Trojan Hijacks World of Warcraft Accounts Even if Authenticator Protection is Enabled
World of Warcraft players are being advised to watch out for a Trojan posing as the Curse Client add-on manager that may lead to their WoW account being hijacked even if they have two-step authentication enabled.
WoW players may have accidentally downloaded the Trojanized Curse Client after searching for “curse client” on major search engines and clicking a link that took them to a fake version of the Curse website, according to a notice posted on the Battle.net forums.
Once installed, the Curse Client Trojan would capture the victim’s username, password and the single-use code generated by the authenticator. The Trojan would then relay the login information to the attackers and block the user from logging in, so the authentication code went unused and could still be used by the attackers. This allowed them to hijack the account while the victim scrambled to figure out what went wrong.
How to Check for the Curse Client Trojan
Users can check to see if the malicious version of the Curse Client has been installed on their system by creating an MSInfo file and checking the Windows start-up list for “Disker” or “Disker64”.
Instructions on how to create an MSInfo file can be seen on the Battle.net forums.
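The start-up check described above can be scripted when there are several reports to review. The following is an added example, not code from Battle.net or the original article. It assumes the MSInfo report was saved as a text export with a bracketed [Startup Programs] section and tab-separated columns; the sample report and its paths are constructed placeholders.

```python
import re
import sys

# Start-up entry names the article lists as signs of the Trojan.
INDICATOR = re.compile(r"\bDisker(64)?\b", re.IGNORECASE)

# Constructed sample report (assumed layout; names and paths are placeholders).
SAMPLE_REPORT = "\n".join([
    "[System Summary]",
    "Item\tValue",
    "System Name\tEXAMPLE-PC",
    "[Startup Programs]",
    "Program\tCommand\tUser Name\tLocation",
    "Disk Monitor\tC:\\PLACEHOLDER\\diskmon.exe\tEXAMPLE-PC\\player\tStartup",
    "Disker64\tC:\\PLACEHOLDER\\Disker64.exe\tEXAMPLE-PC\\player\tStartup",
    "[Loaded Modules]",
    "Name\tVersion",
    "kernel32\t0.0",
])


def read_report(path):
    """Decode a saved report, honouring a UTF-16 byte-order mark if present."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def startup_rows(text):
    """Yield tab-split rows found under the [Startup Programs] header."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[startup programs]"
        elif in_section and line:
            yield line.split("\t")


def find_indicators(text):
    """Return start-up rows whose program name or command matches."""
    return [row for row in startup_rows(text)
            if any(INDICATOR.search(field) for field in row[:2])]


if __name__ == "__main__":
    report = read_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    hits = find_indicators(report)
    for row in hits:
        print("Suspicious start-up entry:", " | ".join(row))
    sys.exit(1 if hits else 0)
```

The match is on whole words only, so unrelated entries that merely begin with "Disk" are not flagged, and rows outside the start-up section are ignored.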
How to Remove the Curse Client Trojan
Users who suspect their PC may have been infected by the Curse Client Trojan should:
- Uninstall the Curse Client (an important step since the Trojan wraps a functional copy of the Curse Client).
- Scan their computer with Malwarebytes.
- Follow the instructions in the Battle.net “Help, I got hacked!” article if their account was compromised.
The legitimate Curse Client can safely be downloaded from the official Curse website at www.curse.com.