Trojan Hijacks World of Warcraft Accounts Even if Authenticator Protection is Enabled

World of WarcraftWorld of Warcraft players are being advised to watch out for a Trojan posing as the Curse Client add-on manager that may lead to their WoW account being hijacked even if they have two-step authentication enabled.

WoW players may have accidentally downloaded the Trojanized Curse Client after searching for “curse client” on major search engines and clicking a link that took them to a fake version of the Curse website, according to a notice posted on the Battle.net forums.

Once installed, the Curse Client Trojan would capture the victim’s username, password and the single-use code generated by authenticators. The Trojan would then relay the login information to attackers and block the user from logging in (therefore the authentication code can still be used), allowing the attackers to hijack the account while the victim scrambles to figure out what went wrong.

How to Check for the Curse Client Trojan

Users can check to see if the malicious version of the Curse Client has been installed on their system by creating an MSInfo file and checking  the Windows start-up list for “Disker” or “Disker64”.

Instructions on how to create an MSInfo file can be seen on the Battle.net forums.

How to Remove the Curse Client Trojan

Users that suspect their PC may have been infected by the Curse Client Trojan should:

  1. Uninstall the Curse Client (an important step since the Trojan wraps a functional copy of the Curse Client).
  2. Scan their computer with Malwarebytes.
  3. Follow instructions in the Battle.net “Help, I got hacked!” article if your account was compromised.

The legitimate Curse Client can safely be downloaded from the official Curse website at www.curse.com.

Like this post? Follow us online by liking us on Facebook, following us on Twitter (@sdpcfix), or circling us on Google+.