New Virus-Be on the lookout!

Foofy · **Posted:** Sun Feb 28, 2010 4:15 pm

Stolen from MMOChampion.com

Quote:

Trojan succesfully hacks Authenticator Protected Accounts
A new virus spawned on the internet a few days ago and seems to be the first trojan capable of hacking a WoW account protected by an Authenticator. It was confirmed by Blizzard a few hours ago.
Quote from: Kropacius (Source)
After looking into this, it has been escalated, but it is a Man in the Middle attack.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack

This is still perpetrated by key loggers, and no method is always 100% secure.

Basically, what the virus does is fairly simple after you're infected :

* The next time you log in World of Warcraft, the game asks for your Authenticator code.
* The virus intercepts it, send it to another server, and sends a wrong one to Blizzard = You get an error.
* The people behind the virus now have a few seconds/minutes to use the "real" code while it's valid to change your password / empty your account / guild bank.

How to check if you're infected
Just search for a file named "emcor.dll" on your computer, it is most likely located in "C:\Users\(Your user name)\AppData\Temp" but I suggest that you check everything just to be sure. If you do find the file, delete it and make sure you update your anti-virus to prevent any further problem.

To be honest, if you found this file your account is probably already compromised.

What does it mean exactly?

* Yes, you can get hacked even if you have an authenticator, the chances are MUCH lower but you're not invulnerable.
* It definitely isn't an excuse to not have an authenticator. We're talking about a single virus here and the authenticator will save your ass 99% of the time.
* Get a decent anti-virus, buy an authenticator, you'll be safe.

Erico · **Posted:** Mon Mar 01, 2010 12:12 am

Thanks for letting us know!

kaytie · **Posted:** Mon Mar 01, 2010 5:30 am

Until this morning, it wasn't tripping any of the usual AVs, and Kapersky's the only one I've heard confirmed that it is flagging on. HiJackThis has been marking it as a concern, so I'd advise using that to search for it just in case.

Doviya · **Posted:** Wed Mar 03, 2010 7:53 am

I'm very worried about this. I don't get viruses, but this one scares me. Will definitely run HiJackThis tonight!

Shinryu · **Posted:** Sun Jun 26, 2011 2:26 am

<-- happy he doesn't use an authenticator

lissanna · **Posted:** Wed Jun 29, 2011 6:58 am

Shinryu wrote:

<-- happy he doesn't use an authenticator

Uhm... Without an authenticator, any plain old keylogger can get your account info.

With an authenticator, it is VERY rare to get hacked (maybe a handful of like 10 people with authenticators versus tens of thousands of people without authenticators have been hacked across the years). I'm not sure why you would be happy to not use an authenticator.

This old (March 2010) post addressed a security issue that actually hasn't been a problem lately, since they have changed how authenticators work like twice since this old thread was posted.

Not having an authenticator simply makes you less secure than having an authenticator.

Shinryu · **Posted:** Wed Jun 29, 2011 7:11 pm

Wow...wtf I necroed a thread >.>

Way to go for reading dates/times >.>

Milloux · **Posted:** Mon Jul 04, 2011 7:32 pm

It's been mentioned, but without an authenticator, your password can get bruteforced pretty easily. Happened to me. Authenticator is more security, not less.