World of Warcraft

  • 0. Virus Alert - WoWInterface   12/02/2007 02:07:59 PM PST
If you get big enough, they will come .....

And unfortunately for us, the “they” in this case are thieves, and they came. It appears that the people who are distributing the latest rash of trojans paid us a visit as well. We have determined that two of the mods on the site that have auto-installers were hacked and a trojan inserted. From our investigations, it appears that the incursion was on 30 Nov. Here are the details that you need to be aware of:

If you downloaded either:

KaoMod-20300.001.exe

or:

SewellUI

between 30 Nov and 02 Dec, you may have been infected.

We were first alerted to a possible problem via this thread on the Blizzard forum yesterday, 01 Dec, at 2am my time. ( http://forums.worldofwarcraft.com/thread.html?topicId=3168363293&sid=1 ) We immediately quarantined the mod in question and ran tests on it. It appeared to come up clean, but continued digging determined that there was, in fact, a trojan hiding in it. As we continued to investigate, it became apparent that the person who did this only hit our fs2 (file server 2) database server. At that point (5 am my time), we immediately quarantined our entire fs2 and switched to fs1. fs2 continues to be quarantined until we can be sure that any infections are removed.


What you need to do

If you downloaded either of those files and think you may have been infected, here is what you need to do:

1) Boot into safe mode
2) Delete the bad files (wzcsvbc.dll, mouse.dll, printfpool.exe)
Start --> run --> cmd.exe
Copy and paste the following lines into the box, one by one:
attrib -H -S %systemroot%\system32\wzcsvbc.dll
attrib -H -S %systemroot%\system32\mouse.dll
attrib -H -S %systemroot%\system32\printfpool.exe
del %systemroot%\system32\wzcsvbc.dll
del %systemroot%\system32\mouse.dll
del %systemroot%\system32\printfpool.exe
sc delete printfpool
exit
3) Fix the registry
Start --> run --> regedit
Navigate to My Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters
Double-click on "ServiceDLL" and change that value to "%SystemRoot%\System32\wzcsvc.dll" (remove the "b")
4) Reboot
5) Start WoW, and then close it. Do NOT log in.
6) Verify that the bad files don't exist (search your computer for "wzcsvbc.dll" - be sure to search in hidden and system folders)
7) Run a complete anti-virus scan. AntiVir (http://freeav.com) has been known to successfully detect these files.
8) Login to the WoW account management (http://www.worldofwarcraft.com/account/) and change your password.

NOTE: VERY FEW ANTIVIRUS PROGRAMS CURRENTLY PICK THIS TROJAN UP. BE SAFE, SCAN YOUR SYSTEM, BUT VERIFY BY HAND THAT THE BAD FILES NO LONGER EXIST.


What we are doing about this:

We’ve installed another level of firewall on our servers, amongst other things. Effective immediately we will no longer accept any mod packages that include .exe or .msi (self-installers). Authors of existing packages that use self-installers will be contacted and required to change their packages to regular compression (.zip) files only, or removed from the site.


We’re very very sorry this has happened. Never before in the five years that we’ve been running our sites have we had anyone successfully breach our security and imperil our users. Trust that we will do everything we can to try to make sure it never happens again.

Once again, we’re really sorry.

[ Post edited by Cairenn ]


Cairenn
Administratrix - WoWInterface
Credendo Vides
UI Dev, Hosting & Support
http://www.WoWInterface.com
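A read-only verification script for step 6, added here as an example and not part of Cairenn's post or the WoWInterface site: it checks for the three dropped files (with the Hidden and System attributes the post's attrib commands imply), the printfpool service, and whether the WZCSVC ServiceDLL value still points at the genuine wzcsvc.dll. It assumes an elevated Windows PowerShell session on a Windows version that has the WZCSVC service (Windows XP era, as in the advisory) and changes nothing on the machine.

```powershell
# Added example (not from the original post): read-only check for the
# indicators listed in the advisory. Run elevated; it deletes nothing.
$sys32    = Join-Path $env:SystemRoot 'System32'
$badFiles = @('wzcsvbc.dll', 'mouse.dll', 'printfpool.exe')   # names from the post
$findings = @()

# 1. The dropped files are Hidden+System, so -Force is needed to see them
foreach ($name in $badFiles) {
    $path = Join-Path $sys32 $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "file present: $path (attributes: $($item.Attributes))"
    }
}

# 2. The service the trojan registers ("sc delete printfpool" in the post)
$svc = Get-Service -Name 'printfpool' -ErrorAction SilentlyContinue
if ($svc) { $findings += "service present: printfpool (status: $($svc.Status))" }

# 3. WZCSVC must load the genuine wzcsvc.dll, not the look-alike wzcsvbc.dll
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters'
$dll = (Get-ItemProperty -Path $key -Name 'ServiceDLL' -ErrorAction SilentlyContinue).ServiceDLL
if ($dll -and ($dll -notmatch '\\wzcsvc\.dll$')) {
    $findings += "WZCSVC ServiceDLL points at: $dll"
}

if ($findings.Count -eq 0) {
    Write-Host 'No indicators from the advisory were found.'
} else {
    Write-Host 'Indicators found - follow the cleanup steps in the post:'
    $findings | ForEach-Object { Write-Host "  $_" }
}
```

A clean result here only covers the indicators named in the post; still run the full anti-virus scan from step 7.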
  • 1. Re: If you get big enough, they will come ….    12/02/2007 02:22:45 PM PST
Wow guys I am really sorry to hear that <3 I use your site faithfully for new add-ons and compilations (never those two however). Would it be wise for me to do the scan of the system folder anyways, just in case any others were infected?

I hope you get everything worked out.

Blizzaga - 70 T. Mage / HolySage - 40 UD Priest / Lucificus - 54 UD Rogue
Atallicus - 70 BE Hunter / Mumosa - 33 BE Paladin / Violetessa - 43 NE Druid
Glorificus - 24 H. Warlock
  • 2. Re: If you get big enough, they will come ….    12/02/2007 02:26:28 PM PST
It certainly isn't a bad idea.

Cairenn
Administratrix - WoWInterface
Credendo Vides
UI Dev, Hosting & Support
http://www.WoWInterface.com
  • 3. Re: If you get big enough, they will come ….    12/02/2007 02:35:36 PM PST
If you came up positive with printfpool.exe, you should delete the service that it installs.

Start --> run --> "sc delete printfpool" as an administrator will take care of that for you. Be sure to do it after you are clean, however.

Footnote: none of the above are currently being detected by AVG. The only way to verify that you are clean is by looking for yourself.

EDIT: the service by itself is inert and harmless, and not deleting it won't cause keyloggers to come back. However, there is no point to spamming your system logs with error messages and trying to start a service that can't start every time you boot up.

[ Post edited by Sbo ]


EPIC MACRO: /run SetDungeonDifficulty(3);
  • 4. Re: If you get big enough, they will come ….    12/02/2007 02:38:29 PM PST
I'm good, I have neither...scan returns no viruses :)

Blizzaga - 70 T. Mage / HolySage - 40 UD Priest / Lucificus - 54 UD Rogue
Atallicus - 70 BE Hunter / Mumosa - 33 BE Paladin / Violetessa - 43 NE Druid
Glorificus - 24 H. Warlock
  • 6. Re: If you get big enough, they will come ….    12/02/2007 02:54:35 PM PST
For the concerned, AntiVir (http://freeav.com) picks up the virus when you attempt to install the infected SewellUI package, so if you are concerned about being infected or want to protect yourself against future infections from this virus, you might give that a shot. It's free for personal use and has always served me well.

[ Post edited by Adrine ]


Author of Sanity, SanityBags, Hemlock, and Omen, project lead on Threat-1.0.
  • 7. Re: If you get big enough, they will come ….    12/02/2007 02:55:41 PM PST

Quote:
good thing the only .exe I run is wowaceupdater.


And this means what? Are you making a statement that WAU is immune from having a trojan? If it is, the rest of the computing world would like to know how this immunity was accomplished.

Granted WAU may be low risk, but that does not mean anything.

And sorry to hear that WoWI got hit too :( Though the scope of the infection seems to be many orders of magnitude smaller.
  • 8. Re: If you get big enough, they will come ….    12/02/2007 03:01:00 PM PST

Quote:
For the concerned, AntiVir (http://freeav.com) picks up the virus when you attempt to install the SewellUI package
Please note, the version that was infected is inaccessible, has been since last night. If you are downloading it fresh from the site right now, it's clean, as it is coming from our fs1. fs2 is still in lockdown.

Adrine just has a copy that we have made available to those that want to help tear it apart and trace it back to the culprits that did it.

Cairenn
Administratrix - WoWInterface
Credendo Vides
UI Dev, Hosting & Support
http://www.WoWInterface.com
  • Silver Hand
  • 9. Re: If you get big enough, they will come ….    12/02/2007 03:01:57 PM PST
Glad it was caught. And glad it did not happen during a major patch with having to shut down a file server.

"There is no official support for modifying the WoW interface.
If you break it, you get to keep both pieces. :)" - Slouken

Author of Trinity Bars 2.0 - http://maul.wowinterface.com
  • Spinebreaker
  • 11. Re: If you get big enough, they will come ….    12/02/2007 03:27:13 PM PST

Quote:
the pvers because the pvpers would have warriors specced MS and frost mages.


WTF is this Kelfarr? Who needs grammar now?

Ventra UI:
http://www.wowinterface.com/downloads/info7888-VentaUI.html
Bad thing: Lost my iPod! Good thing: I got my life in order because of it.
  • 12. Re: If you get big enough, they will come ….    12/02/2007 03:28:38 PM PST

Quote:
WTF is this Kelfarr? Who needs grammar now?

You know, you are more worthless than the pallies on my raid team.
And I thought that was impossible.

Shirik - Former Co-Author, RDX.Cid
Are you ready for... the conspiracy?
http://conspiracy-ui.com

Shakespeare loved regexes too: /(bb|[^b]{2})/
  • Spinebreaker
  • 13. Re: If you get big enough, they will come ….    12/02/2007 03:29:56 PM PST

Quote:
You know, you are more worthless than the pallies on my raid team.
And I thought that was impossible.


You know, paladins are better healers 99% of the time than you Oomers.

Ventra UI:
http://www.wowinterface.com/downloads/info7888-VentaUI.html
Bad thing: Lost my iPod! Good thing: I got my life in order because of it.
  • 14. Re: If you get big enough, they will come ….    12/02/2007 03:32:09 PM PST
Let's get back on topic guys. This is an important thread.

Blizzaga - 70 T. Mage / HolySage - 40 UD Priest / Lucificus - 54 UD Rogue
Atallicus - 70 BE Hunter / Mumosa - 33 BE Paladin / Violetessa - 43 NE Druid
Glorificus - 24 H. Warlock
  • Spinebreaker
  • 15. Re: If you get big enough, they will come ….    12/02/2007 03:32:35 PM PST

Quote:
Let's get back on topic guys. This is an important thread.


Sure.

Ventra UI:
http://www.wowinterface.com/downloads/info7888-VentaUI.html
Bad thing: Lost my iPod! Good thing: I got my life in order because of it.
  • Spinebreaker
  • 17. Re: If you get big enough, they will come ….    12/02/2007 03:35:56 PM PST

Quote:
Can I ask what the heck any of those last posts had to do with the topic of the thread? Please take your ... whatever the heck it is you guys have with each other ... elsewhere, so this thread can remain on topic with helping people if they got the virus.

Sorry Cairenn, topic is officially BACK on topic. And that's too bad for the people infected. I do however recommend they do not d/l files with exe's and always have a firewall/antivirus up.

Ventra UI:
http://www.wowinterface.com/downloads/info7888-VentaUI.html
Bad thing: Lost my iPod! Good thing: I got my life in order because of it.
  • 18. Re: Virus Alert - WoWInterface   12/02/2007 04:31:36 PM PST
Well for my 2¢ worth.
Prohibit:
.exe files
.msi files
.bat files
.com files
.vbs files
anything with an absolute path
anything with a path including %system% etc

I would like to see support for better compressions like .rar or .7z as well as .zip though.
Organise some kind of MD5 validation internally between what the Dev uploaded and what is on the server.

I also take it you are looking at how/why fs2 did not propagate the file to fs1.

Also, well handled Cairenn and WoWI!
  • 19. Re: Virus Alert - WoWInterface   12/02/2007 04:37:47 PM PST
.scr and .sh files, as well.

Author of Sanity, SanityBags, Hemlock, and Omen, project lead on Threat-1.0.
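One way a hosting site could enforce the rules proposed in the two posts above (the blocked extension list including .scr and .sh, no absolute or %system%-style paths, and an MD5 comparison against what the author uploaded), written as an added example and not as anything WoWInterface actually ran. It assumes a modern Windows PowerShell with Get-FileHash, a .zip package, and that the author has published the MD5 of their upload; the function name Test-AddonPackage is my own.

```powershell
# Added example (not WoWInterface's code): pre-publication gate for an
# uploaded .zip, following the prohibitions suggested in the thread.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions the posts propose to refuse
$blockedExt = @('.exe', '.msi', '.bat', '.com', '.vbs', '.scr', '.sh')

function Test-AddonPackage {
    param(
        [Parameter(Mandatory)] [string] $ZipPath,
        [Parameter(Mandatory)] [string] $ExpectedMd5   # hash the author published
    )
    $problems = @()

    # Integrity: what sits on the file server must match what the author sent
    $actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm MD5).Hash
    if ($actual -ne $ExpectedMd5.ToUpperInvariant()) {
        $problems += "hash mismatch: expected $ExpectedMd5, got $actual"
    }

    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            $name = $entry.FullName
            $ext  = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
            if ($blockedExt -contains $ext) { $problems += "blocked file type: $name" }
            # Absolute paths (drive letter or leading slash) and ../ traversal
            if ($name -match '^([A-Za-z]:|[\\/])' -or $name -match '(^|[\\/])\.\.([\\/]|$)') {
                $problems += "absolute or traversing path: $name"
            }
            # Environment-variable tokens such as %SystemRoot% or %system%
            if ($name -match '%[^%\\/]+%') { $problems += "environment token in path: $name" }
        }
    } finally { $zip.Dispose() }
    return $problems   # empty means the package passed every rule
}

# Usage: Test-AddonPackage -ZipPath .\MyAddon.zip -ExpectedMd5 '<md5 from author>'
```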