World Of Warcraft Trojan

Blizzard is advising all World of Warcraft players to look out for a "dangerous Trojan" that could potentially compromise their accounts. This warning is also being given out to players who are using a authenticator to protect themselves.

According to information from Blizzard's support forum, the malware in question attacks in real time by "stealing both your account information and the authenticator password at the time you enter them." It is worth noting that both mobile and physical authenticator are identified as at-risk.

How to remove the Trojan

The game's developer said the trojan arises from a fake version of the Curse Client. Below is a summary of Blizzards latest findings rom the forum.

"The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there.

At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that Ressie posted earlier in the thread.

Thanks to Ressie's efforts, most security programs should be able to identify this threat shortly, if not by the time I type this.

If you were compromised, follow the instructions here and we'll do our best to set everything right (as we always do).

For those of you interested in these MitM style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!"