[Updated] Trojan warning: Multiple AddOns infected

Technical Support
Recently, multiple AddOn author accounts have been compromised, and their AddOns have been replaced with a trojan. All players are encouraged to run a full scan of their computer, and to be particularly careful if they use an AddOn client which automatically downloads and installs updates.

The authorities have been alerted to this incident and are investigating it. My principal concern is that the trojan was not detected by many common and popular anti-malware solutions. For that reason, I would encourage people to avail of the thread by MVP Shammoz linked to below.

[Guide] How to SCAN and SECURE your PC - Part II

This incident is an excellent reminder of why it's never a good idea to rely on one security program to protect your computer. No anti-virus software has a 100% detection rate, and the more methods you use to keep your computer secure, the better. Regular scans are also highly important.

AddOns known to have been affected;
  • Auctionator - Curse
  • BigWigs - WoWInterface

  • Curse and WoWInterface have since removed the malicious versions of these AddOns, and are combing through their sites to check that no other AddOn was similarly infected. AddOn clients did not activate the trojan; it will be dormant unless you use the .lnk shortcut. If you have one, delete it.
    Thankyou for this, was just about to update my addons.
    strange, Do you know if the infection was intended by the author of the addon?
    Thanks for the warning, just blue tagging so hopefully it'll get more visibility.
    10/01/2013 14:49Posted by Rofltastic
    strange, Do you know if the infection was intended by the author of the addon?

    It appears that their account was compromised.

    Edit: Thanks Lurdlespor!
    What program did you use to detect the trojan ?
    It was replaced with a trojan. All you have to do is open the folder and look at it.
    that's some scary stuff.
    made a copy of your post over on Interface & Macros as Blue asked i'll update it if i see you do, everytime you do, i've also put a link back to here to show its been confirmed by a blue
    Thanks. :)
    Some one should inform the U.S forums.
    I dont have an account for US, but someone has posted on the Curse Auctionator page, I checked that
    An admin of Curse just removed the file and blocked the hackers IP.
    Downloaded a bunch of Addons in the last hours, sounds like I could be in some trouble here. Since the addons were replaced with a trojan, would I be safe if the addons I downloaded actually work? Because they all did.
    If you have not opened the file inside the unzipped map you have no harm. The game didnt load the file.
    I extracted the files manually and put them into the Interface/addons folder, since i don't have one of those curse clients that does it for you.
    If you only extracted the files there should not be a problem. As long as the trojan horse itselves, was a .ink file, you didnt open there is no harm.
    I'm not sure I understood you correctly, so I'll describe in more detail what I did:

    1) Downloaded a couple of Addons for Curse.
    2) Extracted the files onto the desktop
    3) This brought up the maps which was the actual Addon, I put these maps in my Addons folder
    4) Loged on to the game, which I assume exectued these files.

    Two exceptions to the above: For one addon, I opened a LUA file to modify the addon. Another addon wasn't actually an addon but textures, so I put these files in the Interface folder (the one that contains the addon folder) instead.

    Would doing the things above endanger the computer?

    Have you downloaded either Auctionator or BigWigs?

    For peace of mind, I'd re-iterate my above suggestion of going through Shammoz's thread.
    No, neither of those addons. It was tidy plates (and threat plates), chatty, mappy, sarena, HideRaidFrames, ClassPortraitsFinal and Santa UI textures. I might have missed something, but I think that was it. They all did what they were supposed to do.

    Already started on Shammoz list (not in order though, I'm impatient by nature :P), the scan with Microsoft Security Essentials just finished clean (whatever that means, seeing as it's a free scanner).

    Join the Conversation

    Return to Forum