooray Microsoft? :<

[Reyzzz]

Given that lua code is (obviously) flat text, and never is compiled into a binary executable, it should be obvious to anybody if they download an addon and its compromised.

Anyone who got infected from such a thing should turn in their geek card, because it's just wrong on so many levels. Hard to even express the level of facepalm would be involved. It would be like someone downloading some photographs, finding that they are lolcatpics.exe, and simply not caring that that is not a picture file format.

Nobody is distributing addons legitimately as binary executables, of any kind (self extracting rar/zip/etc.) So all I can really say is, really?

I use curse client and never get to see what you talk about (not that I would know what you talk about)

[Deja Thoris]

Given that lua code is (obviously) flat text, and never is compiled into a binary executable, it should be obvious to anybody if they download an addon and its compromised.

Anyone who got infected from such a thing should turn in their geek card, because it's just wrong on so many levels. Hard to even express the level of facepalm would be involved.

Believe it or not, a lot of people use their computers "to do" stuff and don't care about the how's of it. People can and do get caught by this because it's not their area of expertise. You're a computer geek, good for you. Most people aren't, thats not wrong. Whats more wrong about this is that you competely fail to recognise that people have different interests and skillsets.

[Trassk]

Believe it or not, a lot of people use their computers "to do" stuff and don't care about the how's of it. People can and do get caught by this because it's not their area of expertise. You're a computer geek, good for you. Most people aren't, thats not wrong. Whats more wrong about this is that you competely fail to recognise that people have different interests and skillsets.

I agree. I am not in any imagination a tech guy and often even what most tech guys refer to as the basics I don't follow. It staggers me how people go on at length about a certain subject like how to bypass componants in your computer software which is so easy for them, yet they don't think they not everyone knows how to.

I had to show my mother how to install certain programs on her pc, and it didn't bother me that she didn't know or want to. Theres nothing more annoying then a know it all who doesn't take other peoples situations into consideration. Its like having a conversation with Sheldon Cooper

[Buu]

The system they are doing isn't through a *.lnk that access and execute a file through the network?
Going to your addon folder and asking to search all the folders for a *.lnk should do the job, right? Oh and obviously ERASING it.

I don't think a simple trojan scan will do the job, since it's not on the add-on folder. What they are deploying there is the address of the trojan, which is simply a text.

EDIT: If you updated and start WoW already, scan the WHOLE SYSTEM for trojans. It's NOT on the add-on folders, it only used that as entrance. If you didn't start WoW, since the start of this crisis, this search after every update might suffice.

[Deleted]

Believe it or not, a lot of people use their computers "to do" stuff and don't care about the how's of it. People can and do get caught by this because it's not their area of expertise. You're a computer geek, good for you. Most people aren't, thats not wrong. Whats more wrong about this is that you competely fail to recognise that people have different interests and skillsets.

We have licenses and tests for many things, and you can do a lot of damage with a computer. perhaps these people that don't realise an .exe is not a picture should attend computer courses if they intend "to do" stuff on their computer. Here's some hyperbole, you're not allowed to drive a car if you don't know what the accelerate or brake pedals do.

[Deleted]

This incident is an excellent reminder of why it's never a good idea to rely on one security program to protect your computer. No anti-virus software has a 100% detection rate, and the more methods you use to keep your computer secure, the better.

Just no. Having multiple anti-virus systems will cause them to have conflicts with each others, i.e one of them warning the user that the other is a virus and attempting to block the other program when it scans the computer etc.

[Deja Thoris]

We have licenses and tests for many things, and you can do a lot of damage with a computer. perhaps these people that don't realise an .exe is not a picture should attend computer courses if they intend "to do" stuff on their computer. Here's some hyperbole, you're not allowed to drive a car if you don't know what the accelerate or brake pedals do.

Yeah because I can run someone over with my PC. Fantastic analagy there, equating the decent chance to kill someone with the remote possiblity of spreading malware.

Should we have tests for other killers like irons and kettles too?

[Deleted]

Yeah because I can run someone over with my PC. Fantastic analagy there, equating the decent chance to kill someone with the remote possiblity of spreading malware.

Should we have tests for other killers like irons and kettles too?

Someone that is a noob at computers would not know how to spread, obtain or create malware either, no test is needed at all.