[Updated] Trojan warning: Multiple AddOns infected

(Locked)

MVP
100 Human Death Knight
10845
Recently, multiple AddOn author accounts have been compromised, and their AddOns have been replaced with a trojan. All players are encouraged to run a full scan of their computer, and to be particularly careful if they use an AddOn client which automatically downloads and installs updates.

The authorities have been alerted to this incident and are investigating it. My principal concern is that the trojan was not detected by many common and popular anti-malware solutions. For that reason, I would encourage people to avail of the thread by MVP Shammoz linked to below.

[Guide] How to SCAN and SECURE your PC - Part II
http://eu.battle.net/wow/en/forum/topic/900641537

This incident is an excellent reminder of why it's never a good idea to rely on one security program to protect your computer. No anti-virus software has a 100% detection rate, and the more methods you use to keep your computer secure, the better. Regular scans are also highly important.

AddOns known to have been affected:
  • Auctionator - Curse
  • BigWigs - WoWInterface

Curse and WoWInterface have since removed the malicious versions of these AddOns, and are combing through their sites to check that no other AddOn was similarly infected. AddOn clients did not activate the trojan; it will be dormant unless you use the .lnk shortcut. If you have one, delete it.
    Edited by Doomsinger on 10/01/2013 17:07 GMT
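
Added example, not part of the original thread or any poster's code: a Python check that lists the entries in a downloaded addon .zip that are Windows shortcuts or executables, by file header as well as by extension, before anything is extracted. The extension list, function names and sample archive are constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# First 20 bytes of every Windows shortcut: HeaderSize 0x4C plus the Shell Link CLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
PE_MAGIC = b"MZ"  # DOS/PE executables and DLLs
# Assumption: extensions that have no business inside an addon archive.
RISKY_EXT = {".lnk", ".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".ps1", ".pif", ".com"}

def classify(name, head):
    """Return a reason string if the entry looks launchable, else None."""
    if head.startswith(LNK_MAGIC):
        return "shortcut (LNK header)"
    if head.startswith(PE_MAGIC):
        return "executable (MZ header)"
    ext = PurePosixPath(name.replace("\\", "/")).suffix.lower()
    if ext in RISKY_EXT:
        return f"risky extension {ext}"
    return None

def scan_addon_zip(data):
    """List (entry, reason) for every suspicious file in an addon .zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # header only, never the whole file
            reason = classify(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings

def build_sample():
    """Constructed archive: two normal addon files, a renamed shortcut, a .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ExampleAddon/ExampleAddon.toc", "## Title: ExampleAddon\n")
        zf.writestr("ExampleAddon/core.lua", "print('hello')\n")
        zf.writestr("ExampleAddon/readme.txt", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("ExampleAddon/Install.lnk", b"not a real shortcut")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, reason in scan_addon_zip(build_sample()):
        print(f"SUSPICIOUS {entry}: {reason}")
```
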
    90 Human Priest
    13770
    Thank you for this, was just about to update my addons.
    90 Undead Rogue
    15005
    Strange, do you know if the infection was intended by the author of the addon?
    Customer Service
    Thanks for the warning, just blue tagging so hopefully it'll get more visibility.
    Edited by Lurdlespor on 10/01/2013 14:50 GMT
    MVP
    100 Human Death Knight
    10845
    10/01/2013 14:49 Posted by Rofltastic
    Strange, do you know if the infection was intended by the author of the addon?

    It appears that their account was compromised.


    Edit: Thanks Lurdlespor!
    Edited by Doomsinger on 10/01/2013 15:02 GMT
    100 Tauren Warrior
    17895
    What program did you use to detect the trojan?
    MVP
    100 Human Death Knight
    10845
    It was replaced with a trojan. All you have to do is open the folder and look at it.
    Edited by Doomsinger on 10/01/2013 15:05 GMT
    90 Human Death Knight
    1585
    That's some scary stuff.
    90 Undead Rogue
    15005
    Made a copy of your post over on Interface & Macros as Blue asked. I'll update it if I see you do, every time you do. I've also put a link back to here to show it's been confirmed by a blue.
    MVP
    100 Human Death Knight
    10845
    Thanks. :)
    90 Human Death Knight
    1585
    Someone should inform the U.S. forums.
    90 Undead Rogue
    15005
    I don't have an account for US, but someone has posted on the Curse Auctionator page; I checked that.
    100 Night Elf Hunter
    19795
    An admin of Curse just removed the file and blocked the hacker's IP.
    33 Human Monk
    5840
    Downloaded a bunch of Addons in the last hours, sounds like I could be in some trouble here. Since the addons were replaced with a trojan, would I be safe if the addons I downloaded actually work? Because they all did.
    100 Night Elf Hunter
    19795
    If you have not opened the file inside the unzipped map you have no harm. The game didn't load the file.
    33 Human Monk
    5840
    I extracted the files manually and put them into the Interface/addons folder, since I don't have one of those curse clients that does it for you.
    100 Night Elf Hunter
    19795
    If you only extracted the files there should not be a problem. As long as the trojan horse itself was a .ink file you didn't open, there is no harm.
    33 Human Monk
    5840
    I'm not sure I understood you correctly, so I'll describe in more detail what I did:

    1) Downloaded a couple of Addons for Curse.
    2) Extracted the files onto the desktop
    3) This brought up the maps which was the actual Addon, I put these maps in my Addons folder
    4) Logged on to the game, which I assume executed these files.

    Two exceptions to the above: For one addon, I opened a LUA file to modify the addon. Another addon wasn't actually an addon but textures, so I put these files in the Interface folder (the one that contains the addon folder) instead.

    Would doing the things above endanger the computer?
    MVP
    100 Human Death Knight
    10845
    Keydra,

    Have you downloaded either Auctionator or BigWigs?

    For peace of mind, I'd re-iterate my above suggestion of going through Shammoz's thread.
    33 Human Monk
    5840
    No, neither of those addons. It was tidy plates (and threat plates), chatty, mappy, sarena, HideRaidFrames, ClassPortraitsFinal and Santa UI textures. I might have missed something, but I think that was it. They all did what they were supposed to do.

    Already started on Shammoz list (not in order though, I'm impatient by nature :P), the scan with Microsoft Security Essentials just finished clean (whatever that means, seeing as it's a free scanner).
    This thread is locked.